API: The Attack Surface That Connects Us All
Published on 15 Aug 2022
The internet is highly resilient and self-healing in the face of random disturbances, yet it is susceptible to human error.
The closer you get to the application layer, and especially to the human layer, the more you wonder how the whole thing ever functioned. High-profile cyber attacks, ransomware in particular, have grown more frequent and pervasive in recent years. But you need not be concerned unless you depend on frivolous things like fuel, steak, air travel, or your data backups.
This paper focuses on API security, and if you've looked at APIs for any length of time, you know that security is often an afterthought.
The API between security and development (i.e., the people)
When considering APIs, which enable software components to communicate with one another, one must also consider the interface between security and development teams.
Security and development have never really shared a common language, partly because of their distinct experiences, vocabularies, and goals. Yet this tense relationship is becoming more crucial, particularly under the inevitable pressure to ship more features, release faster, and adopt the newest engineering trend under the "DevOps" banner. What must change to achieve better alignment?
Time to Value (or Time To First Value, TTFV) is a term used in product management to indicate how long it takes for a new client or prospect to gain value from the product or service you've sold them. Obviously, the objective is "as quickly as feasible." We must decrease a new security practitioner's Time to Value.
On the current scope and impact of breaches, Jeremiah Grossman posits that the cause is not improved offensive techniques but rather that adversaries have proven more adept at recruiting and training entry-level talent than the information security sector has.
Communicating with the world
APIs are ubiquitous. You can be certain that every application or service reachable over the internet is backed in some manner by an API. Today, APIs underpin mobile apps, the Internet of Things (IoT), cloud-based customer services, internal applications, and partner integrations, among other things.
Beyond the security problems that APIs raise, performance must also be considered. As API traffic is offloaded from origin servers to edge servers on the CDN, Akamai regularly observes performance improvements for APIs. This arrangement speeds up access and helps ensure availability.
However, a growing problem remains. Organizations that protect their APIs with conventional network security controls alone get mediocre results at best. Controls that operate on addresses, ports, and connection rates cannot see the application-layer semantics (who the caller is, which object is being referenced, and whether the request body is well-formed) where most API abuse actually happens.
Most of the risks that apply to websites and web applications also apply to APIs, but they must be handled separately, because an API exposes data and functions directly rather than through a browser-rendered page.
APIs significantly increase the attack surface that businesses must defend. Security and development organizations must therefore put in more effort to address these problem areas.
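The point that network-layer controls cannot substitute for API-layer checks is easiest to see side by side. The following is an added example, not code from Akamai's whitepaper: it models what a firewall rule sees (source address, destination port) against the checks an API gateway or the service itself has to make (bearer-token authentication, object-level authorization, strict body validation). The tokens, users, order records, and partner IP range (the documentation prefix 203.0.113.0/24) are all constructed fixtures.

```python
import ipaddress
import json

# Constructed fixtures, not real data: a "partner" address range, bearer tokens
# mapped to principals, and an orders table keyed by order id.
TRUSTED_NET = ipaddress.ip_network("203.0.113.0/24")
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {"1001": {"owner": "alice", "quantity": 2},
          "1002": {"owner": "bob", "quantity": 1}}
# Per-route body schema (field -> expected type); unknown fields are rejected.
SCHEMAS = {("PATCH", "orders"): {"quantity": int}}


def network_layer_allows(req):
    """What a firewall or ACL can decide on: source IP and destination port.
    Anything on 443 from the partner range passes, whatever the request does."""
    return req["dst_port"] == 443 and ipaddress.ip_address(req["src_ip"]) in TRUSTED_NET


def api_layer_allows(req):
    """Checks only the API layer can make. Returns (allowed, reason)."""
    # 1. Authentication: the bearer token must map to a known principal.
    scheme, _, token = req["headers"].get("Authorization", "").partition(" ")
    caller = TOKENS.get(token) if scheme == "Bearer" else None
    if caller is None:
        return False, "unauthenticated"

    # 2. Routing: only GET/PATCH /orders/<numeric id> is served here.
    parts = req["path"].strip("/").split("/")
    if len(parts) != 2 or parts[0] != "orders" or not parts[1].isdigit():
        return False, "unknown route"
    order = ORDERS.get(parts[1])
    if order is None:
        return False, "no such order"

    # 3. Object-level authorization: the caller must own the object it names.
    if order["owner"] != caller:
        return False, "not owner"

    # 4. Body validation for writes: well-formed JSON, known fields, right types.
    if req["method"] == "PATCH":
        try:
            body = json.loads(req["body"] or "")
        except json.JSONDecodeError:
            return False, "malformed JSON"
        schema = SCHEMAS[("PATCH", "orders")]
        if not isinstance(body, dict) or set(body) - set(schema):
            return False, "unexpected fields"
        for field, typ in schema.items():
            # bool is a subclass of int in Python, so reject it explicitly.
            if field in body and (isinstance(body[field], bool) or not isinstance(body[field], typ)):
                return False, f"bad type for {field}"
    elif req["method"] != "GET":
        return False, "method not allowed"
    return True, "ok"


def make_req(src_ip, method, path, token=None, body=None):
    """Build a minimal request record (constructed, not captured traffic)."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return {"src_ip": src_ip, "dst_port": 443, "method": method,
            "path": path, "headers": headers, "body": body}


SAMPLE_REQUESTS = {
    "alice reads own order": make_req("203.0.113.10", "GET", "/orders/1001", "tok-alice"),
    "bob reads alice's order": make_req("203.0.113.10", "GET", "/orders/1001", "tok-bob"),
    "no token": make_req("203.0.113.10", "GET", "/orders/1001"),
    "bad quantity type": make_req("203.0.113.10", "PATCH", "/orders/1002", "tok-bob",
                                  '{"quantity": "9; DROP"}'),
    "extra field": make_req("203.0.113.10", "PATCH", "/orders/1002", "tok-bob",
                            '{"quantity": 3, "owner": "bob"}'),
    "outside partner range": make_req("198.51.100.7", "GET", "/orders/1001", "tok-alice"),
}


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {name: (network_allows, api_allows, reason)} for each request."""
    return {name: (network_layer_allows(r), *api_layer_allows(r)) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (net, api, why) in evaluate().items():
        print(f"{name:24s} network={'pass' if net else 'block'} "
              f"api={'pass' if api else 'block'} ({why})")
```

Four of the six constructed requests sail through the network-layer rule and are stopped only by the API-layer checks; the last one shows the converse, a legitimate call blocked purely on source address. In practice the same checks live in an API gateway or the service code, and the schema would come from the API's published contract rather than an inline dictionary.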
By 2021, 90% of web-enabled applications were expected to have more attack surface in the form of exposed APIs than in their user interface, up from 40% in 2019.
The good news is that business leaders and security teams have already begun adopting more robust API security postures. However, there is still ample room for improvement, and criminals are actively exploiting API security gaps.
Download Akamai's whitepaper, API: The Attack Surface That Connects Us All, to learn more, available only on Whitepapers Online.