74% of organizations are now API-first
How point solutions have created greater vulnerability
In late 2022, T-Mobile experienced a data breach of 37 million customer accounts because of an exploited API. This breach and others affecting T-Mobile resulted in a $31.5 million settlement with the Federal Communications Commission (FCC). Many other companies are experiencing API attacks that can lead to fraud through account takeovers and theft of credit card information.
The use of application programming interfaces (APIs) for software development is rising fast. This trend is helping to accelerate innovation, but it is also creating new risks for enterprises.
Increasingly, APIs are used to streamline the integration of new features, functions, and data sources into software — including the large language models (LLMs) used for generative AI. A report from API collaboration platform provider Postman found that 74% of survey respondents were API-first organizations in 2024, up from 66% the previous year. Gartner reports that more than 80% of survey respondents are using APIs internally while just over 70% are also using third-party APIs, such as the APIs provided by SaaS vendors.
Unfortunately, using APIs to connect software with new capabilities and data sources also expands an organization’s attack surface. APIs have been subject to a full range of attacks, including zero-day exploits, distributed denial-of-service (DDoS) attacks, authentication abuse, and more.
What are the most important API risks? How can your organization address those risks, so you can continue to maximize the benefits of APIs?
Understanding API security risks and limitations of existing solutions
For attackers, APIs are a prime target. Many attackers correctly recognize that organizations often rapidly adopt new APIs without implementing adequate security.
These attackers are finding multiple ways to take advantage of API vulnerabilities. Many capitalize on the authorization and authentication weaknesses that are among the top API security risks. These risks are even more critical for APIs than for web and mobile apps: APIs can carry sensitive and dynamic information that cannot be hard-coded or left in clear text, as it can be with a web or mobile app. When APIs lack authentication or have overly permissive authorization policies, they are vulnerable to broken object-level authorization (BOLA) attacks, which can lead to unauthorized data access.
Other attackers launch DDoS attacks, sending an overwhelming number of requests to APIs that lack limits on requests. When attackers succeed with BOLA, DDoS, or other attacks, they might be able to access a range of user data that flows through the API, such as credit card information, healthcare information, or other personally identifiable information (PII).
Organizations often use traditional web application firewall (WAF) rules to protect API traffic. However, the “negative” security model used by these solutions, which blocks only known threats, is inadequate for catching many modern, API-specific attacks. Meanwhile, too many organizations implement a patchwork of point solutions for app and API security, leaving gaps in coverage while adding significant management complexity.
Combating risks with a multi-faceted enterprise API security strategy
Eliminating vulnerabilities and stopping the full range of API-specific attacks requires a multi-faceted enterprise API strategy. Teams need to implement best practices to better understand what APIs they are using across the enterprise, then pinpoint vulnerabilities, block malicious traffic, protect data, and streamline management.
Increase visibility: It’s difficult to protect something if you don’t know it exists. Yet many IT and security teams do not have full accounting or visibility into the APIs in use across the organization. According to a recent analysis of API calls and HTTP requests, organizations had 33% more public-facing API endpoints than they realized.
API discovery is an important first step in safeguarding these essential components. Inventorying internal and third-party APIs can help you eliminate “shadow API” usage and start building a cohesive API security strategy.
At the same time, API discovery can help improve development efficiency by unearthing pre-existing, pre-built functionality. Building a catalog of APIs will enable developers to easily find and incorporate the functionality they need — and avoid writing code for capabilities already covered by APIs.Tap into machine learning: API discovery does not have to be a tedious manual process. Services that use machine learning can scan for API traffic that might be otherwise unaccounted for.
Machine learning can also improve API protection. In particular, you can use a machine learning–based service to detect attacks that might be executed only slowly over time. These attacks are designed to evade tools that identify volumetric techniques.Identify your API risk posture: Once you better understand what APIs your organization is using, you need to identify their potential risks. Of course, spotting potential issues — and then addressing them — can seem overwhelming, especially if your organization is new to API security. Implementing the right API security tool can help teams pinpoint authentication misconfigurations, sensitive data leak risks, BOLA attack vulnerabilities, and more. It can then recommend controls and policies to improve your security posture.
Create a positive security model: To better protect APIs, organizations should move past negative security models that block only known threats. Implementing a “positive” security model can catch more malicious traffic. You can accept only traffic that conforms to your OpenAPI schemas while blocking all other requests.
Implement data loss prevention: An API strategy must stop the leak of sensitive data that can be exchanged through APIs. Taking a proactive approach is best. Continuously scanning response payloads for sensitive data can help you identify and prevent attempts at data exfiltration.
Consolidate API tools: Adopting multiple APIs offers an effective means for developers to rapidly augment app capabilities — but it also adds complexity to already-complex IT environments. By consolidating tools to build apps, enhance performance, and strengthen security, you can improve visibility and regain control over your IT environment.
A connectivity cloud can provide a unified platform that enables you to handle API discovery, application development, performance optimization, and security without having to navigate multiple-point solutions. With a unified platform, you can better integrate security into the development process, establishing stronger DevSecOps workflows that address potential security issues early in the development process and remove obstacles to the swift delivery of new features.
Moving forward in an API world
Whether you are leading an API-first enterprise or adopting APIs on a case-by-case basis to accelerate innovative development, protecting these essential interfaces should be a high priority. Attackers have made it clear that they see APIs as vulnerable targets. Constructing the right enterprise security API strategy can help you address vulnerabilities without adding the management complexity that multiple-point solutions can create.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Dive deeper into this topic.
Learn more about safeguarding APIs in the CISO's Guide to API Security ebook.
Key takeaways
After reading this article you will be able to understand:
Primary vulnerabilities for the APIs that are key for accelerating innovation
Limitations of existing security strategies
How to eliminate vulnerabilities and better detect threats with API security best practices