APIs have undergone immense leaps in capability and ubiquity over the last decade. As 2023 unfolds, however, the danger presented by the now fully-fledged API industry cannot be overstated. Google’s recent study on cloud API security shows several worrying trends, the worst of which may be the persistent overestimation of how well existing API security solutions are performing.
The Growth of the API
APIs first sprouted up within the development process for different apps to communicate with one another. Built by devs for devs, APIs gave teams and individuals a means to interact with and call each other’s code.
Nowadays, APIs have grown from the grassroots tool of the up-and-coming dev team into mainstream tools built into entire business operations. Now that APIs have gained business suits and places in the boardroom, they have largely shifted toward being bona fide products, with core capabilities and data access that span the entire enterprise.
APIs now find themselves deeply embroiled in legacy modernization, data liberation, and the creation of new application capabilities. Ultimately, APIs are indirectly responsible for swathes of recent software innovations.
Industries haven’t just embraced APIs; many have become solely reliant on them. Without APIs, most software simply would not exist in its current state.
The breadth and depth of examples underpin their true importance today, from the Google Maps API to Amazon’s inventory-detailing API and Yelp’s API that helps users find places to eat. These APIs are vital not just for data extraction, but their very mechanics form the backbone of modern customer experience.
The shift toward APIs is reflected throughout today’s application architecture: pre-API software was built largely as one monolithic whole. Now, systems can be broken down into smaller and easier-to-manage components.
While APIs continue to prove their worth, a growing threat has also recognized the potential of the API.
The Dark Underbelly of API
A recent study by Google found that within the past 12 months, at least half of all surveyed businesses have experienced an API-related security event. Digging deeper into the incidents reported by the over 500 technology leaders, researchers were able to categorize the three most troublesome issues surrounding API usage.
40% of all respondents suffered an incident following misconfiguration, with a third coping with both outdated APIs and spam and abuse bots alike.
Even more concerning than the sheer numbers alone is the fact that these API issues continue to escape the testing phase. More than 60% of companies discovered the issues in question only during development or deployment, via real-time monitoring.
Despite the prevalence of these misconfigurations and abuse attempts, most companies continue to assert that everything’s fine: over three-quarters of those asked said they still feel confident that their existing API security solutions can prevent attacks.
Unfortunately, this confidence is not borne out by the growing body of evidence that suggests otherwise.
The ramifications of this overconfidence aren’t limited to the organizations themselves, either. While 46% of surveyed organizations limit the use of their APIs to within their own company, the majority of tech leaders (54%) allow partners, external developers, and customers to use their in-house APIs to spur open-source and third-party development.
Not only is the API landscape inherently scattered and piecemeal, with inconsistent documentation and security solutions, but the shared nature of APIs opens the door to security oversights that set entire industries alight.
Securing Today’s Biggest Cybersec Battleground
Since 2020, API-related security breaches have caused between $12 billion and $23 billion in losses globally. As Google’s security report shows, nearly every company included had already made the leap to cloud-based operations.
93% of companies within the Google report characterized their ops as “mostly cloud”; accordingly, the number of companies reliant on on-prem architecture has dropped to half its 2020 level. The attack surface has never been greater, with the average company now managing 15,600 APIs, three times as many as a year ago.
Securing the swathes of APIs that continue to gunk up the DevSecOps queue is no small feat. Thankfully, next-gen security solutions have reduced this complex tangle of programs into two distinct steps.
Discovery is the first component. Managing that number of APIs manually is simply an impossible task. With an automated approach to API discovery, it becomes possible to map out and identify all endpoints operating within your organization.
For next-gen security, this should also include undocumented and shadow APIs. From there, an automated script begins to identify the data being handled by each API.
This classification process allows an organization to press a reset button on its API security. Instead of chasing after alerts, API security levels the playing field by identifying potentially at-risk APIs ahead of time, because it identifies contextually sensitive data and continually adapts to structures that change with every update and modification.
Once a company has a handle on the full extent of its API landscape, it then becomes possible to eliminate data leakage and API abuse.
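The two steps above, discovery of every endpoint (documented or shadow) followed by classification of the data each one handles, can be illustrated with a small inventory script. This is an added example, not code from the original article or from any product it mentions: the log lines, the documented-endpoint set and the sensitive-field patterns are constructed, and a real collector would source them from a gateway, proxy or OpenAPI inventory instead.

```python
import json
import re
from collections import defaultdict

# Constructed sample: endpoints an organization believes it has (assumed to come
# from an OpenAPI inventory in practice).
DOCUMENTED = {"GET /v1/users/{id}", "GET /v1/orders/{id}"}

# Constructed sample access log lines: method, path, status, and the JSON body
# the endpoint returned. The last two endpoints are undocumented ("shadow").
LOG_LINES = [
    'GET /v1/users/123 200 {"id":123,"email":"a@example.com"}',
    'GET /v1/orders/987 200 {"id":987,"total":42.0}',
    'GET /v1/users/123/export 200 {"ssn":"000-00-0000","email":"a@example.com"}',
    'POST /internal/debug 200 {"card_number":"4111111111111111"}',
]

# Field-name patterns that mark a response as handling sensitive data.
SENSITIVE = {
    "PII": re.compile(r"^(email|phone|address|ssn)$", re.I),
    "PCI": re.compile(r"^(card_number|cvv|pan)$", re.I),
}

def normalize(path: str) -> str:
    """Collapse numeric path segments so /users/123 and /users/456 count as one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def discover(log_lines, documented):
    """Build an endpoint inventory from traffic; flag shadow endpoints and sensitive data."""
    inventory = defaultdict(lambda: {"shadow": False, "classes": set(), "hits": 0})
    for line in log_lines:
        method, path, _status, body = line.split(" ", 3)
        key = f"{method} {normalize(path)}"
        entry = inventory[key]
        entry["hits"] += 1
        entry["shadow"] = key not in documented
        for field in json.loads(body):          # response keys seen on this endpoint
            for label, pattern in SENSITIVE.items():
                if pattern.match(field):
                    entry["classes"].add(label)
    return dict(inventory)

def at_risk(inventory):
    """Endpoints to review first: undocumented ones that return sensitive data."""
    return sorted(k for k, v in inventory.items() if v["shadow"] and v["classes"])

if __name__ == "__main__":
    inv = discover(LOG_LINES, DOCUMENTED)
    for endpoint, info in sorted(inv.items()):
        print(endpoint, "shadow" if info["shadow"] else "documented", sorted(info["classes"]))
    print("review first:", at_risk(inv))
```

Run against the constructed log, the script reports the export and debug endpoints as undocumented and handling PII/PCI data, which is the "at-risk ahead of time" list the classification step is meant to produce.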
One point Google makes in the study, however, is that even next-gen API security must integrate seamlessly within an end-to-end security strategy.
The overall value and protection your security suite provides are only as good as the weakest integration. This is one area where a comprehensive security provider offering everything from site to API protection can offer a major advantage over their smaller, plug-and-play counterparts.
With all security features managed by a single provider, the organization can focus more heavily on its mid to long-term security strategy. When all security tools fit seamlessly into not just the business operations but also with one another, it becomes possible to eliminate DevSec oversight, even in the highly fractured world of APIs and microservices.