Partner Content: As app usage explodes, organisations need to double down on API security


Applications power today's enterprises, and APIs serve as the connective tissue between each app, website, or service. APIs enable different software components to communicate with each other, making API-based architectures essential in modern software development. They allow developers to easily integrate data and services from other applications into their own, providing a simple way to share data.

Edward Roberts, Senior Director of Marketing at Akamai, said that APIs are now business critical to the smooth running of enterprise, business-to-business, and customer-facing applications.

"Applications are connected together by APIs. So if you book a hotel, order a car, use a map, eat at a restaurant, see a doctor, check the weather, use social media, all of those applications are using APIs. It's a labyrinth of connections that share data between businesses, partners, and vendors."

He explained that there are several types of API with different functions. "Organisations typically have APIs connecting internal apps, but they most certainly have APIs that connect to the outside world. This idea that all of your data is within your network, protected behind firewalls, and hackers have a challenge to break into the network is old-fashioned. It has been turned on its head because by using APIs businesses have opened up their core processes to the outside and granted access to any data flowing within each API. Of course, best practice is that you must be authorised and authenticated to gain access to any API, but valuable data is within these connections. If data is the new oil, APIs are the new pipelines."

API security is a growing issue

Regardless of the type, this exponential growth of APIs has created a massive attack surface and introduces vulnerabilities into an organisation if not properly configured and managed. And because APIs often handle sensitive data, attackers can obtain thousands or millions of valuable records with just a single compromised API.

In Akamai's 2023 State of the Internet report, application and API attacks surged by 49 per cent from Q1 2023 to Q1 2024, with 108 billion API attacks observed in this period.

Poor API visibility, weak authentication, inherent vulnerabilities in the code, or misconfigurations in API business logic are just some of the factors weakening API security and allowing unauthorised access. As more APIs are deployed every day, this growing attack surface has proven to be an appealing target for adversaries.

"As APIs proliferate, so do their risks. More APIs are used to connect more applications, companies, suppliers, and customers, and over time, this network of APIs has exponentially expanded around the globe, touching every digital experience."

Organisations are dependent on APIs, so keeping them secure should be a key consideration for IT teams. This is a relatively new area of security and as such, there is a lack of knowledge on how to secure APIs and a lack of understanding that traditional security tools were not built to secure modern digital environments.

"You have this confluence of activities resulting in more API attacks," said Roberts. "API breaches, according to Gartner, are ten times larger than other breaches. Security teams need to understand that this is where the attackers have moved to because, in many organisations, APIs are largely under-protected. Every company should be worried about how it protects its customers' APIs.

"Not too long ago, security teams may have concluded that API attacks were only a potential threat. But the reality now is that breaches involving APIs are more frequent and recently the US Government has begun issuing fines for breaches involving APIs. The problem is real and security teams must have the mindset that a solution for this problem is critical."

Looking to the future, APIs are only going to become more important with the rise of AI. Specifically, Generative AI and Large Language Models (LLMs) are driving greater volumes of API usage. Behind the scenes, the prompts and responses are all powered by a network of APIs. "APIs are the plumbing behind GenAI so there's going to be security concerns that must be addressed. AI is adding to the scale of the API security problem."

API sprawl

The old security adage that you can only protect what you see is the first problem security teams face. Because of the ever-expanding number of APIs within each company, API sprawl is a painful reality. Getting visibility and creating an inventory of APIs is the first step in creating a modern API security program.

"During Akamai's API discovery process, it's not unusual to find 40 per cent more APIs than was estimated by the security team", said Roberts. "There is a big difference between what our customers expect and what is actually discovered. Inventories are bigger, and subsequently the attack surface is larger than anticipated. And every day, new APIs are deployed and the inventory changes."

Recently, Akamai reinforced its dedication to API security by acquiring Noname Security. This acquisition strengthens Akamai's current API security offerings and enables it to respond more effectively to rising customer demand and evolving market needs as API adoption continues to grow.

"The Noname acquisition also brought API testing capabilities to our API Security offering. As part of a Shift Left strategy, Akamai customers can now test an API before it's deployed and make sure any misconfigurations or vulnerabilities are fixed in pre-production."

While Web App and API Protection (WAAP) offers an additional layer of security beyond web application firewalls, WAAPs alone are not enough to fully defend against API abuse. API attacks typically take place over a period of time, so stopping them requires a more detailed understanding and monitoring of API traffic.

Akamai now offers a comprehensive API security suite, enabling customers to discover shadow APIs in any environment, test them before they are deployed, detect vulnerabilities, and identify runtime attacks.


This Article is sponsored by Akamai