APIs are everywhere, but API security is lacking

As the number of APIs spreading across the corporate infrastructure continues to grow, they’re fast becoming the largest attack surface in applications — and a big target for cyber attackers. 

The rise of increasingly integrated web and mobile-based offerings requiring data sharing across multiple companies’ products and the reliance of mobile apps on APIs has fueled growth and made API security one of the biggest challenges for CIOs today, industry experts say. A 2022 survey by 451 Research found that 41% of respondent organizations had an API security incident in the last 12 months; 63% of those noted that the incident involved a data breach or data loss.

Cybersecurity startup Wib is looking to zero in on API security and has announced a $16 million investment led by Koch Disruptive Technologies (KDT), the growth and venture arm of Koch Industries, Inc, with participation from Kmehin Ventures, Venture Israel, Techstars and existing investors. 

Blocking API attacks in the network

API security products were generally developed before API use expanded to the extent seen today and “were based upon the idea that it is asking for failure to insist developers secure the code they write,’’ according to a recently released GigaOm research report. Noting that “most developers do not knowingly create insecure code,” if they inadvertently develop code with vulnerabilities, it is likely because they are unaware of what vulnerabilities an API might suffer from. 

“Once API security was in use, though,” the report said, “IT quickly discovered a new reason to use a security product: Some vulnerabilities are far easier blocked in the network than in each and every application.”

The idea that it’s more effective to block some attacks in the network – which includes data centers, cloud vendors and SaaS providers — before access to the API occurs, has spurred demand for products that can do this, the GigaOm report said.

Wib said its API security platform aims to provide complete visibility across the entire API landscape, from code to production, helping unify software developers, cyber defenders, and CIOs around a single holistic view of their complete API domain. 

The platform’s capabilities include real-time inspection, management, and control at every stage of the API lifecycle to automate inventory and API change management, according to the company. Wib was designed to identify rogue, zombie, and shadow APIs and analyze business risk and impact, to help organizations reduce and harden their API attack surface. 

APIs have moved into the spotlight in the past couple of years, said Gil Don, CEO and co-founder of Wib. “Organizations are using them as the basis of a new generation of complex applications, underpinning their move to competitive and agile digital business models,’’ Don told VentureBeat. 

A whole new category of cyberthreats

APIs account for 91% of all web traffic and they fit with the trend towards microservices architectures and the need to respond dynamically to rapidly changing market conditions, he said. But APIs have given rise “to a whole new category of cybersecurity threats that explicitly targets them as a primary attack vector. Web API traffic and attacks are growing in volume and severity.” 

Over half of APIs are invisible to business IT and security teams, he maintained. “These unknown, unmanaged, and unsecured APIs are creating massive blind spots for CIOs that expose critical business logic vulnerabilities and increase risk,’’ Don said. 

For example, API attacks can result in account takeovers, personal data theft, and automated content scraping. Consequently, there are now API native systems taking on the legacy brands to detect and mitigate them, Don said. 

They include Noname Security, Salt Security, Cequance Security, APIsec, and 42Crunch, which all take very different approaches to address the problem, according to Don.

Traditional and legacy web security approaches, like WAFs and API gateways, were never designed to protect against modern logic-based vulnerabilities, he added. “The Wib platform has been purposely built for an API-driven world, creating a new category of API native security.”

The GigaOm report called out Wib for its API source code scanning and analysis “with an eye toward API weaknesses.” Further, it said Wib’s platform “provides automatic API documentation to create up-to-date documentation, as well as snapshots of changes to APIs and their risks every time they see a commit to code.”

Wib said the investment will be used to enhance Wib’s holistic API security platform and accelerate international growth as it expands operations across the Americas, UK and EMEA.