The Rising Risks and Opportunities in API Security

Hackers used to need real technical knowledge to propagate and attack; now they can learn how to hack an API over a weekend.

By Tom Smith, DZone Core · Aug. 18, 23 · Opinion

APIs are the digital fabric connecting companies, partners, and customers. But increased reliance on APIs also introduces new security risks. I recently spoke with Michelle McLean, VP of Marketing at API security provider Salt Security, during Black Hat 2023 about the current challenges and future outlook for API security.

McLean says API awareness has grown due to high-profile breaches like the Optus leak in Australia. Such incidents underscore that APIs are an easy yet lucrative target. Attackers increasingly focus on APIs to steal valuable data, carry out fraud, and more.

At the same time, companies do more via APIs than ever before. The sensitive information and capabilities exposed by APIs continue to grow. And the nature of API attacks is evolving rapidly as hackers take advantage of new opportunities.

For developers, McLean emphasizes that API security should not fall solely on their shoulders. It’s unrealistic to expect developers to fully secure APIs while also pushing out features and new capabilities quickly. However, developers do need to understand how API attacks have changed. Resources like the OWASP API Top 10 outline many of today’s most common API risks.

For security teams, McLean advises treating API security as a distinct discipline with a dedicated focus. Trying to lump it in with other security efforts will likely leave gaps. Organizations need robust API monitoring and analytics to detect anomalous activity based on API traffic patterns and payloads.

Machine learning and AI are essential for making sense of API activity at cloud scale. The key is correlating events across API calls to understand intent, not just spotting a single anomaly in isolation. Over time, refined AI models can take on more of the workload as they build confidence through exposure to different attacks.

One area where McLean sees increasing API misuse is competitor price scraping: attackers scrape pricing data via APIs and then exploit discrepancies across regions or retailers. Financial services is another sector using API analytics for fraud detection, analyzing transaction patterns across calls.
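The two points above, correlating calls rather than judging each in isolation and spotting price scraping, can be illustrated with a small detector over API access logs. This is an added example written for this article, not code from Salt Security or the author; the log format, the `/api/v1/products/{id}/price` route and the thresholds are assumptions, and the log lines are constructed.

```python
# Added example: per-client correlation of API calls to flag pricing enumeration.
# No single request below is suspicious; only the sequence per client key is.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: timestamp, API key, method, path, status.
SAMPLE_LOG = """\
2023-08-14T10:00:01Z key=shop-app GET /api/v1/products/1042/price 200
2023-08-14T10:00:09Z key=shop-app GET /api/v1/cart 200
2023-08-14T10:00:20Z key=shop-app GET /api/v1/products/3310/price 200
2023-08-14T10:01:00Z key=ext-7f3a GET /api/v1/products/1000/price 200
2023-08-14T10:01:01Z key=ext-7f3a GET /api/v1/products/1001/price 200
2023-08-14T10:01:02Z key=ext-7f3a GET /api/v1/products/1002/price 200
2023-08-14T10:01:03Z key=ext-7f3a GET /api/v1/products/1003/price 200
2023-08-14T10:01:04Z key=ext-7f3a GET /api/v1/products/1004/price 200
2023-08-14T10:01:05Z key=ext-7f3a GET /api/v1/products/1005/price 404
"""

LINE_RE = re.compile(r"^(\S+) key=(\S+) (\S+) (\S+) (\d{3})$")
PRICE_RE = re.compile(r"^/api/v1/products/(\d+)/price$")  # assumed route shape

def parse_log(text):
    """Yield (timestamp, client_key, product_id_or_None) per log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        price = PRICE_RE.match(m.group(4))
        # 404s are kept on purpose: probing non-existent ids is part of the pattern.
        yield ts, m.group(2), int(price.group(1)) if price else None

def flag_price_enumeration(text, window_s=60, min_ids=5, min_share=0.8):
    """Correlate each client's calls in a sliding window and flag a client whose
    window holds many distinct product ids, mostly consecutive, and is dominated
    by price lookups. Returns {client_key: evidence} for flagged clients."""
    per_client = defaultdict(list)
    for ts, client, pid in parse_log(text):
        per_client[client].append((ts, pid))
    findings = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e[0])
        for start, _ in events:
            window = [e for e in events if 0 <= (e[0] - start).total_seconds() <= window_s]
            ids = sorted({pid for _, pid in window if pid is not None})
            if len(ids) < min_ids:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            share = sum(1 for _, pid in window if pid is not None) / len(window)
            if steps >= min_ids - 1 and share >= min_share:
                findings[client] = {"distinct_ids": len(ids), "sequential_steps": steps,
                                    "price_share": round(share, 2)}
                break
    return findings
```

The ordinary shopper key stays clean while the enumerating key is flagged with the evidence (distinct ids, sequential steps, share of price calls) that an analyst or a downstream model would want to see.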

Overall, McLean observes that poor API security is an emerging board-level risk. Recent incidents led to new regulations in Australia. She expects an inflection point soon, where enterprises consider API security indispensable, much like identity management.

Developers should focus on building securely without trying to own the entire API security function, and should learn how API attacks differ from traditional web app exploits. Security leaders should take API protection seriously, with dedicated resources and AI-enhanced analytics. Avoid becoming the next API breach headline when solutions are readily available.

Key Takeaways

Here are some of the key API security takeaways for developers and security professionals:

  • API security should not fall solely on developers; it requires dedicated focus from security teams.
  • However, developers need awareness of how API attacks differ from traditional web exploits. Resources like the OWASP API Top 10 can help.
  • Security teams need robust API monitoring, not just testing APIs pre-production. This includes AI and analytics to detect anomalies.
  • Correlating API events is crucial to understand attacker intent, not just spotting isolated anomalies.
  • Financial services and retail sectors are using API analytics for things like fraud detection and combating price scraping.
  • Poor API security is an emerging board-level risk; treat it as a priority now before you end up in the headlines.
  • Competitor scraping of pricing data via APIs is an increasing threat vector to watch out for.
  • Refined AI models will take on more of the workload over time as confidence in their accuracy builds through training.
  • Don't try to lump API security under broader initiatives; give it dedicated focus and resources.

In summary, both developers and security teams need to prioritize API security as a distinct discipline and evolve their approaches to address new API threats.
