API: A key enabler of digital transformation
Application Programming Interfaces (APIs) are an essential part of digital transformation and application modernization efforts within organizations. In hindsight, it is clear that APIs connect the world. They have been around for over twenty years and are used at massive scale to deliver services, from the weather forecast on your mobile phone to the configuration of pipeline equipment.
However, what has changed dramatically over time is the sensitivity of the data exposed through those APIs. In the past, APIs were not of interest to hackers, but today they can provide access to extremely sensitive or confidential information, a real gold mine for cybercriminals.
The perfect storm for threats
Noname Security’s recent report, The API Security Disconnect 2023, highlighted the alarming trend of escalating API security incidents. The report found that 78% of security professionals experienced an API security breach in 2023.
There are several reasons that might explain this increase in attacks targeting APIs and make them a good entry point:
- Exponential growth of APIs: APIs are used everywhere, and it is difficult to control this explosion of API consumption and to identify every API in use.
- Integration into application and business logic: APIs are increasingly embedded in the application and business logic of applications. These APIs are hidden in the stack and are not necessarily easy to identify.
- Increased attack surface: Twenty years ago, applications were like fortresses: monolithic, very stable and secure, and rarely updated. Today's modern application stacks are agile and fast to deploy, but with higher levels of exposure: frequent updates and easier access create more vulnerabilities for hackers to exploit. The explosion of cloud-native APIs and limited cloud security maturity in organizations creates a higher risk of accidental exposure.
- Security chain bypass: While organizations are aiming towards zero trust and have very powerful perimeter security mechanisms in place, going through an API can ultimately be a weak entry point to bypass this security chain.
How to adapt API security to this evolution?
Until now, there was a persistent belief that organizations could rely on web application firewalls (WAFs) and API gateways to protect themselves against API attacks. While these components are essential security controls for APIs, they are no longer sufficient in today's threat landscape, as they were not designed to understand the context of API transactions and the associated business logic.
Recently, we have seen a change in the mindset of security decision-makers. 81% of them now believe that API security is more important than it was a year ago, and CISOs are taking proactive steps to prioritize it within their security strategies. API security is evolving with two major trends: a growing need for behavioral approaches like dynamic API security, and a focus on ‘shifting security left’ by embedding security throughout development.
Trend #1: Dynamic API security and AI
The focus is now on implementing more dynamic security, with identification and analysis of behavioral anomalies. As in other areas of security, we have shifted from signature-based detection to behavior-based anomaly detection.
In concrete terms, next-generation API security platforms can help to identify a breach by detecting behavior that deviates from the traditional usage pattern. For example, in a sports application, a typical user would log in, authenticate, and access their profile. However, an anomaly would be raised if an account suddenly starts viewing a massive amount of other users’ data without authorization. This suspicious behavior signals a potential breach in progress.
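The sports-application scenario above, as an added example that is not part of the original post or of any vendor product: a simple rule-based detector run over constructed API access logs, flagging an account that reads more distinct other users' profiles inside a sliding time window than a normal session would. The log format, path layout and thresholds are assumptions; a production platform would learn the baseline per user with ML rather than hard-code it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access log (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z user=alice GET /api/v1/profile/alice
2024-03-01T10:00:05Z user=alice GET /api/v1/profile/bob
2024-03-01T10:02:00Z user=bob GET /api/v1/profile/u100
2024-03-01T10:07:00Z user=bob GET /api/v1/profile/u101
2024-03-01T10:12:00Z user=bob GET /api/v1/profile/u102
2024-03-01T10:20:00Z user=mallory GET /api/v1/profile/u200
2024-03-01T10:20:01Z user=mallory GET /api/v1/profile/u201
2024-03-01T10:20:02Z user=mallory GET /api/v1/profile/u202
2024-03-01T10:20:03Z user=mallory GET /api/v1/profile/u203
this line is malformed and must be skipped, not crash the detector
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) [A-Z]+ (?P<path>\S+)$")
PROFILE_RE = re.compile(r"^/api/v1/profile/(?P<owner>[^/?]+)")

def parse_line(line):
    """Return (timestamp, account, profile owner or None), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    owner = PROFILE_RE.match(m["path"])
    return ts, m["user"], (owner["owner"] if owner else None)

def detect_mass_profile_access(lines, window=timedelta(seconds=60), max_foreign=3):
    """Flag accounts reading more than max_foreign distinct *other* users'
    profiles inside one sliding window; returns {account: sorted owner ids}."""
    events = defaultdict(list)  # account -> [(ts, owner)] for foreign reads only
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash
        ts, account, owner = parsed
        if owner and owner != account:
            events[account].append((ts, owner))
    alerts = {}
    for account, evs in sorted(events.items()):
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past old events
            distinct = {o for _, o in evs[start:end + 1]}
            if len(distinct) > max_foreign:
                alerts[account] = sorted(distinct)
                break  # one alert per account is enough
    return alerts
```

With the defaults only mallory is flagged: alice's single look at a friend's profile and bob's slow reads spread over ten minutes stay under the threshold, which is the distinction a behavioral approach has to make and a signature cannot.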
There seems to be a market consensus that behavioral analysis has to be driven through machine learning (ML). By modeling behaviors with different parameters and dimensions, it becomes possible to detect deviations and anomalies. Ideally, the use of specialized models that can run locally within an organization might remove the need for massive data lakes hosted abroad. This localized analysis capability also meets the requirements of certain organizations, particularly those with strong regulations or security constraints, which would require data to stay within the organization’s perimeter.
The use of AI in API security can also deliver added value to customers. Noname Security is already embracing this opportunity within its platform by providing a tangible description of an API's purpose within a customer environment using a private large language model (LLM). Take the case of a security analyst: a human-readable description of the API will help shorten the analysis chain during an incident. Noname is also looking to add more AI-based features in the near future, with the goal of simplifying and accelerating security operations.
Trend #2: Shifting security left
When we talk about behavioral analysis to spot anomalies, we are implying a reactive approach where the flaws are already exposed in production. Take the case of the Peloton applications – the fitness equipment vendor had several security flaws in the APIs of their apps, allowing unauthenticated individuals to access sensitive data such as the location and personal data of all Peloton users, i.e. three million subscribers, including US President Biden.
Unfortunately, cases like the above-mentioned Peloton app breach are all too common. Applications in production often have security gaps, leaving them vulnerable to attacks. The trend in 2024 is to shift left and adopt a proactive DevSecOps approach for API security. This means identifying and fixing security problems earlier in the development process, rather than waiting until they are already in production, for example by scanning modern stacks to see if a vulnerable module is being used.
This is especially important because it is much more expensive for an organization to patch an API already in production, or even to have to shut it down to fix any potential security issues. IBM estimates that design-stage bugs cost 6x less to fix than at the implementation stage, and that post-release defects cost 4-5x more than during design, and 100x more than during the maintenance stage. The earlier you find them, the cheaper they are to fix.
In the case of APIs, testing should be dynamic and take the API business logic into account, which is not something that classical web testing solutions have addressed so far. This is also an area where Noname Security is innovating, by providing a smart module in its API Security platform that delivers automated and dynamic API testing, typically during the build phase of the development cycle.
A new emerging trend: The hidden risks of AI in the API landscape
A new threat also emerges with the rise of AI, and more particularly Generative AI. APIs are essential for connecting various components in AI pipelines, but they can also open security vulnerabilities, such as:
- Model manipulation: Pre-trained models accessed through APIs are attractive targets for attackers. By compromising an insecure endpoint, malicious actors could feed the model with poisoned data, potentially altering its predictions and outputs. This can manipulate results, introduce bias, or even lead to harmful decisions.
- Data exfiltration: Corporate AI platforms often process sensitive data, including Personally Identifiable Information (PII). If the APIs used to expose data to other services lack proper security controls, attackers could exploit them to exfiltrate this sensitive information. This exposure can lead to data breaches, privacy violations, and reputational damage.
In this context, it is worth noting that the GraphQL query language is emerging as a standard in 2024 for interacting with LLMs. While Representational State Transfer (REST), an architectural style for APIs, remains the most widely used API standard today, GraphQL offers several advantages for LLMs, including increased flexibility for customized queries, better scalability, and improved developer experience. This shift also brings new attack patterns specific to GraphQL, which organizations will need to address.
Recommendations for optimal API security posture
Implementing API security approaches is easier said than done. The initial hurdle? Mapping out an exhaustive and up-to-date inventory of all organizational APIs. CISOs are left to wrangle a tangled mess of existing APIs, sometimes tracked with archaic methods like Excel spreadsheets.
But the struggle doesn’t end there.
While 72% of organizations believe they have a complete inventory of their APIs, only 40% have the crucial visibility into which APIs expose sensitive data.
To improve API security, the view of Noname Security is to adopt a holistic 360° strategy, based on four main pillars:
- Discovery: Build a comprehensive, real-time inventory of your APIs and classify the data they expose in order to assess the associated risks.
- Posture: Identify exposed APIs, map vulnerabilities, and assess dormant risks to minimize threat exposure.
- Runtime: Leverage AI to analyze user activity, trigger alerts on abnormal behaviors, and automatically respond to incidents in real-time.
- Testing: Embed automated and dynamic security testing throughout the development lifecycle to identify and fix API security risks before they reach production.
The journey towards optimal API security requires constant vigilance and adaptation. Leveraging the power of AI and extending the DevSecOps approach to APIs can help you build a comprehensive defense strategy for 2024.