APIs: Cyber Security’s Emerging Threat Vector

Dan Gunderman
02/08/2018

It appears a new – and pervasive – threat vector is emerging, and a recent Imperva survey has the proof to back it up. The target: an organization’s application programming interface (API).

An API is a set of definitions, protocols and tools for building application software. APIs allow for distinct interaction between levels of software. They also allow for easier program development, and can be utilized for web systems, operating systems, databases, hardware or software libraries.

Now, it seems threat actors may be zeroing in on APIs, which hold keys to much more sensitive data and information. APIs are increasingly considered gateways into applications – which poses a security risk.

APIs allow for swift and simplified application building at the hands of programmers – for example, in file copying. On a more macro level, APIs support user-friendly digital experiences and are crucial to mobility growth.

According to a recent survey of 250 IT professionals conducted by Imperva, there has been a heightened concern for cyber security risk related to API use. It reads: “Specifically, 63% of respondents are most worried about DDoS threats, bot attacks and authentication enforcement for APIs.”

More than two-thirds (69%) of the polled organizations are exposing APIs to the public and their partners. On average, organizations are also managing 363 different APIs, according to the survey.

Those that face the public are of paramount concern because they’re a “direct vector to the sensitive data behind applications,” the survey explained.

In terms of defending these increasingly topical gateways, 80% of organizations use a public cloud service to do so. Most polled individuals use a combination of API gateways (63.2%) and web application firewalls (63.2%) to ensure their data is sealed.

Commenting on APIs and the survey results, Imperva’s CTO, Terry Ray, said, “APIs represent a growing security risk because they expose multiple avenues for hackers to try to access a company’s data.

“To close the door on security risks and protect their customers, companies need to treat APIs with the same level of protection that they provide for their business-critical web applications,” Ray added.

Another hot topic within the API discussion is the proliferation of DevSecOps. In fact, 92% of IT professionals believe that DevSecOps – or the combination of development, security and operations – will be crucial for future application development.

These findings hearken back to previous calls for stringent security measures to be baked into solutions and products from the outset. The darker alternative could be deploying solutions in a “reactive” state down the line, when the enterprise hypothetically falls victim to a gateway-to-data attack.

On DevSecOps, Ray explained, “It is very encouraging that the majority of respondents to our survey expect DevSecOps to be involved in the future of application development.”

He added, “Cyber-crime is pervasive, and it is vital that organizations keep their applications safe from hackers. Embracing DevSecOps provides organizations with the building blocks needed for defense against some of the most serious cyber security threats.”
