An API is an invisible link that lets applications share data to improve end-user experiences and outcomes. The number of APIs used by enterprises is growing rapidly: nearly half of all enterprises have between 50 and 500 APIs deployed internally or publicly, and some have over a thousand active APIs.
Many APIs are directly connected to back-end databases that store sensitive information. As a result, hackers are increasingly targeting APIs as a way to access the underlying infrastructure to steal sensitive data. Today, one in 13 cybersecurity incidents can be attributed to neglected API security. As digital transformation multiplies the number of APIs in production, this number is expected to increase in the coming years.
API Security Risk Differs Between Industries
“Quantifying the Cost of API Insecurity,” a study conducted by the Marsh McLennan Cyber Risk Analytics Center, reveals significant differences between industries. IT companies (18% to 23%) and providers of knowledge-intensive services (professional services) such as tax firms, management consultancies and accounting firms (10% to 15%), as well as online retail (6% to 12%), are proportionately the most affected by API security breaches.
Manufacturing, transportation, and utilities are in the middle of the pack, each accounting for 4% to 6% of security incidents resulting from API vulnerabilities, followed by finance and insurance at 2% to 4%. Education service providers are estimated to suffer only 2% to 3% of cybersecurity incidents due to vulnerabilities in APIs, with healthcare bringing up the rear at 0.5% to 1%.
Goal Must Be to Know All APIs And Protect Relevant Enterprise Data
“Without a strategy and targeted action, enterprises around the world will continue to suffer large annual losses from API security breaches,” said Kai Zobel, area vice president at Imperva. “To mitigate the increasing API security threats, companies need to know all their APIs and understand what relevant data flows through each API.”
Experts estimate that around 9% to 10% of all cybersecurity incidents in Germany are related to API vulnerabilities. One possible reason is the complexity of corporate software supply chains. A high number of APIs and a large volume of data flowing through them also increase the likelihood of an API-related security incident.
Three recommendations for API security:
1. Identify and classify relevant data from all APIs
Transparency is critical to understanding the complete schema of each API and identifying and classifying the data that flows through it. This is the only way to assess risk.
2. Automate API discovery
APIs are created quickly and changed frequently, making them a blind spot for many companies. Automated discovery lets companies prevent rogue APIs and APIs originating from so-called shadow IT. In addition, an automated API inventory gives the security team visibility into when developers change APIs in production.
3. Manage APIs systematically
For companies in highly regulated industries, an API governance model is critical. Under such a governance model, every programming interface is inventoried. This requires monitoring that goes beyond the API endpoint to include the underlying payload, so that sensitive data can be adequately protected.
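The three recommendations above describe one workflow: inventory each API's schema, classify the data it carries, and compare the inventory against what actually runs in production. The following Python is an added illustration of that workflow and is not code from the article, Imperva, or the Marsh McLennan study; the OpenAPI-style inventory, the gateway log lines, and the field-name classifiers are all constructed for the example.

```python
import re

# Constructed inventory (not from the article): documented endpoints and the
# fields each one returns. A real tool would read these from OpenAPI specs.
SPEC = {
    "/users/{id}": {"GET": ["id", "email", "ssn", "created_at"]},
    "/orders/{id}": {"GET": ["id", "card_number", "total"]},
}

# Constructed gateway access-log lines; /internal/export is not in the inventory.
LOG_LINES = """\
10.0.0.5 GET /users/42 200
10.0.0.5 GET /orders/7 200
10.0.0.9 GET /internal/export 200
10.0.0.5 GET /users/43 200
"""

# Field-name patterns mapped to a data class, so each API can be tagged with
# the kind of relevant data that flows through it (recommendation 1).
CLASSIFIERS = {
    "PII": re.compile(r"(email|ssn|phone|dob|address)", re.I),
    "PAYMENT": re.compile(r"(card_number|iban|cvv)", re.I),
}

def classify_fields(fields):
    """Return the set of data classes present in a response schema."""
    return {cls for f in fields for cls, rx in CLASSIFIERS.items() if rx.search(f)}

def normalize_path(path):
    """Collapse numeric path segments into {id} so /users/42 matches /users/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def discover_endpoints(log_text):
    """Build the set of (method, path template) pairs observed in gateway logs."""
    seen = set()
    for line in log_text.splitlines():
        _, method, path, _ = line.split()
        seen.add((method, normalize_path(path)))
    return seen

def audit(spec, log_text):
    """Join the documented inventory with observed traffic (recommendations 2 and 3):
    classify each documented API and flag endpoints that serve traffic undocumented."""
    documented = {(m, p) for p, methods in spec.items() for m in methods}
    observed = discover_endpoints(log_text)
    report = {"classified": {}, "shadow": sorted(observed - documented),
              "unused": sorted(documented - observed)}
    for method, path in documented:
        report["classified"][f"{method} {path}"] = sorted(classify_fields(spec[path][method]))
    return report

if __name__ == "__main__":
    for key, value in audit(SPEC, LOG_LINES).items():
        print(key, value)
```

Endpoints listed under "shadow" are candidates for the rogue or shadow-IT APIs the article describes; the "classified" map is the per-API data inventory a governance model would maintain.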
“At the root of every API security breach is data,” adds Kai Zobel. “Protecting APIs requires a mindset shift. It’s about focusing on classifying data and understanding how each API accesses data in production. This approach requires security and development teams to work together to embed security into the development lifecycle. Until that happens, cybercriminals will continue to exploit vulnerable APIs to steal sensitive data at scale.”