Trends in API Security Industry

API Security is one of the Fastest-Growing Segments in Cybersecurity

Application Programming Interfaces (APIs) present a significant security threat to enterprise data and this niche has become one of the fastest-growing segments of the cybersecurity industry, according to industry analyst and researcher Richard Stiennon, Chief Research Analyst at IT-Harvest. Stiennon, who founded IT-Harvest in 2005 to cover the 2,850 vendors that make up the IT security industry, has observed substantial growth in the API security market in the past year. As enterprise security teams move to target this specific threat to their data, the API security sector continues to see dramatic increases in both revenue and number of product offerings.

APIs generate phenomenal amounts of traffic, and the API economy is showing no indication of slowing. “It is a truism in cybersecurity that a technology does not take off until threats cause pain. As the API economy becomes more dominant and practically every app uses APIs to communicate data, there are increasing attacks against API data exchanges,” said Stiennon.

API security is increasingly in the news, mainly because several major data breaches have been caused by weak API security. For example, a recent breach at Optus, an Australian telecommunications company, leaked the data of over 10 million subscribers through an API that had been accidentally exposed without any authentication mechanism. It's a simple, easy mistake that can happen at any time. You have to be right all the time; your attacker only has to get lucky once.

API security industry grew 33% so far in 2022

Stiennon presented findings from his third-quarter report on the direction of the API security industry. His report, “Q3 2022 Not Too Shabby for API Security,” states, “Looking at one of the fastest growing segments, API security, in detail, there are 27 cybersecurity companies that focus on API security. Of those, 21 grew in headcount in the summer months July-September. Total growth for the segment was 6.2% for the quarter and 33.2% for 2022 so far. This follows a year of 60% growth in 2021.”

Why the significant growth? The reason is simple: APIs are ripe and juicy targets for cybercriminals, and loaded with attack traffic that is invisible unless you have effective API security. APIs now consume as much as 60% of all internet bandwidth, but many of them have weak security architecture, which opens the door to data breaches, ransomware, malware, DDoS attacks, and other cyber threats.

Webinar on The Latest Trends in API Security

In a recent webinar, Stiennon interviewed Resurface Founder and CTO Rob Dickinson to discuss how APIs are being exploited and how to stay ahead of the attackers.

Not surprisingly, attackers can make a lot of money from API exploits by stealing and reselling data, and the attacks are not expensive to carry out. In recent years threat actors have become very sophisticated in their knowledge and skillsets, locating API mis-deployments (in other words, mistakes) and launching attacks against API targets. Threat actors are impersonating users, taking over user accounts, and sometimes even signing up as paying customers.

Factors contributing to the exploitation of weak API security architecture

One major problem is that many enterprises don’t know how many APIs they have or which ones are dormant. Their APIs are like black boxes, which leaves enterprises with a fundamental problem: they can’t protect what they can’t see.

There is no longer any sense of the “one trusted client interface,” because some APIs are open to do business with any client, which opens the door widely to attacks. In some sense this is democratizing and empowering, but from a security perspective you’re losing the ability to enforce on the client side.

When you deploy something into a cloud, you're putting your API into a public space, which makes you very exposed. Those attackers can show up immediately; we have set up honeypot operations to find attackers, and they show up within about 30 minutes. When you reach some level of success or notoriety, the attackers will show up before your customers do.

With APIs, it is too easy to find the access key. The potential universe of attackers includes employees, customers, and partners. The nightmare scenario occurs when an attacker signs up as a paying customer and uses that valid account to pass straight through the firewall and the authentication layer and directly into a privilege escalation attack. These kinds of attacks are hard to detect.

Organizations lack actionable telemetry on what their APIs are doing: how often they are attacked, how those attacks succeed, and what the inputs and outputs of the system actually are. Companies must improve their visibility, detection, and response. Users must be validated before they reach a company’s applications and can compromise data security.

Looking beyond API gateways and WAFs

To safeguard their data, companies must acknowledge the weaknesses of APIs and look beyond traditional perimeter measures such as API gateways and WAFs. Although those tools play a crucial role in API security, on their own they can give only a false sense of security.

For several years at his previous company, which specialized in web observability, Dickinson noticed that many customers were using its web observability technology to monitor their REST and SOAP APIs. Dickinson launched Resurface in 2019 to provide runtime API monitoring that enables organizations to discover which APIs they have, score their API traffic, and set up remediations for individual APIs. Our platform helps companies inventory their APIs and then easily set policies and automated workflows so that their security organization can respond most effectively.

We are unique in the market because we focus on first-party deployments, and our solution collects the data in the customer environment — there are no data collection agents — so the customers never have to worry about their data moving.

There is no doubt that cybercriminals are exploiting APIs and that enterprises suffer from the lack of visibility into their API traffic. Schedule a demo today to learn what you and your team should do now to mitigate risk.

Don Leatham

Author