The landscape of API security is evolving rapidly, driven by increasing complexities in IT environments, the proliferation of third-party APIs, and the rise of generative AI applications. These factors are expanding the attack surface and introducing new vulnerabilities that traditional security measures struggle to address. The 2025 State of API Security Report by Traceable AI highlights these challenges, revealing that 57% of organizations have suffered API-related breaches in the past two years, with many experiencing multiple incidents. This comprehensive study, based on insights from over 1,500 IT and cybersecurity professionals, underscores the urgent need for more robust, purpose-built API security solutions.

The new 2025 State of API Security Report provides a detailed analysis of the latest trends, challenges, and best practices in API security. It examines the increasing prevalence of bot attacks and fraud, the risks associated with third-party APIs, and the security implications of generative AI applications. The report also highlights the inadequacy of traditional security solutions like Web Application Firewalls (WAFs) and API gateways in protecting against these evolving threats. By offering a thorough overview of how organizations are addressing these critical security challenges, the report aims to equip security leaders with the knowledge needed to make informed decisions and prioritize their API security efforts effectively.

Key Findings:

  • API-Related Data Breaches Remain a Major Issue: Over the past two years, 57% of organizations experienced an API-related data breach, with 73% of these facing three or more incidents. Alarmingly, 41% reported five or more breaches, highlighting a widespread failure in API defenses and underscoring the need for dedicated API security solutions.
  • Traditional Security Measures Fall Short for API Protection: Despite the use of various security tools, including legacy WAFs, CDNs, and Gateways, only 19% of organizations consider their defenses to be highly effective. Additionally, 53% acknowledge that traditional solutions like WAFs and WAAPs are inadequate for detecting or preventing fraud at the API level.
  • Generative AI Applications Introduce New Security Challenges: A significant 65% of organizations believe that generative AI applications pose a serious to extreme risk to their APIs. Furthermore, 60% indicate that the additional API integrations required for these applications increase their attack surface, with the same percentage expressing concerns about sensitive data exposure and unauthorized access.
  • Bot Attacks and Fraud are Pervasive: More than half (53%) of organizations have encountered one or more bot attacks targeting their APIs, and 44% identify bot mitigation as a primary challenge. Fraud is also a major concern, ranking as the second most common cause of API-related data breaches among respondents.
  • Third-Party APIs Present Significant Risks: Organizations now utilize an average of 131 third-party APIs, a slight increase from last year’s 127. However, only 16% report a high capability to mitigate these external risks, leaving a substantial portion of their attack surface vulnerable.

Traceable’s annual research provides a comprehensive overview of the constantly changing API security landscape, highlighting key risks and emerging trends. By meticulously tracking these developments, the report hopes to guide security leaders with critical insights needed to make strategic decisions and address the most pressing security challenges. The goal is to ensure that as APIs remain integral to business operations, organizations are equipped with the knowledge to effectively safeguard their vital assets.


The post 2025 Global State of API Security Report – New Data Shows API Breaches Continue to Rise Due to Fraud, Bot Attacks, and GenAI Risks appeared first on Cybersecurity Insiders.

APIs are at the core of modern technology stacks and power organizations’ digital operations. Because they facilitate seamless connections between customers and vital data and services, it is no surprise that API usage has accelerated and continues to do so. Given the amount of sensitive information transmitted through them, malicious actors have also taken a keen interest in APIs, devising new attack tactics to exploit them discreetly. API attacks have plagued organizations of all sizes in recent times, implicating some of the largest global brands such as Dell and T-Mobile, in attacks that have led to the theft of personally identifiable information (PII) of millions of customers.

The proliferation of generative AI (GenAI) technology also introduces another layer of complexity, enabling developers to create new APIs at scale within minutes. Organizations’ API ecosystems are growing exponentially, and security teams, as well as traditional protective solutions like API gateways and web application firewalls (WAFs), are ill-equipped to keep pace with changing API dynamics. Generative AI also gives malicious actors a leg up, providing the means to launch more plausible attack campaigns in higher volumes and to create entirely new AI-based attacks that can evade existing security parameters.

Our recent research report, the Salt Security State of API Security Report 2024, exposed many of the ongoing critical challenges that organizations face when trying to secure their API ecosystems. Most alarmingly, almost all (95%) of our survey respondents experienced security problems in production APIs within the past 12 months, with 23% suffering breaches due to API security inadequacies. This paints a clear picture: traditional API security controls and mechanisms are no match for protecting APIs, given their complexity, varying use cases and unique behavioral attributes. In addition, the steep rise in API usage contributes to this problem, with nearly two-thirds (66%) managing more than 100 APIs.

The research also uncovered that most API security programs remain predominantly immature, despite nearly half (46%) indicating that API security is a C-level discussion within their organization. Less than 10% of organizations have an advanced API security program, and over one-third (37%) of organizations with APIs running in production do not have an active API security strategy. While rising threat levels have forced organizations to expedite their API security efforts and adopt purpose-built solutions, an accompanying strategy is often an afterthought. This component is essential for ensuring APIs are protected across their complete lifecycle.

A successful API security strategy starts with deep and continuous discovery to find all APIs within the ecosystem. This knowledge helps to establish a robust API security posture governance program that spans from initial design to deployment. API posture governance programs help organizations gain complete assurance about their API landscape and acquire API asset intelligence, which can then be leveraged to eliminate blind spots and establish corporate-wide security standards and regulations across their entire API ecosystem. Posture governance provides the foundation for effective threat protection: API attacks are predominantly logic-based, so API behavioral anomaly detection is difficult and requires a substantial volume of data and cloud compute power to identify anomalous behavior accurately.

An API posture governance program provides organizations with the necessary context and API intelligence to establish and maintain a robust security baseline. This comprehensive understanding allows security teams to proactively identify and mitigate potential risks, ensuring that APIs adhere to established standards and best practices throughout their lifecycle. By continuously monitoring and assessing API configurations and vulnerabilities, organizations can effectively reduce their attack surface and minimize the likelihood of a security incident. While only 10% of organizations currently have an API posture governance strategy in place, according to our research, many organizations acknowledge its importance, and nearly half (47%) plan to implement such a strategy within the next 12 months.
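As an added illustration that is not from the article or Salt Security, the following Python sketches the discovery-versus-inventory comparison that posture governance rests on: endpoints observed in a constructed gateway log are normalised and checked against a constructed OpenAPI-style inventory to surface shadow endpoints (blind spots), operations with no declared security requirement, and deprecated operations still receiving traffic. The inventory, the log lines and the standard being enforced are all assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory in the shape of a minimal OpenAPI "paths" object (assumption).
# Standard assumed for this example: every operation must declare a security
# requirement (an empty list marks a deliberately public endpoint), and
# operations marked deprecated must no longer receive traffic.
API_INVENTORY = {
    "/v1/accounts/{id}": {
        "get": {"security": [{"bearerAuth": []}]},
        "delete": {"security": [{"bearerAuth": []}], "deprecated": True},
    },
    "/v1/accounts/{id}/transactions": {
        "get": {"security": [{"bearerAuth": []}]},
    },
    "/v1/health": {
        "get": {"security": []},   # intentionally public
    },
    "/v1/internal/export": {
        "post": {},                # no security requirement declared at all
    },
}

# Constructed gateway access log, one request per line: "<method> <path> <status>".
ACCESS_LOG = """\
GET /v1/accounts/1042 200
GET /v1/accounts/1042/transactions 200
DELETE /v1/accounts/77 204
GET /v1/health 200
POST /v1/internal/export 200
GET /v2/accounts/1042/profile 200
GET /v1/debug/config 200
"""

ID_SEGMENT = re.compile(r"^\d+$")


def normalise_path(path):
    """Collapse purely numeric path segments to {id} so observed paths match spec templates."""
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))


def discover_endpoints(log_text):
    """Return {(METHOD, path_template): hit_count} built from raw access-log lines."""
    seen = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        seen[(method.upper(), normalise_path(path))] += 1
    return dict(seen)


def posture_findings(inventory, observed):
    """Compare discovered traffic with the inventory and report posture gaps.

    Each finding is (kind, METHOD, path_template, observed_hits).
    """
    findings = []
    documented = {(m.upper(), p) for p, ops in inventory.items() for m in ops}
    # Traffic to endpoints nobody documented: the blind spots discovery is meant to remove.
    for (method, path), hits in sorted(observed.items()):
        if (method, path) not in documented:
            findings.append(("shadow_api", method, path, hits))
    # Documented endpoints that violate the assumed corporate standard.
    for path, ops in inventory.items():
        for method, op in ops.items():
            key = (method.upper(), path)
            if "security" not in op:
                findings.append(("missing_security_requirement", key[0], path, observed.get(key, 0)))
            if op.get("deprecated") and observed.get(key, 0) > 0:
                findings.append(("deprecated_still_in_use", key[0], path, observed[key]))
    return findings


if __name__ == "__main__":
    for finding in posture_findings(API_INVENTORY, discover_endpoints(ACCESS_LOG)):
        print(finding)
```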

Protecting APIs requires organizations to take this proactive approach. While implementing purpose-built solutions that can detect malicious actors and behavioral anomalies is crucial, it must also be accompanied by ongoing posture governance initiatives that improve overall API security posture. These initiatives will prevent cybercriminals from evading an organization’s perimeter in the first instance and create stronger, more compliant API ecosystems.


The post The Fundamentals to API Security Success appeared first on Cybersecurity Insiders.

  • FireTail announces a free version of its enterprise-level API security tools, making them accessible to developers and organizations of all sizes.
  • FireTail’s unique combination of open-source code libraries, inline API call evaluation, security posture management, and centralized audit trails helps eliminate vulnerabilities and protect APIs in real-time.
  • The free plan covers up to 5 APIs, includes 1M API call logs per month, offers 7 days of data retention, and provides clear developer support.

FireTail, a disruptor in API security, unveils free access for all to its cutting-edge API security platform. This initiative opens the door for developers and organizations of any size to access enterprise-level API security tools. 

Today, over 80% of all internet traffic is computer-to-computer communication via APIs. Every mobile app, IoT device, and most modern software applications use APIs, creating a broad attack surface for potential threats. FireTail’s hybrid approach to API security blends open-source code libraries with a feature-packed cloud platform and equips businesses with a unique suite of tools to eliminate API vulnerabilities and provide robust runtime API protection. 

“API security is essential for modern applications, and every developer and tech team should have access to effective security tools,” said Jeremy Snyder, CEO and Co-Founder of FireTail. “Security through obscurity is no longer a viable approach. We’re on a mission to secure all of the world’s APIs and our new free plan ensures ongoing access to an API security platform that delivers genuine insight into the most pressing attack vectors – design flaws in APIs. It’s perfect for smaller organizations striving for stronger API protection, and a great way for individuals or teams within larger organizations to get started.”

Riley Priddle, Co-Founder and CTO at FireTail, added, “We’re excited to help organizations of all sizes to better protect their APIs. We want FireTail to become the de facto standard when it comes to API security. Just because you have a small number of APIs, it doesn’t mean they aren’t critical. We want everyone to have access to the best, enterprise-level API security tools. That’s why we offer both this free tier, as well as our open source libraries.”

For developers and small to medium-sized organizations needing to secure up to 5 APIs, FireTail’s free tier includes comprehensive API security features such as discovery, inventory, assessment, detection and response, and inline runtime protection. Key features include:

  • Protection for up to 5 APIs
  • 1M API calls per month
  • 7 days of logging retention

Thomas Martin, Founder at NephoSec, shared, “We’ve been working with FireTail from the outset as both a customer and a distribution partner. Having proven that the platform works for even the largest enterprises with the most complex API security requirements, it’s great to see the team opening that technology up to everyone. This will enable us to solve API security challenges for organizations of all shapes and sizes.”

To access the FireTail API security platform, users can visit https://www.firetail.app or join the team on Tuesday, July 2nd for an in-depth look at what FireTail’s free tier can do.

About FireTail

FireTail allows customers to solve all the most critical problems facing APIs today with a hybrid approach, bringing together cloud, application and code with full blocking capabilities to solve the root causes of API data breaches – flaws at the application and business logic layer in authentication, authorization and data handling. Headquartered in McLean, VA, with offices in Dublin, Ireland, and Helsinki, Finland, FireTail is backed by leading investors, including Paladin Capital, Zscaler, General Advance, and SecureOctane. Users can learn more at https://www.firetail.io.

The post FireTail Unveils Free Access for All to Cutting-Edge API Security Platform appeared first on Cybersecurity Insiders.

Traceable AI just released a report on the escalating concerns surrounding API security within the financial services sector. The comprehensive study, which canvassed insights from over 150 cybersecurity experts across the United States, reveals a landscape fraught with vulnerabilities and a pressing need for robust security protocols.

Financial Sector at a Regulatory Crossroads: API Security in the Spotlight 

The report paints a stark picture of the financial industry grappling with the complexities of API integration. With a staggering 82% of institutions voicing concerns over regulatory compliance, including adherence to FFIEC, OCC, CFPB, and PCI-DSS standards, the urgency for stringent API security measures has never been more apparent.

Visibility and Context: The Achilles’ Heel of API Security 

A concerning 64% of respondents admit to a lack of clarity in correlating API activities with user interactions and data trajectories, significantly impeding their threat detection capabilities. This blind spot in understanding the intricate dance of APIs, user behavior, and data movement is a glaring vulnerability in the sector’s defense strategy.

APIs: The Conduits to Sensitive Data 

APIs have become the linchpins of financial operations, routinely handling sensitive information such as personal identification (60%), authentication details (60%), payment card data (56%), and geolocation insights (55%). This makes them attractive targets for cyber adversaries, underscoring the need for fortified security measures.

The Triad of API Security Challenges 

The trifecta of unauthorized access (35%), data exfiltration (33%), and vulnerability detection (30%) constitutes the primary security hurdles for financial entities. These challenges underscore the sector’s struggle to safeguard against the unauthorized exploitation of API gateways.

Fraudulent Activities Dominate API Breach Landscape 

A significant 42% of institutions that have suffered API breaches attribute the incidents to fraudulent activities, highlighting a pervasive issue of abuse and misuse. Moreover, a mere 15% express high confidence in their ability to thwart API-centric fraud, indicating a critical gap in current security postures.

The Ripple Effects of API Breaches 

The repercussions of API breaches extend far beyond immediate data compromise. Brand integrity and customer trust, both affected in 41% of cases, emerge as the top casualties, followed closely by financial repercussions (36%) and client turnover (35%).

The Traceable AI report underscores the pressing need for heightened API security within the financial sector, highlighting an urgent call to action for institutions to address their vulnerabilities. As APIs become integral to financial operations, the sector faces significant challenges, including regulatory compliance, visibility issues, and safeguarding sensitive data.

The post Navigating the API Threat Landscape in Finance appeared first on Cybersecurity Insiders.

[By Doug Dooley, COO, Data Theorem]

The rise of OpenAI and new changes with ChatGPT-4 Turbo will help to revolutionize the way financial services organizations take advantage of their data, enabling them to scale their analysis rapidly and stay agile in a fast-paced digital environment. However, the number of enterprise Application Programming Interfaces (APIs) used to connect and share data with GenAI systems such as OpenAI has also brought new risks and vulnerabilities to the forefront. With every new API integration that OpenAI gets access to, the attack surface of a financial organization grows, creating new opportunities for attackers to exploit vulnerabilities and gain access to sensitive customer and financial data.

APIs have become the backbone of modern digital ecosystems, allowing financial organizations to streamline operations, automate processes, and provide seamless user experiences. They are the data transporters for all cloud-based applications and services. APIs act as intermediaries between applications, enabling them to communicate with each other and exchange data. They also provide access to critical services and functionality in your cloud-based applications. If an attacker gains access to your APIs, they can easily bypass security measures and gain access to your cloud-based applications, which can result in data breaches, financial losses, compliance violations, and reputational damage. For hackers looking to have the best return on investment (ROI) of their time and energy for exploiting and exfiltrating data, APIs are one of the best targets available today.

It’s clear these same APIs that enable innovation, revenue, and profits also create new avenues for attackers to achieve successful data breaches for their own gains. As the number of APIs in use grows, so does the attack surface of a financial organization. According to an industry study by Enterprise Strategy Group (ESG) titled “Securing the API Attack Surface”, the majority (75%) of organizations typically change or update their APIs on a daily or weekly basis, creating a significant challenge for protecting the dynamic nature of API attack surfaces.

API security is critical because APIs are often a critical link in the security chain of modern applications. Developers often prioritize speed, features, functionality, and ease of use over security, which can leave APIs vulnerable to attacks. Additionally, cloud-native APIs are often exposed directly to the internet, making them accessible to anyone. This can make it easier for hackers to exploit vulnerabilities in your APIs and gain access to your cloud-based applications. As evidence, the same ESG study also revealed that almost all (92%) organizations have experienced at least one security incident related to insecure APIs in the past 12 months, while the majority of organizations (57%) have experienced multiple security incidents related to insecure APIs during the past year.

One of the biggest challenges for banks and other financial service organizations is protecting their APIs and proprietary data from OpenAI and other generative AI tools. With ChatGPT-4 Turbo, the technical and cost barriers for experimentation on APIs and data have substantially lowered. Further, the new support for API keys, the OAuth 2.0 workflow, and Microsoft Azure Active Directory opens up enterprise data like never before. As a result, the popularity and growth of Enterprise AI assistants enabled by tools such as OpenAI’s Playground and the new “My ChatGPT” creator will invite an onslaught of new users attempting to gain greater insights on proprietary banking data. The intention for nearly all these new Enterprise AI experiments will be to help customers get better financial services and insights, but as the popularity and usage of Enterprise AI continue to surge, financial institutions will find themselves facing a unique dilemma. On one hand, the potential benefits of harnessing AI-powered tools like OpenAI’s Playground for automating tasks, enhancing customer experiences, and increasing their clients’ wealth are enticing. On the other, this newfound capability opens the door to unforeseen vulnerabilities, as these AI agents access and interact with sensitive financial APIs and private data sources.

The advent of Enterprise AI assistants introduces a host of security concerns for the financial sector. One immediate concern is the potential for unintended data exposure or leakage as AI systems learn and adapt to their environment. While AI-driven tools aim to streamline processes and improve decision-making, they also have the capacity to inadvertently access or expose critical financial data, likely violating many privacy laws such as the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and California Consumer Privacy Act (CCPA) to name a few. Financial institutions must carefully monitor and regulate these interactions to prevent unauthorized access or misuse of sensitive information.

Furthermore, financial service companies must grapple with the challenge of securing their APIs against malicious actors who may exploit AI-powered systems for nefarious purposes. The integration of AI agents into financial processes creates an additional attack surface that can be targeted by cybercriminals seeking to breach systems, steal valuable data, or disrupt operations. Robust security measures and continuous monitoring are essential to mitigate these risks and safeguard against potential breaches.

As Enterprise AI assistants become increasingly prevalent within the financial services sector, institutions must strike a delicate balance between harnessing the potential of AI for innovation and ensuring the highest standards of data protection and cybersecurity. A proactive and comprehensive approach to API security, data governance, and AI-assisted decision-making is paramount to navigating these new challenges successfully while maintaining the trust of customers and regulatory bodies.

When it comes to securing APIs and reducing attack surfaces to help protect against ChatGPT-related threats, the Cloud Native Application Protection Platform (CNAPP) is a newer security framework that protects cloud-native applications against a range of API attacks. CNAPPs do three primary jobs: (1) artifact scanning in pre-production; (2) cloud configuration and posture management scanning; (3) runtime observability and dynamic analysis of applications and APIs, especially in production environments. With a CNAPP scanning pre-production and production environments, an inventory of all APIs and software assets is generated. If the dynamically generated inventory of cloud assets has APIs connected to them, ChatGPT, OpenAI, and other AI and ML libraries can be discovered. As a result, CNAPPs help identify these potentially dangerous libraries connected to enterprise APIs and add layers of protection that prevent them from causing unauthorized exposure through API attack surfaces, protecting your organization’s reputation and clients’ private data and building trust with your customers.

Ultimately, the key to managing the risks posed by expanding API attack surfaces with ChatGPT is to take a proactive approach to API management and security. When it comes to cloud security, CNAPP is well suited for financial organizations with cloud-native applications, microservices, and APIs that require application-level security. API security is a must-have when building out cloud-native applications, and CNAPP offers an effective approach for protecting expanding API attack surfaces, including those caused by ChatGPT.

The post Beware of OpenAI and ChatGPT-4 Turbo in Financial Services Organizations’ Growing API Attack Surface appeared first on Cybersecurity Insiders.

[By Tyler Shields, Vice President at Traceable AI]

As we step into 2024, the landscape of API security is at a critical juncture. The previous year witnessed a significant escalation in API-related breaches, impacting diverse organizations and bringing to light the critical vulnerabilities in API security. This surge not only accentuated the essential role of APIs in our digital ecosystem but also catalyzed a much-needed shift in focus towards their security. And with regulatory bodies like the FFIEC now acknowledging APIs as distinct attack surfaces, the stage is set for a deeper understanding and reinforcement of API defenses.

Looking ahead, the key question is: what new trends and challenges will define the realm of API security in 2024?

The Explosive Growth of APIs: Brace for Impact

As we approach 2024, the digital landscape is poised to witness an exponential growth in API usage, a trend that signifies a profound transformation in how digital services are deployed and interconnected. This surge is not merely a quantitative increase but a qualitative shift, reflecting the deeper integration of digital technologies in organizational operations. The transition to cloud computing, still far from completion, is a key driver of this expansion. As organizations continue moving applications and workloads into the cloud, we’re seeing a consequential shift in infrastructure. This shift, often referred to as the atomization of applications, involves breaking down applications into smaller, more manageable components, each potentially interfacing through its own API.

This next phase of cloud transformation is expected to dramatically increase the number of APIs, as these atomized applications require extensive intercommunication. While this growth facilitates greater flexibility and scalability in digital operations, it also introduces the challenge of API sprawl, where organizations struggle to manage the sheer volume of APIs within their ecosystems. However, the primary focus for 2024 remains on the sheer scale of API integration and deployment. As APIs become more central to organizational infrastructure, they create new opportunities for innovation and efficiency, but also raise critical concerns in security and management. The ability to effectively harness this growth, balancing the benefits with the complexities it introduces, will be a defining factor in the success of digital strategies in the coming year.

Emerging Threats in Data Quantity and Storage, and Role of AI

As we navigate the digital transformation, a critical challenge emerges in the realm of data quantity and storage, exacerbated by the exponential growth of the communication patterns. This issue transcends the traditional cybersecurity approach of merely blocking attackers or direct attacks against APIs. The real challenge lies in managing the colossal volumes of data amassed from extensive API interactions, now centralized in vast digital repositories. The pivotal question is: how do we ensure that this data is accessed exclusively by appropriate, authenticated, and authorized personnel? Moreover, how do we prevent sensitive data from being exposed to unauthorized individuals or systems?

This dilemma is not just about securing data; it’s about redefining how we perceive and handle cybersecurity. The complexity is magnified when we consider the role of AI in this landscape. AI models, which are increasingly integral to our digital ecosystem, require training on large data sets. The volume of data used for this purpose has skyrocketed, with computational capacities doubling every six months since 2010. In this context, AI becomes more than a technological tool; it represents a new paradigm of API interaction, where AI systems, accessing data via APIs, pose complex questions and analyses.

This scenario presents a multifaceted challenge. On one hand, we have the ‘data in’ aspect, involving the influx of information into these systems. On the other, there’s the ‘data out’ component, where the output and its implications, particularly regarding privacy and fraud, become a concern. For instance, the potential for AI to ask questions or rephrase queries in ways that might inadvertently breach privacy or security protocols illustrates the intricate nature of this challenge.

Addressing these issues requires a nuanced approach to authentication, authorization, and privacy. The complexity of ensuring the security and integrity of data, both incoming and outgoing, in these vast, interconnected systems cannot be overstated. It’s a formidable task, yet not insurmountable. API security technologies stand at the forefront of this challenge, poised to develop solutions that can effectively navigate and secure this intricate web of data interactions. As we look towards the next three years, the evolution of these technologies will be pivotal in shaping a secure digital future, where data security is not just a feature but a foundational aspect of our cybersecurity infrastructure.

2024: The Year of API Breaches

This prediction isn’t unfounded, considering the recent statistics revealing that 60% of organizations reported an API-related data breach in the past two years, with a staggering 74% of these involving at least three API-related incidents.

This trend underscores a critical reality: APIs have become the universal attack vector in the digital world. Beyond the traditional realms of social engineering and cloud misconfiguration attacks, which themselves often leverage APIs, it’s becoming increasingly challenging to identify cyber attacks that don’t have their roots in API vulnerabilities.

APIs are rapidly evolving into the superhighway of digital communication within our infrastructure. As their usage broadens and becomes more complex, the necessity for robust API security measures escalates. In 2024, we anticipate that API security will no longer be an afterthought but a fundamental standard in cybersecurity strategies, pivotal in preventing the next wave of major digital breaches.

Contextual Intelligence – The Keystone of API Security in 2024

In 2024, a key driver in enhancing API security will be the comprehensive collection and analysis of data to create context. This approach marks a significant evolution in our security techniques, shifting from traditional perimeter-based defenses to a more nuanced understanding of each interaction within the API ecosystem. The focus is on securing the vast quantities of data that flow in and out through APIs by meticulously gathering and analyzing the surrounding data of each request to build a rich context that allows deeper analysis. This involves a detailed examination of the APIs themselves – their structure, expected data flow, and typical usage patterns. It also includes identifying what constitutes normal and abnormal behaviors within these interactions. By aggregating this information into a contextual dataset, we can apply advanced AI analysis to discern broader results and subtle anomalies.

This shift in strategy represents a move from basic, binary security queries – such as “Are you authenticated?” or “Is this connection secure?” – to more complex, AI-driven interrogations that mimic human analytical skills. Questions like “Does this data transaction contain any information that should not be leaked?” or “Is this pattern of API use indicative of a potential security threat?” become central to our security protocols. This level of inquiry requires a deep understanding of API interactions, far beyond surface-level authentication checks.
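The contrast described above, as an added Python example that is not from the article or Traceable AI: a binary credential check is run beside a contextual check that builds per-client behaviour (distinct objects touched, sequential ID walking, request bursts) from a constructed API access log. The log format, field names and thresholds are assumptions; a real deployment would derive thresholds from an observed baseline.

```python
import re
from collections import defaultdict

# Constructed access log (assumption): epoch_seconds client_id auth_ok path status resp_bytes.
# Client c9 passes the binary credential check on every request, yet its pattern
# (walking consecutive account IDs in a six-second burst) is what context should catch.
LOG = """\
1700000000 c1 yes /v1/accounts/1042 200 812
1700000005 c1 yes /v1/accounts/1042/transactions 200 4400
1700000009 c2 yes /v1/accounts/2210 200 790
1700000013 c2 yes /v1/accounts/2210/transactions 200 3900
1700000020 c3 no /v1/accounts/3001 401 0
1700000030 c9 yes /v1/accounts/5000 200 805
1700000031 c9 yes /v1/accounts/5001 200 810
1700000032 c9 yes /v1/accounts/5002 200 799
1700000033 c9 yes /v1/accounts/5003 200 811
1700000034 c9 yes /v1/accounts/5004 200 803
1700000035 c9 yes /v1/accounts/5005 200 808
"""

ACCOUNT_RE = re.compile(r"^/v1/accounts/(\d+)")


def parse_log(text):
    """Parse the constructed log lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, auth_ok, path, status, size = line.split()
        m = ACCOUNT_RE.match(path)
        records.append({
            "ts": int(ts), "client": client, "auth_ok": auth_ok == "yes",
            "path": path, "status": int(status), "bytes": int(size),
            "account": int(m.group(1)) if m else None,
        })
    return records


def binary_verdicts(records):
    """The traditional question: did every request from this client carry a valid credential?"""
    ok = defaultdict(lambda: True)
    for r in records:
        ok[r["client"]] = ok[r["client"]] and r["auth_ok"]
    return dict(ok)


def longest_sequential_run(ids):
    """Longest run of account IDs that increase by exactly one, in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def max_burst(timestamps, window):
    """Largest number of requests falling inside any sliding window of `window` seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def contextual_findings(records, window=10, enum_threshold=3, seq_threshold=4, burst_threshold=5):
    """Build per-client context and return {client: [reasons]} for clients worth a closer look.

    Only successful (200) object reads count towards enumeration; thresholds are assumptions.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    findings = {}
    for client, recs in by_client.items():
        ids = [r["account"] for r in recs if r["account"] is not None and r["status"] == 200]
        reasons = []
        distinct = len(set(ids))
        if distinct > enum_threshold:
            reasons.append(f"distinct_accounts={distinct}")
        run = longest_sequential_run(ids)
        if run >= seq_threshold:
            reasons.append(f"sequential_id_walk={run}")
        burst = max_burst([r["ts"] for r in recs], window)
        if burst > burst_threshold:
            reasons.append(f"burst={burst}/{window}s")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    recs = parse_log(LOG)
    print("binary:", binary_verdicts(recs))
    print("contextual:", contextual_findings(recs))
```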

The future of API security, therefore, hinges on the ability of security technologies to amass and intelligently analyze the richest and most comprehensive sets of contextual data. The technologies that excel in capturing this depth and breadth of information will be best equipped to navigate the sophisticated security landscape of 2024, ensuring robust protection against increasingly complex threats.

The Bottom Line

The trends we’ve identified call for a proactive reimagining of cybersecurity strategies, where the focus shifts from reactive defense to anticipatory resilience. This evolution demands more than just technological upgrades; it requires a paradigm shift in our understanding of digital ecosystems. The integration of AI, the management of sprawling APIs, and the safeguarding of vast data repositories are not isolated tasks but parts of a cohesive strategy to fortify our digital infrastructures. In this context, the insights from 2024 serve as a beacon, guiding us towards a future where cybersecurity is dynamic, intelligent, and integral to the fabric of our digital existence.

As we navigate these waters, the real measure of success will be our ability to not just defend against emerging threats but to adapt and thrive in an ever-evolving digital landscape.

The post API Security in 2024: Navigating New Threats and Trends appeared first on Cybersecurity Insiders.

[By Andy Grolnick, CEO, Graylog]

In the past couple of years, there has been explosive growth in API usage as API-related solutions have enabled seamless connectivity and interoperability between systems. From facilitating data exchange to cross-platform functionality, companies with an API-first approach have more performant financial outcomes. According to Postman’s 2023 State of the API Report, roughly 66% of participants indicated that their APIs contribute to generating revenue. Among this group, 43% specifically mentioned that APIs account for over a quarter of their company’s total revenue. Moreover, the rise of the API economy has spurred organisations to open up their services, fostering collaboration, and enabling the creation of new products and services through third-party integrations.

As the popularity of APIs has grown, so have the security risks they pose to organisations. A recent ESG survey on API security showed that 92% of organisations using APIs have experienced a breach in the past 12 months. APIs hold valuable data such as personal user data, financial details, or business-critical information. In sectors such as financial services, APIs can be exploited to manipulate financial transactions or steal credentials for direct financial gain. What makes API attacks increasingly concerning is their low barrier to entry. APIs have publicly accessible documentation. Exploiting vulnerabilities is not a complicated task for hackers, granting them unauthorised entry to manipulate endpoints, leading to potential data breaches and gaining control over systems.

That is why it’s strange that, for many CISOs, APIs remain a critically under-protected attack surface: API security falls into a no-man’s land. API security is usually the remit of security teams, but the APIs themselves are developed by product teams who tend to prioritise speed and time-to-market. Hence security teams have relied on developers to address issues as the products are being built.

Unfortunately, we anticipate that this Achilles heel will be exploited by bad actors in 2024. It is important that CISOs and their teams understand their organisation’s API risk posture when developing an API security strategy for the next 12 months. It will be up to CISOs to drive initiatives between security and product teams to ensure visibility into APIs and devise strategies to mitigate potential threats.

All is not lost. Enterprises are now waking up to the dire need for API security, and CISOs have a significant role to play in safeguarding their environment.  

We delve into the top challenges we expect CISOs to face in 2024 in securing APIs and how they can overcome these growing concerns to bolster their organisations’ security posture.

Authenticated Attacks

Protecting against API threats will be a major challenge CISOs should be ready to face as traditional, perimeter-based solutions are ineffective at identifying such threats.

Hackers are finding innovative ways to gain authenticated user access, and with low-cost APIs they can pose as real customers or partners. Additionally, as nation-state-backed cybercriminal groups are on the rise, criminals have more resources with which to pay for access and become customers. Insiders will deliberately exploit their authorised access to steal sensitive data, manipulate API endpoints, or perform unauthorised actions, leading to data breaches, service disruptions, or system compromise.

WAFs only inspect HTTP requests, and newer perimeter-based API security solutions that likewise track user requests but not responses do not provide full fidelity of the API traffic. The actions of malicious customers or partners will appear legitimate because they come from authenticated users. Securing APIs in a modern threat landscape requires a threat detection and incident response (TDIR) approach that prioritises inside-the-perimeter defences, so that even if malicious actors gain access, the threat is rapidly identified and privileges are revoked.

CISOs will need to ensure their API security strategy takes a multi-layered approach that supplements perimeter defences with application-level security. Full fidelity of APIs is necessary to isolate unknown attacks as hackers find innovative ways to remain undetected by traditional solutions.
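The point above about request-only monitoring can be shown with a small detector. This is an added example, not code from the article or from Graylog: the record fields (user, path, status, resp_owner), the sample capture and the enumeration threshold are all assumptions made for illustration.

```python
"""Request-plus-response inspection over constructed API access records.

Added example, not code from the article. Field names (user, path, status,
resp_owner) and the sample records are assumptions made for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed sample capture, one JSON object per line. A full-fidelity
# capture stores both sides: the caller and path from the request, and the
# status plus the owner of the returned record from the response.
SAMPLE_LOG = """
{"user": "u100", "path": "/v1/accounts/100", "status": 200, "resp_owner": "u100"}
{"user": "u100", "path": "/v1/accounts/100/statements", "status": 200, "resp_owner": "u100"}
{"user": "u777", "path": "/v1/accounts/101", "status": 200, "resp_owner": "u101"}
{"user": "u777", "path": "/v1/accounts/102", "status": 200, "resp_owner": "u102"}
{"user": "u777", "path": "/v1/accounts/103", "status": 403, "resp_owner": null}
{"user": "u777", "path": "/v1/accounts/104", "status": 200, "resp_owner": "u104"}
{"user": "u777", "path": "/v1/accounts/105", "status": 200, "resp_owner": "u105"}
{"user": "u200", "path": "/v1/accounts/200", "status": 200, "resp_owner": "u200"}
"""

# Hypothetical resource layout: the object ID is the first path segment
# after /v1/accounts/.
OBJECT_ID = re.compile(r"^/v1/accounts/(\d+)")


def parse_records(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def request_only_view(records):
    """What a request-only monitor sees: every call carries a valid
    authenticated user, so per-user request counts look unremarkable."""
    counts = defaultdict(int)
    for r in records:
        counts[r["user"]] += 1
    return dict(counts)


def find_cross_tenant_reads(records):
    """Successful responses whose returned record belongs to someone other
    than the caller. Only visible once responses are captured."""
    hits = defaultdict(list)
    for r in records:
        owner = r.get("resp_owner")
        if r["status"] == 200 and owner is not None and owner != r["user"]:
            hits[r["user"]].append(r["path"])
    return dict(hits)


def find_enumeration(records, min_distinct=3):
    """Callers that touch at least min_distinct distinct object IDs,
    counting denied attempts too, since 403s are part of the pattern."""
    ids = defaultdict(set)
    for r in records:
        m = OBJECT_ID.match(r["path"])
        if m:
            ids[r["user"]].add(m.group(1))
    return {u: sorted(s) for u, s in ids.items() if len(s) >= min_distinct}


def flagged_users(records, min_distinct=3):
    """Combine both signals: a caller is flagged when it enumerates objects
    and at least one response handed back another principal's record."""
    leaks = find_cross_tenant_reads(records)
    walkers = find_enumeration(records, min_distinct)
    return sorted(u for u in walkers if u in leaks)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("request-only view:", request_only_view(recs))
    print("cross-tenant reads:", find_cross_tenant_reads(recs))
    print("enumeration:", find_enumeration(recs))
    print("flagged:", flagged_users(recs))
```

In the request-only view all three callers are simply authenticated users with a handful of requests; only the response fields reveal that one of them is reading other customers' records.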

Executive buy-in

The API security market is in its infancy as the threat of API attacks has become more accentuated over the past year, which means there is a significant education gap when it comes to API security. The truth is that most organisations don’t have full visibility into their API environment or their API risk posture. API inventories are changing at an exceptionally rapid rate which makes tracking changes and risks a challenge.  

This makes it hard to communicate to budget holders and other C-suite members why they should invest in an API security solution. Getting company buy-in for API security is just as big a challenge for CISOs as defending APIs from attackers.

CISOs play a crucial role in ensuring comprehensive visibility within their API environment so that the extent of API exposure can be identified promptly and in real time. This visibility is pivotal in aligning security objectives with business goals.

By having a clear view of their APIs in real time, CISOs can accurately measure the potential business risks associated with insecure APIs. An API attack can significantly impact a company’s financial health, causing reputational damage and revenue loss due to disrupted services or the necessity to pay for data access restoration. Having real-time API visibility enables CISOs to quantify risks and strategise security measures effectively, understanding the direct implications on the company’s bottom line.

Finding the right security tool for compliance 

The General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI-DSS), and the Health Insurance Portability and Accountability Act (HIPAA) are just some of the regulations organisations must adhere to in order to protect personal data from being exposed through APIs. As organisations conduct international business, they must ensure their API security meets multiple regional regulatory frameworks.

When it comes to APIs, third-party risks are more acute due to the sensitive nature of the information APIs handle. SaaS security solutions require a lengthy and complicated process to be compliant, as data has to be filtered, redacted, and anonymised before it can be uploaded into a cloud environment. Organisations in sectors such as financial services are particularly wary of sharing data with third parties because of the potential for this data to be misused.

However, API endpoints are growing at a scale we have never seen before, and traditional on-prem solutions do not have the capacity to process such a massive amount of data. The challenge for CISOs will be to find security tools that don’t make compliance a hindrance to efficiency and operations. One option is to prioritise on-premises tools that eliminate the need to process data before it can be analysed. These tools can also be up and running within days, as there is no need to ensure data processing meets third-party risk requirements.

Shifting to a proactive approach to securing APIs

With threats of AI-powered attacks and the increasing sophistication of hackers, proactive threat hunting has become central to all TDIR strategies. CISOs will have to rethink their TDIR strategies to incorporate real-time API traffic scanning to ensure early detection of API threats. Relying on guides such as the OWASP Top 10 API Security Risks is no longer enough, as attackers can easily evade detection of known threats. CISOs should build their API security strategies on full observability of API traffic. A proactive approach to APIs will ensure that even sophisticated or insider threats are flagged as malicious traffic before they can disrupt application behaviours.

In the evolving landscape of API security in 2024, CISOs face a myriad of challenges. The exponential growth of APIs brings financial benefits but also heightens security risks, especially concerning insider threats and evolving attack methodologies. Addressing these challenges demands a multi-layered security approach, inside-the-perimeter defences, and proactive strategies to detect and respond swiftly to potential breaches. Securing executive buy-in, meeting compliance standards, and balancing security with operational efficiency are critical hurdles. Prioritising real-time API visibility and adopting proactive measures against evolving threats will be pivotal for CISOs in fortifying API security and safeguarding organisational integrity in the years ahead.

The post What do CISOs need to know about API security in 2024? appeared first on Cybersecurity Insiders.

By Richard Bird, Chief Security Officer at Traceable

In the ever-evolving landscape of cybersecurity, it’s concerning to witness a persistent rise in breaches. The underlying issue? The consistent sidelining of API security. Despite the transformative role APIs play in modern digital infrastructures, they remain an underestimated component in many security strategies. This oversight isn’t merely a lapse; it’s a gaping vulnerability. Without vigilant monitoring and robust protection, APIs become inviting gateways for adversaries seeking unauthorized access.

In 2022, the digital realm witnessed a stark reminder of this vulnerability. Twitter, rebranded as X, succumbed to an API breach, leading to the exposure of data for 5.4 million users. This incident wasn’t an isolated one. Optus, a prominent telecom entity, encountered a ransomware attack initiated through an API vulnerability. The aftermath of their decision not to pay the ransom was the compromise of data for 10 million individuals, both past and present customers.

As we navigate the latter half of 2023, the horizon remains clouded with challenges. For a brighter, more secure future, it’s imperative that we introspect, drawing insights from past API breaches.

To chart a path forward, we must dissect recent API breaches, identifying critical areas of focus that will fortify businesses against future threats.

JumpCloud

Breach Overview: JumpCloud, an enterprise software company, faced a sophisticated attack from nation-state hackers. These adversaries exploited vulnerabilities to access the system, leading JumpCloud to reset customer API keys as a precautionary measure. The breach raised concerns about the security measures in place, especially when dealing with nation-state actors who possess advanced capabilities.

Lesson: Third-party solution providers can be a significant risk vector, especially when they’re targeted by highly skilled adversaries.

Prevention: It’s crucial to conduct thorough security assessments of third-party vendors and ensure they adhere to stringent security standards. Additionally, monitoring and real-time threat detection can help in early identification of such sophisticated attacks.

T-Mobile

Breach Overview: In January 2023, T-Mobile found itself at the center of a cybersecurity storm, disclosing a data breach that impacted approximately 37 million customers. A malicious actor exploited a specific API, gaining unauthorized access. Alarmingly, this breach came on the heels of a previous incident, despite T-Mobile’s substantial investments in bolstering their cybersecurity defenses. The intruder maintained access for over six weeks, starting from late November 2022, before the breach was detected and addressed.

Lesson: Even with recent security enhancements, organizations can remain vulnerable, especially when they lack comprehensive visibility and control over their API inventory.

Prevention: Organizations should implement continuous API monitoring, adopt zero-trust policies for sensitive data access, and employ advanced threat detection mechanisms that can discern between legitimate and malicious API traffic patterns.

Cisco

Breach Overview: Cisco, a tech giant, identified a critical vulnerability in its SD-WAN vManage software. This vulnerability allowed unauthorized API access, enabling attackers to send crafted API requests, potentially retrieving or manipulating information. The issue was not just about unauthorized access but also the potential manipulation of network configurations.

Lesson: Even industry leaders can have lapses, emphasizing the importance of continuous vigilance.

Prevention: Strict access controls for APIs are essential. Organizations should also invest in automated vulnerability scanning tools and ensure that security patches are applied promptly.

Razer

Breach Overview: Razer, a renowned tech company, faced two significant security incidents. The recent one involved a potential data leak after claims of stolen source code and encryption keys. Previously, in 2020, a misconfiguration by an IT vendor left sensitive data exposed, highlighting the risks associated with third-party integrations.

Lesson: Continuous oversight and third-party integrations can introduce vulnerabilities, making it essential to have a robust security review mechanism.

Prevention: Regular security audits and third-party risk assessments are crucial. All configurations, especially those by external parties, should undergo rigorous security checks.

QuickBlox

Breach Overview: QuickBlox, a platform offering chat and video calling solutions, had critical vulnerabilities in its software development kit and APIs. These vulnerabilities could allow attackers to access and steal personal data of millions of users. The breach underscored the challenges of securing modern software architectures, especially when they are widely used across industries.

Lesson: As software architectures evolve, they can introduce new vulnerabilities if not designed with a security-first mindset.

Prevention: A security-first approach in software development is essential. Regular updates, patches, and security training for developers can help in minimizing such vulnerabilities.

The Bottom Line? Holistic Data Security is Non-Negotiable

APIs are the universal attack vector and demand our undivided attention. Their integral role in bridging various data layers makes them both invaluable and, if overlooked, perilous. A cybersecurity strategy that sidelines API security is akin to building a fortress but leaving the main gate unguarded. As we architect our future security blueprints, it’s essential to adopt a holistic approach, encompassing every facet of our digital infrastructure. And while innovation propels us forward, the wisdom gleaned from past breaches must serve as our guiding beacon, ensuring that history’s pitfalls aren’t repeated.

The post API Breaches Are Rising: To Secure the Future, We Need to Learn from the Past appeared first on Cybersecurity Insiders.

By Doug Dooley, COO, Data Theorem

The rise of cloud-native applications has revolutionized the way businesses operate, enabling them to scale rapidly and stay agile in a fast-paced digital environment. However, the increasing reliance on Application Programming Interfaces (APIs) to connect and share data between disparate systems has also brought new risks and vulnerabilities to the forefront. With every new API integration, the attack surface of an organization grows, creating new opportunities for attackers to exploit vulnerabilities and gain access to sensitive data.

This article will attempt to shed some more light on:

  • API Attack Surfaces
  • Shadow APIs
  • Zombie APIs
  • API Protection

APIs have become the backbone of modern digital ecosystems, allowing organizations to streamline operations, automate processes, and provide seamless user experiences. They are the data transporters for all cloud-based applications and services. APIs act as intermediaries between applications, enabling them to communicate with each other and exchange data. They also provide access to critical services and functionality in your cloud-based applications. If an attacker gains access to your APIs, they can easily bypass security measures and gain access to your cloud-based applications, which can result in data breaches, financial losses, and reputational damage. For hackers looking to have the best return on investment (ROI) of their time and energy for exploiting and exfiltrating data, APIs are one of the best targets available today.

It’s clear these same APIs that enable innovation, revenue, and profits also create new avenues for attackers to achieve successful data breaches for their own financial gains. As the number of APIs in use grows, so does the attack surface of an organization. According to a recent industry study by Enterprise Strategy Group (ESG) titled “Securing the API Attack Surface”, the majority (75%) of organizations typically change or update their APIs on a daily or weekly basis, creating a significant challenge for protecting the dynamic nature of API attack surfaces.

API security is critical because APIs are often a critical link in the security chain of modern applications. Developers often prioritize speed, features, functionality, and ease of use over security, which can leave APIs vulnerable to attacks. Additionally, cloud-native APIs are often exposed directly to the internet, making them accessible to anyone. This can make it easier for hackers to exploit vulnerabilities in your APIs and gain access to your cloud-based applications. As evidence, the same ESG study also revealed that almost all (92%) organizations have experienced at least one security incident related to insecure APIs in the past 12 months, while the majority of organizations (57%) have experienced multiple security incidents related to insecure APIs during the past year.

One of the biggest challenges in protecting an API environment is the proliferation of Shadow APIs. Shadow APIs are APIs that are used by developers or business units without the knowledge or approval of IT security teams. These APIs can be created by anyone with the technical knowledge to build them, and because they are not managed by the IT department they are often not subject to the same security controls and governance policies as officially sanctioned APIs.

Shadow APIs lack clarity of priority, ownership, and security policy controls. They often have a business purpose, such as supporting features in mobile and web applications, but no one is sure whether these APIs are running in production or non-production, who the clear owners are, and which security policy controls should be applied to protect them from attack. For example, a developer may create an API to streamline a workflow, or a business unit may create an API to integrate a third-party application. However, when these APIs are not properly vetted, tested, and secured, they can pose a significant risk to the organization. Shadow APIs can introduce vulnerabilities, such as unsecured endpoints, weak authentication mechanisms, and insufficient access controls, which can be exploited by attackers to gain unauthorized access to sensitive data.

Another challenge facing organizations is the emergence of Zombie APIs. Zombie APIs are APIs that are no longer in use but are still active on the network and running in the cloud. These APIs can be left over from legacy systems, previous versions of the API, or retired applications; or they may have been created by developers who have since left the organization. Zombie APIs can be particularly dangerous because they may not be monitored or secured, making them vulnerable to exploitation.

While Zombie APIs do not have a clear business purpose, they consume resources, can add an expense for organizations, and create additional attack surface. For example, a Zombie API can be an older version of an API that is no longer connected to its original application but left in place for potential backward compatibility reasons. However, over time that legacy API is forgotten, yet its underlying resources (compute, storage, databases) that fuel the API’s operations are left running without proper oversight, maintenance, and security hardening. Attackers can use these APIs to gain unauthorized access to sensitive data, bypass security controls, and launch lateral movement attacks against other systems on the network. Zombie APIs can also be used to launch Server-Side Request Forgery (SSRF) or remote code execution (RCE) attacks, which can bring down entire systems and cause significant damage to an organization’s reputation as seen with the Capital One Breach and Log4shell global exploits, respectively.

To mitigate the risks posed by Shadow and Zombie APIs, organizations must take a proactive approach to API management and security. This includes developing a comprehensive API management strategy that includes security controls, active monitoring, and reporting capabilities.

One key aspect of API management is the establishment of a centralized API inventory catalog. This catalog should include all approved APIs, along with information about their functionality, usage, and security controls. This can help IT and security teams identify Shadow APIs and Zombie APIs, as well as track and monitor API usage to ensure compliance with governance policies.
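The catalog reconciliation described above, as an added example that is not code from the article or from Data Theorem. It assumes a catalog of method/path templates with an owner and lifecycle status, a plain-text access log, and a 30-day dormancy window; all sample data is constructed. An endpoint seen in traffic but absent from the catalog is reported as shadow, a deprecated entry still answering successfully as zombie, and an active entry with no traffic in the window as dormant (a zombie candidate to review).

```python
"""Reconcile a declared API catalog against observed traffic.

Added example, not code from the article. The catalog fields, the log
format, the 30-day dormancy window and all sample data are assumptions
made for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed catalog: what the organization believes it runs.
CATALOG = [
    {"method": "GET", "template": "/v2/users/{id}", "owner": "identity", "status": "active"},
    {"method": "GET", "template": "/v1/users/{id}", "owner": "identity", "status": "deprecated"},
    {"method": "POST", "template": "/v2/orders", "owner": "commerce", "status": "active"},
    {"method": "GET", "template": "/v2/reports/{id}", "owner": "analytics", "status": "active"},
]

# Constructed gateway access log: "<ISO timestamp> <method> <path> <status>".
OBSERVED = """
2024-03-10T09:00:00Z GET /v2/users/42 200
2024-03-10T09:00:05Z GET /v1/users/42 200
2024-03-10T09:01:00Z POST /v2/orders 201
2024-03-10T09:02:00Z GET /internal/export/all 200
2024-03-10T09:02:30Z GET /internal/export/all 200
2024-02-01T12:00:00Z GET /v2/reports/7 200
"""

# Fixed "now" so the dormancy window is reproducible.
NOW = datetime(2024, 3, 11, tzinfo=timezone.utc)


def template_to_regex(template):
    """Turn '/v2/users/{id}' into a regex that matches exactly one concrete
    path: each {param} segment becomes one non-empty path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def parse_observed(text):
    """Parse log lines into (timestamp, method, path, status) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, method, path, status = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows.append((when, method, path, int(status)))
    return rows


def match_catalog(catalog, method, path):
    """Return the catalog entry covering this call, or None if undeclared."""
    for entry in catalog:
        if entry["method"] == method and template_to_regex(entry["template"]).match(path):
            return entry
    return None


def reconcile(catalog, observed, now, dormant_days=30):
    """Classify observed endpoints and catalog entries (see docstring above)."""
    shadow, zombie, last_seen = set(), set(), {}
    for ts, method, path, status in observed:
        entry = match_catalog(catalog, method, path)
        if entry is None:
            shadow.add(f"{method} {path}")          # traffic nobody declared
            continue
        key = f"{entry['method']} {entry['template']}"
        last_seen[key] = max(last_seen.get(key, ts), ts)
        if entry["status"] == "deprecated" and 200 <= status < 300:
            zombie.add(key)                         # retired on paper, live in fact
    cutoff = now - timedelta(days=dormant_days)
    dormant = set()
    for e in catalog:
        key = f"{e['method']} {e['template']}"
        seen = last_seen.get(key)
        if e["status"] == "active" and (seen is None or seen < cutoff):
            dormant.add(key)                        # declared, but idle: review it
    return {"shadow": sorted(shadow), "zombie": sorted(zombie), "dormant": sorted(dormant)}


if __name__ == "__main__":
    for kind, items in reconcile(CATALOG, parse_observed(OBSERVED), NOW).items():
        print(f"{kind}: {items}")
```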

Another important aspect of API management is the implementation of security controls. These may include encryption, access controls, authentication mechanisms, and threat detection and response capabilities. Security controls should be implemented at all layers of the API stack, from the application layer to the transport and infrastructure service layers, to ensure that APIs are protected against a wide range of attacks.

In addition, organizations should also implement scanning, observability, dynamic analysis and reporting capabilities to detect and respond to API-related threats. This may include real-time scanning of API usage, logging and run-time analysis of API activity, and alerting and reporting capabilities to notify IT and security teams of potential threats.

When it comes to securing APIs and reducing attack surfaces, the Cloud Native Application Protection Platform (CNAPP) is a newer security framework that provides security specifically for cloud-native applications by protecting them against various API attack threats. CNAPPs do three primary jobs: (1) artifact scanning in pre-production; (2) cloud configuration and posture management scanning; (3) run-time observability and dynamic analysis of applications and APIs, especially in production environments. With CNAPP scanning pre-production and production environments, an inventory list of all APIs and software assets is generated. If the dynamically generated inventory of cloud assets has APIs connected to them, Shadow or Zombie APIs can be discovered. As a result, CNAPPs help to identify these dangerous classes of APIs and help to add layers of protection to prevent them from causing harm and exposure from vulnerable API attack surfaces.

Ultimately, the key to managing the risks posed by expanding API attack surfaces with Shadow and Zombie APIs is to take a proactive approach to API management and security. When it comes to cloud security, CNAPP is well suited for organizations with cloud-native applications, microservices, and APIs that require application-level security. API security is a must-have when building out cloud-native applications, and CNAPP offers an effective approach for protecting expanding API attack surfaces, including those caused by Shadow and Zombie APIs.

The post Shadow APIs and Zombie APIs are Common in Every Organizations’ Growing API Attack Surface appeared first on Cybersecurity Insiders.

In the world of cybersecurity, change is the only constant. This reality is once again affirmed in a recent interview with Andy Grolnick, the CEO of Graylog, a leading SIEM and log management solutions provider, who has shared some exciting news regarding the future of API security. Andy, who has been at the forefront of innovation in cybersecurity, announced Graylog had acquired Resurface.io’s API security solution that will be integrated with Graylog’s SIEM platform. With this acquisition, Graylog introduced a new product, Graylog API Security, focused on continuous API threat detection and incident response.

Why the Acquisition Matters

The acquisition of Resurface.io by Graylog signifies an important turning point in the field of API security. When Resurface.io was founded, the central thesis was that web and API security brought unique requirements necessitating purpose-built data systems. As Andy remarked, “Using solutions like Elastic or Splunk at scale for API monitoring is prohibitively complex and expensive. Using Hadoop or Kafka requires an army of security professionals to run at any scale.” Consequently, the acquisition is a strategic step towards addressing these challenges in an increasingly interconnected digital world and making API security affordable, integrated and automated.

Understanding the Importance of API Security

The digital world is becoming increasingly dependent on APIs, and with this reliance comes a new set of vulnerabilities and security risks. As Andy highlighted, “The stakes for API security in 2023 are terrifically high.” In fact, he revealed that “70% of API traffic is malicious,” and “half of APIs are unmanaged.” With this acquisition, there’s a sense of urgency to provide a robust, efficient, and scalable solution for API security.

Graylog API Security: A New Chapter in API Monitoring

Firewalls and gateways are no longer enough. Attackers can appear as users and penetrate the perimeter. Internal users and partners, for example, bypass firewalls and can directly access microservices without inspection. In order to address these concerns, Graylog API Security offers a comprehensive API monitoring and security solution. Like a “security analyst in-a-box,” Graylog API Security is built to automate API security by continuously scanning all API traffic at runtime, thus identifying and alerting on zero-day attacks and threats before they reach applications.

Graylog API Security captures complete request and response details, creating a readily accessible datastore for attack detection, fast triage, and threat intelligence. Furthermore, its alert system works with common communication tools like Slack, Teams, Gchat, JIRA or via webhooks, thereby reducing alert fatigue.

With the advent of Graylog API Security, the vision of creating a safer, more secure API landscape is closer than ever. Users interested in getting an in-depth understanding of this new platform can attend the Graylog GO user conference scheduled for October 4-5. It’s clear that the Graylog and Resurface.io teams are excited to guide the community into a new era of robust API security.

Watch a Graylog product demo: https://youtu.be/ZimbvmShtv8

The post Reshaping the API Security Landscape: Graylog Acquires Resurface appeared first on Cybersecurity Insiders.