Securing the API Economy
API Traffic Represent 83% of all Internet traffic increasing the exposure for nefarious bad actors.
Welcome to issue #3 of Indiscrete Musings
I write about the world of Cloud Computing and Venture Capital and will most likely fall off the path from time to time. You can expect a bi-weekly to monthly update on specific sectors with Cloud Computing or uncuffed thoughts on the somewhat opaque world that is Venture Capital. I’ll be mostly wrong and sometimes right.
Please feel free to subscribe, forward, and share. For more random musings, follow @MrRazzi17
APIs are powering the way we live and work and in the same vein becoming an ever more alarming threat for enterprises of all sizes given the increasing attack surface. This post will discuss the state of the industry, current key trends, and a few market predictions. Before we begin, let’s start with a primer on APIs.
Application Program Interface (API)
An application programming interface (API) is a set of rules that enables a software application to convey data to another software application. APIs enable developers to circumvent duplicative work – instead of building and rebuilding application functions that already exist – developers can incorporate existing ones into their new applications by formatting requests as the API requires. The physical metaphor and real-life example of an API would be to think of an ATM. An ATM has an interface, usually a screen with interactive options – allowing customers to interact with their bank and request additional services like obtain cash. Identically, an API is how one piece of software interacts with another to obtain the needed services.
The API Economy
APIs continue to proliferate primarily due to cloud computing, modern applications, and large creations of data each day. By industry estimates, API traffic represents more than 83% of all Internet traffic today1. The growth of public API usage has been exponential in the last decade and the API economy or rather revolution is also very cogent: Outside of software, we have seen a spectrum of industries embrace APIs— media, finance, telecommunications, tourism, auto, and real estate to name a few. And it’s not just in the private commercial sector; nations, countries, and states are making public works, crime, legal, and other agency data available through initiatives such as the US Food and Drug Administration’s openFDA API program.
The API economy is not built upon the disruption of programs but rather is centered around the democratization of industries so that they can co-exist in the 21st, software-driven century. That is, with the abundance of data and increased usage of software applications the ability to communicate between programs and access data has become paramount. For example, legacy players within the financial services sector are exploring open banking platforms that unbundle payment, credit, investment, loyalty, and loan services to compete with new entrants. Netflix receives more than 42B+ monthly requests to its public APIs2.
Macro-trends that have foundational tailwinds such as global smartphone adoption, internet availability and adoption in emerging markets, global e-commerce, autonomous/EV vehicles, and the rise of connected/IoT devices will have internal and external dependencies in their respective data sets and services. APIs can quickly add reach and features. However, amid the fervor, a fundamental reality remains: APIs are far from new developments.
They have been around since the beginning of software development. What’s different now, and why is there so much investor participation and market enthusiasm around APIs? Well, for starters APIs have moved away from just being a technical need to rather a business mandate. Jyoti Bansal, co-founder of Appdynamics (acq. by Cisco for $3.5B in 2017) stated:
“APIs have transitioned from being a technical requirement to a linchpin business priority. The API economy has empowered companies to be more successful — whether it’s through leveraging third-party APIs to improve business processes, attracting and retaining customers, or producing an API as a product.”
We’ve also seen API-driven companies pave the way such as Twilio and Stripe. It’s clear that in this software-driven and data-rich world APIs are foundational to the way we live and the way we work – we are living in a truly vibrant API economy and we’re better off because of it.
API Growth Leads to an Increasing Attack Surface
As the use of APIs and the value of data and data shared via API have both increased so has the attack surface. Bad actors realize that APIs are often the weakest link in an organization’s security armor, especially since traditional tools like a Web Application Firewall (WAF) and API gateways are limited against protecting sophisticated attacks.
Greater use of APIs, faster release cycles with agile DevOps practices, and increased attacker surfaces are leading to APIs presenting an ever-growing and persistent risk factor for many enterprises. Salt Security recently published their State of API Security Report which discusses the impressive yet alarming data points across their installed base. According to Salt Security, their customers have seen monthly API call rates increase 141% while malicious attack traffic has grown 348%3. Across the same customer cohort in the last 12 months, the average number of APIs for each Salt Security customer has more than tripled, starting from 28M API Calls in July 2020 to 89M API Calls in June 2021 implying that most of their customers are continuing to embrace digital transformations and the broader shift to an API economy. Consequently, with the API call volume increasing so has the number of attacks. In that same period, attack traffic increased from 1.4% of all traffic in December 2020 to 2.6% of traffic in June 2021 (figure below).
Security should always be top of mind for every CISO and enterprise but often its gets buried behind product releases, accelerated DevOps practices, and the velocity of growing at all costs. At a granular level, API security is often left in the dust not because of its importance but rather because of its misalignment around ownership. In the same report, Salt Security found that 21% of respondents say that developers should be the team responsible for owning the security best practices while the API team took a close second at 20%. It’s common to hear that developers write APIs therefore they should be responsible for securing the APIs but in reality, security should be a cross-functional effort with company-wide best practices enforced top-down. In addition to responsibility, many enterprises outsource development either partly or fully to third parties, while this is an efficient manner of reaching productivity and shipping code it can be a major handicap and expose security risks at scale.
Common API Security Vulnerabilities
There are several vulnerabilities, I’ve highlighted below the most common in the industry:
DoS and DDoS attacks: Too many requests directed at an API can slow or halt service for other users.
Authentication-based attacks: Usually, customers will need to authenticate before they can make API requests so that an API server does not accept requests from unknown or illegitimate sources.
Authorization errors: Authorization sets the level of access each user has. If authorization is not managed correctly, an API client may have access to data that should not be available to them, increasing the chance of a data breach.
Vulnerability exploits: A vulnerability exploit is when a bad actor sends uniquely crafted data at a target, then that unique data-set takes advantage of a flaw in the target's architecture. The Open Web Application Security Project (OWASP) maintains a list of the top 10 API vulnerabilities, such as security misconfiguration, SQL Injections, and others. If an attacker exploits a previously unknown target, that is known to be called a zero-day threat which can be extremely difficult to mitigate.
As the rise of attacks continues to increase, its given way to many young entrants entering the market. All seem to be promising yet it’s unclear who the winners will be. Towards the high end of the market, you have larger incumbents such as Ping Identity, Imperva, F5, PerimeterX, and Akamai. In the last few years, there have been several entrants entering the market with high speed and execution, such as Sqreen (Datadog), Noname, Salt Security, 42Crunch, Neosec, Apisec, Wallarm, and Traceable.
Approaches vary per provider, generally, some are focused on at-scale penetration testing, business logic (B2B/B2C), behavioral-based security, and basic Infrastructure leverging traditional web applications and OWASP rules. The effectiveness of each approach should be measured on a base-by-base basis, that is, solving for unique and *new* uses cases that arrive as opposed to providing an out-of-the-box solution that often fails to cover the nuances. As the market matures there will be clear winners but it’s too early to forecast who they will be. What is clear, however, is that larger incumbents are starting to take note of the market opportunity. At a recent Oppenheimer Technology Conference, Raj Dani, CFO of PING Identity stated:
[…] API security is something that's on the come. We are extremely, extremely early in that market. But we have deployed it at really large-scale – some of the kind of Fortune 100 type companies. And really – the real value of it is it's an AI/ML engine that can detect anomalous API attacks, which is such a broad attack vector. But what we are seeing is customers are already just happy with the fact that they can get their arms around – the software also inventories all your APIs. And with developers decentralized, business units decentralized, there is a lot of open APIs that could be exposures for companies that frankly the CISO doesn't even know about. So they get great value in just even getting an inventory of those and then further leveraging the AI/ML capabilities in terms of detecting anomalous traffic and making machines smarter over time. I would say that again very early days. But this will be a market down the road, and we are going to be very well positioned to attack that [market].
With a greater focus on the market from larger providers – this may lead to larger M&A sprees where entrants will be enticed to leverage the distribution of the established incumbents. What is undoubtedly clear, is that the API Economy is here to stay and because of it the API Security Market is heating up and in time we’ll be able to decipher the fire from the smoke.
API Security Trends. Salt Security: API Security across build, deploy, runtime. (n.d.).