API security ‘arms race’ heats up

Enterprises are starting to catch on to the massive security risk that the pervasive use of application programming interfaces (APIs) can create, but many still need to get up to speed.

Poorly secured APIs have been recognized as an issue for years. Data breaches of T-Mobile and Facebook discovered in 2018, for instance, both stemmed from API flaws.

But API security has now come even more to the forefront with enterprises across all industries in the process of turning into digital businesses — a shift that necessitates lots and lots of APIs. The software serves as an intermediary between different applications, allowing apps and websites to access more data and gain greater functionality.

The implication of APIs in high-profile hacks such as the SolarWinds attack is also spurring more companies to pay attention to the issue of API security — though many still have yet to take action, says Gartner’s Peter Firstbrook.

“In most organizations, when I ask them who’s responsible for API security, there are blank stares around the table,” he said at the Gartner Security & Risk Management Summit — America’s virtual conference this week.

That needs to change, said Firstbrook, a vice president and analyst at the research firm. API security vendor Salt Security reported that its customer base saw a 348% increase in API-based attacks over the course of the first six months of 2021.

“APIs are an increasing attack point,” Firstbrook said. “The internet runs on APIs. There’s a huge need for API security.”

By 2022, the vast majority of web-enabled apps—90%—will have more surface area exposed for attack in the form of APIs than via the human user interface, according to Gartner research.

“This is a call to action [because] most of our security testing focuses on dynamic application security testing of the user interface,” said Neil MacDonald, a vice president and analyst at Gartner, during another session at the research firm’s conference this week.

“We’re saying, the bulk of the application is below the waterline—it’s APIs,” MacDonald said. “It’s program-to-program, system-to-system, application-to-backend—API calls. Those are now the new surface area for attack. They need to be part of your overall security strategy.”

Momentum in the market

Increasingly, businesses are starting to get the message. There are signs that more customers are investing to secure their APIs, while the number of products in the space also continues to expand.

Salt Security, which was founded in 2016 and has offices in Silicon Valley and Israel, has revealed the names of numerous customers including The Home Depot, data center operator Equinix, and telecom firm Telefónica. To fuel its growth, the company has announced raising $100 million over the past year, including a $70 million series C round in May.

A newer entrant in the space, Noname Security, reports rapid traction for its API security product since launching it in February.

The startup already counts among its customers two of the world’s five largest pharmaceutical firms, one of the world’s three largest retailers, and one of the world’s three largest telecoms, said Karl Mattson, chief information security officer at Noname Security. The Palo Alto, California-based company has raised $85 million since its founding in 2020, including a $60 million series B round in June.

Other firms with notable API security offerings include Akamai, Ping Identity, 42Crunch, Traceable, Signal Sciences (owned by Fastly), and Imperva—which this year bolstered its API security platform with the acquisition of a startup in the market, CloudVector.

Additional startups in the space include Neosec, which came out of stealth in September and announced a $20.7 million series A round, while established vendors that have introduced API protection features include Barracuda and Cloudflare.

But as evidenced by the Salt Security report on increased API-based attacks, it’s not just the defenders that are ramping up around the API security issue.

“It’s an arms race right now,” said Noname’s Mattson. “I think attackers are seeing that APIs are not overly complicated to attack and to compromise. And similarly, the defenders are rapidly coming to the realization, too.”

API exploits

The most frequent API-based attacks involve exploitation of an API’s authentication and authorization policies, he said. In these attacks, the hacker breaks the authentication and the authorization intent of the API in order to access data.

“Now you have an unintended actor accessing a resource, such as sensitive customer data, with the organization believing that nothing was awry,” Mattson said.

This so-called “leaky API” issue has been behind many of the highest-profile breaches related to APIs, he said.

Another issue is that API calls are now being used to start or stop a critical business process — for instance, a broadcasting company that initiates a broadcast stream or a power company that turns a home’s electricity on or off using an API call, Mattson said. That level of dependence on APIs raises the security stakes even further, he said.

Firstbrook said that the API security aspects of the SolarWinds attack also show how pivotal the issue can be.

Through the malicious code implanted in the SolarWinds Orion network monitoring software, the attackers gained access to an environment belonging to email security vendor Mimecast, he noted. And Mimecast — because it provides capabilities such as anti-spam and anti-phishing for Microsoft Office 365 users — had access to the Office 365 API.

Thus, through the Microsoft API key, the attackers gained access to the Exchange environments of a reported 4,000 customers, Firstbrook said. Mimecast, which published its report on the incident in March, declined to provide further comment to VentureBeat.

Ultimately, it’s clear that there is a need for a much greater focus on API security across industries, Firstbrook said.

“Part of the supply chain is built on APIs,” he said. “We really have to build a best practice around managing and understanding APIs, and securing APIs.”