Home Features API Security: An Emerging CISO Pain Point

API Security: An Emerging CISO Pain Point

With the increase in API usage, API attacks are also becoming more and more prolific. Many CISOs realize their API security needs a reality check.

SHARE
application security, API, API Security

The API economy is no stranger to many of us. Without two applications or databases communicating and sharing data through APIs, the digital experiences we have grown accustomed to, such as getting a text message when your Uber has arrived, are not possible. Building a business that relies on APIs has brought success to many companies.

By Umesh Padval, Venture Partner, Thomvest Ventures

Because APIs are becoming increasingly valuable to businesses, the usage of APIs has reached an all-time high. In the 2020 State of API Survey by Postman, 84.5% of participants stated that APIs are playing a significant role in digital transformation initiatives. What’s even more interesting is that a third (30.6%) of the survey respondents said that APIs played a role in their ability to respond to COVID-19. If we look at the historic data, there is a clear uptick in enterprise API adoption. In the 2019 Gartner API Usage and Strategy Survey, 98% of participating respondents either use APIs now, are implementing APIs, or plan to use APIs in the coming year. This trend, including the growth of APIs since 2018, is shown in Figure 1.

While internal APIs are common at many technology-driven organizations, external/public-facing API use is on the rise. According to ProgrammableWeb, the largest and most complete Web API directory, there are over 24,000 active Web APIs in June 2021. In comparison, there were less than 2,000 a decade ago.

Gartner API Usage and Strategy Survey

With the increase in API usage, API attacks are also becoming more and more prolific. Many CISOs realize their API security needs a reality check. As businesses use APIs to establish more connectivity and transfer data, API cyberattacks often lead to data breaches, where sensitive medical, financial, and personal data are exposed. For example, in March 2020, hackers used insecure APIs behind the website findadoctor.com to scrape information on 1.4 million doctors in the U.S. It turned into a disaster for doctors and healthcare staff who were busy saving lives amid the pandemic. Other large organizations such as Instagram, Venmo, USPS, Capital One and Gitlab, have also experienced various attacks that were linked to broken, insecure, or exposed APIs during recent years.

In fact, Gartner predicts that the application security market will grow to $3.7B by the end of 2021, which is a 12.2% increase compared to 2020. It is also predicted by Gartner, that by 2022, API attacks will become the most frequent attack vector for enterprise web applications. As a result, API security is going to be a large enterprise pain point.  

Developers have several options to build APIs today and can choose from older protocols like SOAP, which are based on XML format to current API standards like REST, which utilizes lightweight JSON format. Over the last few years, newer protocols like GraphQL (built by Facebook) and gRPC (built by Google) have also emerged as dependable alternatives. For security practitioners, developing a deep understanding of these protocols and how application requests get fulfilled is critical. The modern microservices interact with each other and with other 3rd party providers using well-defined API call structures. Consider a request sent to an IP-addressable API endpoint to fetch the bank account details of a customer. This request might have some visible parameters (called GET parameter in REST APIs) like user_id, name, and hidden parameters (called POST parameter in REST APIs) like password, last 4 digits of social security, etc.

Such a request goes through a gatekeeper called API Gateway and then gets routed to the internal servers where that particular data is stored. After that, some query on the backend fetches that data from datastores and the response is sent back. In this end-to-end process, there are multiple attack vectors that web applications need to be protected from like high frequency of API calls, access to unauthorized data, SQL injection attacks, and others including the OWASP top 10.

Through our conversations with CISOs, we heard six pain points they’re experiencing protecting their APIs. The first is detecting API threats. Enterprises don’t know the full inventory of their APIs. Unmonitored “shadow APIs” are the source of increasing security risks and governance challenges. The second pain point is related to enforcing a protection perimeter. Modern application architecture trends (e.g., mobile access, microservice, hybrid cloud) complicate API security. There is rarely a single “gateway” to enforce protection. The third pain point is end-to-end API traffic tracing. Widespread use of internal APIs adds the requirement to secure internal usage (“east-west” API traffic) to the requirement to secure usage coming from outside the organization (“north-south” API traffic).

The fourth pain point that CISOs experience protecting their APIs is the number of manual security configurations needed for each added API. Related to the fourth pain point, CISOs also have to deal with a large amount of change management for new APIs. New APIs are deployed at a very fast rate without proper documentation, governance, and change control. Finally, the sometimes-fractured relationship between DevOps and Security is a major pain point. 30% of APIs were deployed without input from IT security due to the lack of collaboration between DevOps and Security teams.

We expect that enterprises will increase budget allocation to protect their APIs in the upcoming years. From ML/AL to behavioral analytics, API security vendors are developing differentiated technology to address API security concerns. Through monitoring API traffic, vendors help enterprises identify abnormal API usage, potential threats and recommend policy enforcements before any attacks. While API security vendors have an edge in offering API protection solutions today, they will face increasing competition from “API security as a feature” offerings from players in other cybersecurity categories such as web application firewall, identity and access management, as well as API management.

Overall, the surge in API traffic in recent years made API security one of the top security concerns for enterprise CISOs. As a result, it represents one of the fastest-growing markets within cybersecurity, and startups are innovating swiftly to maintain their edge and capture this market. We believe winners in API security will be companies capable of expanding API security features to a broader security platform.


About the Author

Umesh Padval is a Venture Partner at Thomvest Ventures focused on investments in the cybersecurity and cloud infrastructure sectors partnering with founders and CEOs of companies developing disruptive platforms solving key pain points for CIO and CISOs. He currently serves as a Board Member at Avalanche Technology, Bolster, ShiftLeft, and Tactus Technology and Impinj(public) and as a Board Observer at Clari. He is also an investor in Baffle and Harness. Umesh has served on over 30 public and private company boards, bringing extensive operating experience and skill set valued by CEOs and founders.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.