By Ali Cameron
In the last two decades, businesses have evolved in many ways. They’ve become more digitally enabled, leveraged cloud-based technologies, and expanded their access to global playing fields. Another important shift has been in the relationship businesses have with data.
Today, companies have more access to data than ever before. From customer information to operational metrics and system performance, many companies are capturing and analyzing large swathes of data every day. This trend has led to the emergence of data-driven businesses that use the information they have available to them to make decisions around how they build out their roadmap, where to improve their performance, and how best to interact with their customers.
To get this right, a data-driven company needs to have a carefully crafted software application architecture. Applications and systems should be able to share data seamlessly, making it easy to review and analyze information to guide processes and decisions. At the heart of this architecture are application programming interfaces (APIs), which are key to facilitating the transfer of data from one place to another.
As data-driven businesses become increasingly reliant on APIs, however, they expose their business to more risk. APIs have become an appealing target for cybercriminals that seek access to corporate data, with the number of attacks growing steadily. In this article, we’re taking a closer look at why this is and how data-driven companies can do more to protect their valuable information.
The risk of APIs for data-driven businesses
APIs have been instrumental in accelerating the growth of data-driven enterprises. They ensure crucial connections to data and services, enable critical business operations, and make digital transformation possible. The problem is that all the benefits of APIs are also what make them prime candidates for attacks. If a bad actor is able to compromise an API — whether that’s by leveraging a user’s authentication or capitalizing on a logic flaw — they can get direct access to critical data and cause significant issues for the business.
API attacks have been growing steadily over the last few years. In fact, according to the Salt Security API Security Trends 2023 report, the number of API attacks spiked 400% at the end of December 2022 compared to a few months earlier. The report also cited that 94% of respondents had a security issue with their production APIs in the previous year. Issues included vulnerabilities (41%), authentication problems (40%), sensitive data exposure or privacy incidents (31%), and security breaches (17%).
These attacks not only put the company’s data at risk, but they can also pose a significant financial and reputational burden. Today, the average cost of a data breach is estimated to be $4.35 million.
The challenge with securing APIs
To stay ahead of these threats, businesses need to be proactive in protecting their data, and that requires a robust API security strategy. However, it’s important to note that this strategy can’t rely on traditional security solutions like web application firewalls, API gateways, or identity and access management. These technologies weren’t developed to prevent attacks on APIs, as they don’t account for the unique challenges APIs present:
- The API ecosystem is constantly changing. A rapid pace of development means that it’s close to impossible to be aware of all new and changed APIs. As a result, documentation is often incomplete or out of date, making it unreliable.
- Cybercriminals use a different approach when attacking APIs. Instead of following a “one-and-done” method that’s typical for most cyber attacks, bad actors understand that every API is unique and that they have to take their time crafting unique attacks that exploit business logic gaps. This makes it more difficult for traditional security methods to protect against them.
- Shift-left tactics don’t go far enough. While developers are introducing security testing earlier in the production lifecycle, these systems aren’t well equipped to uncover vulnerabilities that might result from API business logic gaps.
The good news is, these challenges can be mitigated with the right API security measures.
How data-driven businesses can better secure their APIs
When we talk about securing APIs, there are two core areas that need to be considered: development and testing, and production. Below is a list of best practices for each area that can help improve a company’s API security posture.
Development and testing:
- Establish secure coding and configuration standards for building and integrating APIs.
- Reduce exposure to sensitive data.
- Conduct design reviews that account for business logic gaps.
- Document all your APIs and maintain an accurate API inventory.
- Run security tests to identify configuration issues or vulnerabilities.
Production:
- Use logging and monitoring tools to detect attacks and respond to incidents.
- Leverage mediation tools to improve visibility and security.
- Implement automated tools to determine and log when an API has changed.
- Use the right combination of network security controls.
- Embed continuous authentication and authorization in your APIs.
- Deploy runtime protection functionalities.
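Several of the practices above (maintain an accurate API inventory, and determine and log when an API has changed) come down to comparing what you documented against what is actually deployed. The script below is an added example, not code from the article or from Tripwire: it diffs a previously recorded API inventory against a fresh export, reports added, removed and modified operations, and flags the changes that weaken security, such as an operation that no longer declares an authentication requirement. Both inventories are constructed sample data in a simplified OpenAPI-like shape (`paths` → HTTP method → operation with an optional `security` list); the shape, the `PREVIOUS_SPEC`/`CURRENT_SPEC` names and the severity rules are assumptions for the example.

```python
"""Detect and log drift between two API inventories (added example).

Compares a stored inventory of API operations against a freshly exported
one. Each difference is emitted as a JSON log line so a SIEM or ticketing
pipeline can pick it up. Changes that drop an authentication requirement,
or add an operation with none, are rated "high".
"""
from __future__ import annotations

import json

# HTTP methods that identify operations; other keys under a path
# (e.g. "parameters") are not operations and are ignored.
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed sample inventory recorded at the last review (assumed shape).
PREVIOUS_SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {"security": [{"bearerAuth": []}]},
            "delete": {"security": [{"bearerAuth": []}]},
        },
        "/orders": {
            "get": {"security": [{"bearerAuth": []}]},
        },
    }
}

# Constructed sample inventory exported from the running service today.
CURRENT_SPEC = {
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path"}],  # not an operation
            "get": {"security": [{"bearerAuth": []}]},
            # DELETE /users/{id} has disappeared
        },
        "/orders": {
            "get": {"security": []},                         # auth requirement dropped
            "post": {"security": [{"bearerAuth": []}]},      # new, authenticated
        },
        "/admin/export": {
            "get": {},                                       # new, no security declared
        },
    }
}


def flatten(spec: dict) -> dict[tuple[str, str], dict]:
    """Map (METHOD, path) -> operation object for every operation in the spec."""
    ops: dict[tuple[str, str], dict] = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                ops[(method.upper(), path)] = op
    return ops


def requires_auth(op: dict) -> bool:
    """An operation is treated as authenticated only if it declares a non-empty security list."""
    return bool(op.get("security"))


def diff_inventory(old: dict, new: dict) -> list[dict]:
    """Return one finding per added, removed or modified operation."""
    old_ops, new_ops = flatten(old), flatten(new)
    findings: list[dict] = []

    for method, path in sorted(new_ops.keys() - old_ops.keys()):
        auth = requires_auth(new_ops[(method, path)])
        findings.append({"change": "added", "method": method, "path": path,
                         "auth_required": auth,
                         "severity": "info" if auth else "high"})

    for method, path in sorted(old_ops.keys() - new_ops.keys()):
        # A removed operation is not a weakening, but clients and docs may be stale.
        findings.append({"change": "removed", "method": method, "path": path,
                         "severity": "info"})

    for method, path in sorted(old_ops.keys() & new_ops.keys()):
        before, after = old_ops[(method, path)], new_ops[(method, path)]
        if before == after:
            continue
        was, now = requires_auth(before), requires_auth(after)
        findings.append({"change": "modified", "method": method, "path": path,
                         "auth_before": was, "auth_after": now,
                         "severity": "high" if was and not now else "info"})
    return findings


def high_severity(findings: list[dict]) -> list[tuple[str, str]]:
    """(METHOD, path) pairs that need a security review before the change ships."""
    return [(f["method"], f["path"]) for f in findings if f["severity"] == "high"]


def format_log_line(finding: dict) -> str:
    """One structured JSON line per finding, suitable for a log pipeline."""
    return json.dumps(finding, sort_keys=True)


if __name__ == "__main__":
    for finding in diff_inventory(PREVIOUS_SPEC, CURRENT_SPEC):
        print(format_log_line(finding))
```

In practice the two inputs would be the inventory stored at the last review and an export generated from the running service (or its gateway) on every deploy; running the diff in CI and failing the build on any `high` finding turns the "document all your APIs" practice into a gate rather than a periodic clean-up.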
Companies that successfully deploy these strategies are not only able to reduce their risk exposure, they’re also better positioned to make the most of their APIs and drive their business forward. That’s a win-win in our books.
Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space. She is also a regular writer for Bora.