API-First Strategies Require API-First Security

API security concept; Arrows pointing to a Post It with API Security written on it

Editor's note: This post was originally published in July 2021 in ToolBox.

Back in 2017, Gartner predicted that API abuse would be the most frequent attack vector for data breaches by 2022. Two years later, when exposed APIs already made up 40% of the attack surface for web-enabled applications, the research and advisory company estimated that figure to soar to 90% by 2021. 

And based on a Q1 2021 State of API Security study from API security company Salt Security, it does look like we’ll simply hurtle past all those predicted milestones.  

Here’s the low-down on the key findings of the study, compiled from survey data from security, application, and DevOps professionals and anonymized, aggregated data from the firm’s API security platform. 

Of the survey respondents, 91% suffered an API security incident over the previous 12 months. Over the same period, the platform data showed that not a single customer experienced zero attacks (though every attack was foiled), with more than half being subject to an average of 10 to 50 attacks per month. 

API traffic has been growing exponentially over the years. For instance, Google Cloud's Apigee API Platform registered 2.21 trillion calls last year, an annual increase of nearly 50% that parallels growth in API call volumes on the Salt platform.

Applications Powered by APIs bar graph from Apigee reportSource Apigee State of API Economy 2021 Report

APIs are also being deployed for a wide array of applications. According to a 2021 State of the API Economy research, larger companies use APIs more often to power mobile applications and more mature users are widely adopting API-powered application development for automation and IoT. 

Most companies have shifted to an API-first strategy to power digital transformation, accelerate innovation and build digital ecosystems that enhance productivity and value. However, the API attacks, breaches and abuse just keep getting bigger and more frequent. In just the past couple of months, there have been reports of an unsecured API at consumer credit bureau Experian leaking the credit scores of tens of millions of Americans, fitness brand Peloton’s leaky API exposing private account data and invite-only chat app Clubhouse essentially becoming a public network thanks to a reverse-engineered mobile API. 

However, any shift to an API-first strategy should be accompanied by an API-first security strategy. Here’s an overview of what that entails.

API-First Security Strategies

As API networks and application architectures become more complex, the number of security hotspots also increases.  As a result, traditional API security solutions may no longer be adequate to secure these complex ecosystems.

From WAF and API Gateway to WAAP

Common security tools such as WAFs and API gateways are no longer enough to prevent exploits even against authenticated APIs. In fact, their utility is often post hoc with a majority of customers relying on WAF and API gateway log files to identify an attack, when it’s already too late.   

As a result, the market has shifted to Web Application and API Protection (WAAP), an evolution of the WAF market centred around four consolidated capabilities: WAF, DDoS protection, bot management and API protection.

Web Application and API Protection diagram Enterprise Strategy Group

SOURCE: Enterprise Strategy Group

WAAP solutions represent a shift from siloed to unified application protection and can help streamline management, simplify operations and improve security. 

There are four key attributes that define any comprehensive WAAP solution. 

They are cloud-centric but location-agnostic and WAAP solutions that can protect applications across heterogeneous IT environments. 

They enable an integrated approach to runtime application security across WAF, DDoS, bot, and API protection by scanning traffic to detect malicious activity across all four vectors. 

They collect telemetry across all the applications and use that information to assess risk and share it across all mitigation components to improve defences in real-time. 

And WAAPs help reduce operational complexity by streamlining rulesets, simplifying the number of parameters that have to be managed and using machine learning to automatically suggest rules.

Holistic Defence for Mobile and Web

Mobile apps have been a key factor in the growth of the API economy and, as mentioned earlier, larger companies typically use APIs more often to power mobile applications. Mobile apps commonly have access to a lot of sensitive and valuable information and the APIs in the mobile channel are the hardest to protect. For instance, mobile APIs can be abused even if they have no vulnerabilities. 

If that weren’t a challenge by itself, the shift to remote work has made mobile devices the biggest IT security threat for business even as many sacrificed mobile security in order to accelerate their response to current restrictions. 

Most digital enterprises deliver services across the web and mobile, with mobile devices currently accounting for a bit more than half of all global website traffic. It is therefore critical for businesses to create a holistic defence across both channels.  

Though the approach to security to each of these entry points is quite different, it is still possible to make them work together seamlessly and ensure that both channels are properly defended against DDoS, credential stuffing, data scraping and other fraudulent exploits.

For instance, we have been able to leverage the unique capabilities of the Cloudflare Bot Management system and our own Approov API Threat Protection solution to construct a complementary and highly efficient solution. With this combined approach we were able to apply a positive security model for mobile — all Approov validated traffic is allowed while all other automated traffic is blocked — and a negative security model via Cloudflare Bot Management for analysis and mitigation of all other traffic. 

This is just one example of integration of 3rd party web protection solutions. Approov also supports seamless operation with Google reCAPTCHA, hCaptcha and FingerprintJS.

Taking a unified view of API security across channels and entry points can open up new opportunities to leverage solution capabilities to create additional and complementary security layers across every channel.

The Need for API Security Hygiene

Technological advancements will definitely play a key role in reversing the growing trend of API abuse and attacks. However, there also has to be a corresponding evolution in basic API security and management hygiene. For instance, a recent analysis of popular mHealth apps with combined access to at least 23 million patients’ records found serious lapses in rudimentary security protocols including hardcoded API and private keys in the apps. Similarly, the Salt Security survey found that half of the respondents either had no security strategy or only a basic strategy for API security. So that has to change or Gartner’s API predictions are just going to get direr.

 Learn More about Mobile API Security!