Is Your Business Balancing API Productivity Gains with Risk Mitigation?

APIs are a critical component of any digital business, sharing information between various software solutions and streamlining and improving business productivity through system integration. They allow modularity in development projects, increase the scalability of the business and in theory should enhance your software security.

API security breaches have become increasingly common in recent years, with the rising popularity of APIs and the growing number of API integrations in software applications. The frequency of API security breaches varies depending on the industry, the type of API, and the level of security measures in place.

According to the 2021 Verizon Data Breach Investigations Report [1], web application attacks, which often involve APIs, accounted for 39% of all breaches, and the most common motive for these breaches was financial gain. The 2022 Verizon report [2] again found web application attacks to be the overwhelmingly dominant pattern (81%) and financial gain the dominant motive (78%) in the incidents it researched: a clear demonstration of growth, and of the opportunity bad actors assume is there.

The 2022 State of the API Report by Salt Security [3] found that in the 12 months since its 2021 report, Salt customers experienced an increase of 117% in API attack traffic, alongside an increase of 168% in overall API traffic. This builds upon the 2021 data, in which 91% of respondents reported experiencing at least one API security incident in the prior 12 months, with an average of 2.7 incidents per organisation. Attacks increased by 30% between 2021 and 2022 for Salt customers, with 34% of customers experiencing more than 100 attempted attacks per month.

Overall, security breaches are a significant concern for organisations that use APIs to exchange data and communicate with external systems. It is essential to implement robust security measures such as access controls, encryption, and regular security testing to mitigate the risk of API security breaches.

Beyond what should be key considerations like authentication, transmission, traffic volume and authorisation, there are other important variables and activities to consider and enact when building, configuring and maintaining system APIs. Authentication methods should be determined based on the type and sophistication of the user base. With a variety of authentication options available, such as JWT, OAuth, SAML and API keys, understanding the characteristics and technological capabilities of the user base should be a critical consideration when defining an effective security architecture and strategy. Without that consideration and effective internal upskilling, the choice of authentication method can expose an organisation to a relatively easy breach through social engineering or poor cybersecurity hygiene.

The characteristics of the transmitted data and the transmission method also shape the risk profile of a security breach. Prior to the development of any API, understanding the volumes of data, how and where the transmitted data is sourced, and how errors in the query and response strings are handled helps to identify the actions needed to close off potential avenues for malicious activity. A plan for monitoring and logging all API traffic, together with regular security review, testing and updating, is a crucial component of an effective security architecture design.

Business software solutions or digital business tools that transmit confidential, private or critical data require a security-minded technology team. The last three years of the IBM Cost of a Data Breach Reports have demonstrated per-record cost growth from $146 USD in 2020 [6] to $160 USD in 2021 [5] and to $164 USD in 2022 [4], approximately a 12% increase in cost over the last two years. It is important to note that the cost calculations are centred on the cost of recovery, rectification and remediation; they do not address the cost of lost reputation. Those indirect costs can have a long-lasting impact on business reputation and future performance.

The only real way to protect an organisation is to implement strong and regular security testing and practices on transmitted data. Transmitted business data requires the same care and due diligence as stored customer or business data, and maintaining and protecting it is critical for every solution leveraging an API. Key testing activities such as manual testing, automated testing, fuzzing, penetration testing, vulnerability scanning and code review should be regularly scheduled. Security logs should be monitored for changes or anomalies. Budgeting for and utilising external testing resources increases security coverage through an unbiased perspective, subject matter and compliance expertise, and the minimisation of human issues such as limited resourcing, blind spots and overconfidence.
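The two paragraphs above call for logging all API traffic and monitoring the security logs for anomalies, without saying what such monitoring looks like in practice. The following is an added example, not code from the original post or from any vendor named in it. It assumes a constructed access-log format of `timestamp client_ip method path status` (one request per line) and constructed thresholds; a real deployment would take these from the gateway's log format and its own traffic baseline. It flags two patterns a defender would want surfaced: a burst of 401/403 responses from one client (repeated authentication failures) and a burst of requests from one client against one endpoint family, with numeric path segments collapsed so that walking through sequential object IDs is counted as one endpoint.

```python
"""Anomaly triage over API access logs (added example; constructed data and thresholds)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_FAILURE_STATUSES = {401, 403}
NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def constructed_sample():
    """Build a small, constructed log: one client failing login repeatedly,
    one client enumerating order IDs, and a little ordinary traffic."""
    base = datetime(2023, 3, 1, 10, 0, 0)
    lines = []
    # Six failed logins in six seconds, then a success, from one client (constructed).
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z 203.0.113.7 POST /v1/login 401")
    lines.append(f"{(base + timedelta(seconds=6)).isoformat()}Z 203.0.113.7 POST /v1/login 200")
    # Thirty requests in thirty seconds walking sequential order IDs (constructed).
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=10 + i)).isoformat()}Z 198.51.100.4 GET /v1/orders/{1000 + i} 200")
    # Ordinary traffic: one lookup and one isolated failed login (constructed).
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()}Z 192.0.2.9 GET /v1/customers/7 200")
    lines.append(f"{(base + timedelta(minutes=6)).isoformat()}Z 192.0.2.9 POST /v1/login 401")
    return "\n".join(lines)


def normalize_path(path):
    """Collapse numeric path segments so /v1/orders/42 and /v1/orders/43 count as one endpoint."""
    return NUMERIC_SEGMENT.sub("/{id}", path)


def parse_log(text):
    """Parse 'timestamp client_ip method path status' lines into dicts; blank and # lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, method, path, status = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "path": path,
            "status": int(status),
        })
    return records


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any interval of length `window` (sliding window)."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def auth_failure_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Clients with at least `threshold` 401/403 responses inside any `window`. Returns {client: count}."""
    by_client = defaultdict(list)
    for r in records:
        if r["status"] in AUTH_FAILURE_STATUSES:
            by_client[r["client"]].append(r["ts"])
    hits = {}
    for client, ts in by_client.items():
        n = max_in_window(ts, window)
        if n >= threshold:
            hits[client] = n
    return hits


def rate_spikes(records, window=timedelta(seconds=60), threshold=20):
    """(client, normalized path) pairs with at least `threshold` requests inside any `window`."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], normalize_path(r["path"]))].append(r["ts"])
    hits = {}
    for key, ts in by_key.items():
        n = max_in_window(ts, window)
        if n >= threshold:
            hits[key] = n
    return hits


if __name__ == "__main__":
    recs = parse_log(constructed_sample())
    print("auth failure bursts:", auth_failure_bursts(recs))
    print("rate spikes:", rate_spikes(recs))
```

The thresholds (five authentication failures or twenty requests per endpoint family per minute) are placeholders; the useful part of the exercise is that the gateway log already contains the fields needed to answer both questions, so the monitoring plan the text asks for reduces to keeping those fields, keying on client and normalised endpoint, and reviewing what trips the thresholds.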

Treating transmitted and stored customer and business data with the same diligence as revenue driving activities delivers a 360 degree positive experience for customers and is an opportunity to lead competitors in total customer experience.


References

[1] Verizon: 2021 Data Breach Investigations Report (DBIR)

[2] Verizon: 2022 Data Breach Investigations Report (DBIR) (requires free sign-up)

[3] Salt Security: State of API Security Report Q3 2022 (requires free sign-up)

[4] IBM: Cost of a Data Breach Report 2022 (requires free sign-up)

[5] IBM: Cost of a Data Breach Report 2021

[6] IBM: Cost of a Data Breach Report 2020
