Application Programming Interfaces (APIs) pretty much run the internet. In 2017, it was estimated that 70% of internet traffic was API traffic. In 2020, this number was over 80%. Any business with online services now uses APIs to operate those services. This means that any disruption of any kind to these APIs will hurt the business. So APIs are critical to the modern business, and that’s why Aiculus has spent the last five years researching and developing innovative ideas to help businesses secure their API infrastructure. Here is a summary of four important facts about APIs.
- Digital transformation almost always involves APIs.
In the last few years, many organisations have started digital transformation programs aimed at modernising their technology platforms in order to improve their online service delivery. Almost every one of these transformation initiatives has involved the introduction or enhancement of an API-powered platform to scale product development and ultimate deployment for customer use. The main advantage of this approach is to automate product iteration and updates, to keep up with customer demand and to allow for ongoing, frequent feature releases and other product improvements.
- API attacks are increasing.
It is no surprise that, as organisations increasingly rely on APIs for critical business operations, those same APIs become a key target of hacking and cyber-attacks. In 2022 alone, large companies in the USA and Australia have become victims of API attacks that have caused major inconveniences to the companies and their customers. According to the 2022 Aiculus API Security Market report, an API security vendor survey found that the number of API security breaches increased by 117% globally in 2021 alone.
- Legacy APIs are still under the radar.
Most organisations use an APIM (API Management platform) to connect to their existing back-end services and create complete API products which can be served to their customers, internal users and other partners. The APIM also includes an authentication and authorisation mechanism to verify and validate API users and incoming API requests. However, not all of the systems end up being connected to or monitored by the APIM. These so-called legacy systems or legacy APIs still fly under the radar and are essentially unknown. This presents a security risk because an attack on such an API is likely to be successful, mainly because it is not subjected to the same security controls and security monitoring that other APIs have.
- Layered security is a must for API platforms.
A very common approach that many organisations use for security is to concentrate security at the perimeter, where a combination of the Web Application Firewall (WAF) and API Gateway are the main security providers. This approach provides authentication, authorisation and throttling for incoming API requests, which are essential for securing APIs. However, these systems cannot help with authentication bypass attacks and payload-embedded attacks, where the malicious code is hidden within a seemingly legitimate request. Unfortunately, over 80% of attacks since 2020 now happen post-authentication, meaning once the request has gone through the perimeter. For these types of attacks, an additional layer of ‘post-auth’ security screening is required.
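As an added illustration of this layered approach (example code written for this summary, not Aiculus’s product or code from the original article), here is a Python sketch in which a perimeter layer authenticates the bearer token and a separate post-auth screen then validates the already-authenticated request’s payload and object-level authorisation before the service runs. The tokens, account ids and the update schema are constructed assumptions.

```python
import json
# Constructed sample data (not real credentials): bearer token -> principal, account -> owning principal.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
OWNERS = {"acct-100": "alice", "acct-200": "bob"}
# Contract the post-auth screen enforces on a hypothetical "update account" endpoint.
UPDATE_SCHEMA = {"account_id": str, "nickname": str, "limit": int}
MAX_STRING_LEN = 64

def perimeter_layer(request):
    """Layer 1 (the gateway/WAF role): authenticate the bearer token; return the principal or None."""
    auth = request["headers"].get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    return TOKENS.get(token)

def post_auth_screen(principal, request):
    """Layer 2: screen a request that already passed the perimeter, before the service runs."""
    try:
        body = json.loads(request["body"])
    except ValueError:
        return "reject: body is not valid JSON"
    if not isinstance(body, dict):
        return "reject: body must be a JSON object"
    unexpected = set(body) - set(UPDATE_SCHEMA)
    if unexpected:  # fields the contract never declared are not silently passed to the service
        return f"reject: unexpected fields {sorted(unexpected)}"
    for field, expected in UPDATE_SCHEMA.items():
        value = body.get(field)
        if type(value) is not expected:  # exact type check, so a bool does not pass as an int
            return f"reject: field {field!r} missing or wrong type"
        if expected is str and (len(value) > MAX_STRING_LEN or not value.isprintable()):
            return f"reject: field {field!r} fails content checks"
    # Object-level authorisation: a valid token alone must not grant access to another customer's account.
    if OWNERS.get(body["account_id"]) != principal:
        return "reject: principal does not own account"
    return "allow"

def handle(request):
    """Run both layers in order; the second runs only for requests the perimeter authenticated."""
    principal = perimeter_layer(request)
    if principal is None:
        return "reject at perimeter: unauthenticated"
    return post_auth_screen(principal, request)

# Constructed requests: one legitimate, one unauthenticated, two with a valid token that fail the post-auth screen.
BODY_OK = '{"account_id": "acct-100", "nickname": "Savings", "limit": 500}'
REQ_OK = {"headers": {"Authorization": "Bearer tok-alice"}, "body": BODY_OK}
REQ_NO_TOKEN = {"headers": {}, "body": BODY_OK}
REQ_CROSS_ACCOUNT = {"headers": {"Authorization": "Bearer tok-bob"}, "body": BODY_OK}
REQ_EXTRA_FIELD = {"headers": REQ_OK["headers"],
                   "body": '{"account_id": "acct-100", "nickname": "Savings", "limit": 500, "internal_flag": true}'}
```

The point of the two rejections with a valid token is that the perimeter alone would have let both requests through; only the post-auth screen catches them.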
The value of APIs to organisations is quite obvious: they enable automation, innovation and optimisation. As a result, businesses are leaning into API platforms and taking advantage of all that these platforms have to offer. As they do this, it is important that executives and security teams fully understand that cybersecurity is the biggest risk facing API platforms. So the scale of API modernisation must be matched with appropriate API security design and technology tools. It is convenient to have a single tool that does it all, but this is not enough with APIs. There needs to be a layered security approach which authenticates and authorises API requests at entry and screens authenticated API requests once more before the requested service can be rendered.
About the Author
Dr. Omaru Maruatona is CEO of Aiculus, a technology company that specialises in cybersecurity and Artificial Intelligence. Omaru has previously worked at PwC Australia in cybersecurity architecture and strategy; before that as a Security Engineer at Computershare; and as an Artificial Intelligence (AI) researcher responsible for researching, prototyping and recommending an AI framework to boost a large Australian bank’s fraud detection and internet banking security capabilities. Omaru is a mentor and advisor for an Australian cybersecurity business accelerator and a British venture capital firm.