Organizations Increase Attack Surface by Changing APIs Too Often

By Greg Tavarez May 08, 2023

When it comes to the components of modern software development, three letters usually pop up – API. Application programming interfaces are essential because they enable developers to build complex applications quickly by integrating with external services and systems.




The downside? APIs expose data and functionality, meaning new security risks and vulnerabilities emerge. So, then come the malicious actors with their virtual burglar masks on, looking for ways to enter any unlocked cyber doors and windows to gain access to sensitive data, compromise systems and carry out attacks such as DoS and injection attacks.

That is why it is important for organizations to implement robust security measures to secure their APIs. This can be authentication and authorization mechanisms to ensure that only authorized users and applications can access the API, encryption to protect data in transit, rate limiting to prevent excessive API usage, and monitoring to detect and respond to potential security breaches.

Sounds simple enough. Make sure those cyber doors and windows are always locked, right?

That is not quite the case though. In fact, organizations make API security more difficult than it should be. According to a Data Theorem report (in partnership with Enterprise Strategy Group), 75% of organizations change or update their APIs on a daily or weekly basis, creating a significant challenge for protecting the changing API attack surface. As a result, the majority of organizations experienced at least one security incident related to insecure APIs in the last 12 months, while 57% of organizations experienced multiple security incidents related to insecure APIs during the past year.

Melinda Marks, senior analyst for Enterprise Strategy Group, says that it is not surprising to see organizations experiencing API-related security incidents.

“Modern development cycles bring faster, more frequent product releases and updates, and the growing number of APIs that change on a daily and weekly basis make it imperative to address the changing attack surface,” said Marks. “This rapid rate of change also creates shadow APIs and zombie APIs, which can be hackers’ favorite APIs to exploit because organizations often do not know about them.”

To address these API security concerns, the study found that almost half of the organizations look to increase their spending on API security tools. Obviously, this makes sense. Organizations should increase spending on API security tools to protect against data breaches, comply with regulations, mitigate third-party risks, monitor and prevent API-related attacks as well as future-proof their systems against emerging security threats.

Organizations are also taking the initiative to spend more on cloud-native application protection platforms. This is good to see because doing this protects against cloud-based threats, meets compliance requirements, simplifies security management, integrates with DevOps processes and provides a cost-effective solution for securing cloud-based applications.

“API and cloud-native security remains a critical issue for organizations today,” said Doug Dooley, Data Theorem's Chief Operating Officer. “The good news the research shows is that two security approaches – API security tools and CNAPPs – appear to be the most promising options to help organizations reduce their vulnerabilities to attack, and organizations are taking action over the next 12-18 months to best secure their applications and data.”

One company that is in a prime position to help organizations looking to act is Data Theorem. Data Theorem offers a comprehensive application security portfolio to protect organizations from data breaches, covering modern web frameworks, API-driven microservices and cloud resources.

Data Theorem is a pioneer in providing a full-stack application security analyzer, covering the client layers found in mobile and web, the network layers found in APIs and the infrastructure layers found in cloud services.




Edited by Alex Passett