The Problem of API Security and How To Fix It

Driven by digital transformation, organisations are rapidly adopting API gateways. Over 90% are using or evaluating an API gateway and 85% have an API management program in place specifically to increase collaboration and reuse – and with good reason, as API gateways are foundational for success. 

A hugely valuable tool for businesses in every sector, APIs promote collaboration and partnership, and enable DevOps teams to free themselves from restrictive legacy architecture models in favour of a ‘mashup mentality’. Over half (45%) of companies use API gateways to ensure “service reliability” – at large enterprises, this increases to 59%.

However, Gartner reports roughly 50% of all APIs in customer organisations are unmanaged. A major blind spot and a huge obstacle for security teams who are struggling as the expansion of highly distributed compute environments are vastly outpacing the ability to secure them. With European Cybersecurity Month upon us, the time is ripe for CISOs to tackle the challenges associated with APIs, and successfully secure them.

API gateways: Behind the hype

Although API traffic is growing exponentially, adoption is by far outpacing security. In 2017, Gartner predicted APIs as the number one attack vector by 2022 – a prediction which was revised in late 2021 as the landscape exploded far beyond expectations. 

As a result, the modern enterprise is starting to change; 85% of organisations are now working to update their apps to microservices-centric, API-based environments. Businesses now expect microservices to become more portable and scalable than they ever have before. This evolution is putting architecture at risk and materially changing what our attack surfaces look like. To improve security and visibility across API and mesh architectures, organisations are turning to governance tools, such as modern API gateways, that enable policies to be enforced consistently. 

Seamlessly integrating with DevOps/GitOps workflows, modern API gateways enable developers and operators to use declarative CRDs (Custom Resource Definition), usually as part of a DevOps/GitOps process, to manage traffic, implement security policy, and configure observability. In addition, requirements for dynamic updates without restarts, canary deployments, and federated configurations are natively part of the product. DevOps teams can now deploy and manage an API gateway, often in concert with a service mesh, to programmatically manage application networking eliminating the need to separately access and manage individual resources and services. 

Exploiting APIs’ glaring insecurities

API and endpoint development is rapid and iterative in nature, meaning that code is routinely updated several times a week, frequently multiple times per day – manual API security testing is, therefore, a difficult task. With the adoption of APIs accelerating, security is somewhat lagging behind. 

In addition to this, traditional defences can’t protect businesses from this new attack vector. API attacks tend to be logic-based for which traditional defences just aren’t a match. For example, rules-based systems like WAFs (Web Application Firewalls), gateways monitoring traditional threats, and legacy code scanning systems that cannot chain together paths used in logic-based attacks, are unable to protect against this new attack vector.

A prime example of this is the removal of user records from the Facebook mobile app. Tens of millions of data were taken and the attacker didn’t even need to crack encryption keys, hack a password, or attempt any SQL injection. The assailant made use of the API logic. This wasn’t really a ‘hack’, more an exploitation of an API.

With around half of all APIs in customer organisations unmanaged this is a fairly new, but widespread, problem. Just 11% of organisations have a full-blown API security program and things are changing so quickly that Gartner modified its reference architecture to include API security as a dedicated layer in the stack.

Fixing vulnerabilities with visibility, analysis and simulation

Thankfully, there are a variety of ways to combat the API security problem:

• Improving visibility across the stack: Critical to securing APIs is gaining proper visibility of traffic, starting with analysis and inspection. By observing traffic, we can watch what’s going on within the stack to stay on top of vulnerabilities. But it’s not enough to just observe traffic, it’s vital to go beyond this into the code.
  
• Analysing code: Not only does code analysis enable standard testing for API vulnerabilities, but it also provides a useful lens through which to view APIs and endpoints from third parties that are being called from the code base. For larger enterprises with distributed teams, applying different lenses to data is key to closing security blind spots.
  
• Simulating attacks: How better to understand hidden vulnerabilities than to simulate an attack against your APIs and endpoints? Not only does it expose areas of security risk, but also helps to eliminate false positives. So your security or DevOps team don’t start issuing a flurry of remediation requests.

Utilising APIs securely and effectively

Microservices-based frameworks are the future for organisations, and application teams are looking to API gateways to mitigate complex authentication and authorisation procedures inherent to this new architecture. In this day and age, it would be tricky to find an organisation not using API gateways, and with the landscape constantly evolving, it pays off to think about the long-term plan before selecting an API gateway.

Modern API Gateways enable teams to secure web applications and offer additional defences to prevent API abuse and block common threats. Such Gateways can also be used to expose threats in legacy VMs and bare metal – particularly important for many of the core datacentre systems still relied upon by some of the largest companies.

The best way to ensure better security, innovation and app scalability is by leveraging a service mesh and an API gateway together. Service meshes initially emerged as a way to manage APIs at scale instead of relying on proxy software or an API gateway alone. Now, service mesh is fundamentally changing the way IT is managed – with nearly half of all companies using a service mesh to handle service-to-service communication, security and observability, and 38% evaluating a service mesh for use. API gateways based on Envoy make service mesh much easier to adopt – therefore providing the capability needed to manage the complex modern, API-centric business. Adopting Kubernetes and Istio, in particular, can make the challenge of digital transformation hugely simpler for the modern enterprise.