September 17, 2020

Why Are APIs Important?

By Felicia Haggarty

Data Theorem

Without APIs there would be no cloud computing, social media, or Internet of Things. APIs transfer data across a full-stack application and throughout the internet; they are the glue that keeps digital transformation and innovation intact and moving forward. According to a Gartner report, 40% of attacks on web applications already come through APIs instead of user interfaces, and analysts predict that this share will increase to 90% in 2021. APIs matter for three reasons:

  1. They help expand the business.

  2. They streamline processes.

  3. They make life easier for developers.

But APIs also comprise a vast and constantly expanding attack surface. APIs are most frequently the source of data breaches and leaky data. With all of these microservices, there is a lot of code being slung into the cloud or into web apps, and it is difficult to inventory, assess for risk, and secure. APIs essentially provide a treasure map for hackers, one they can use to find the most vulnerable attack vector for data exfiltration.

Before approaching API security, the biggest question we need to ask ourselves is “What is the process for discovering new or changed APIs or microservices? Can we comfortably say we know where all our APIs are?”

As more companies expand digital routes to market, developers are gravitating to new cloud platforms that are easy to use and scale, delivering new features faster than ever before. Security teams are now faced with new challenges in managing and protecting these service-based application architectures, which are built entirely on the public internet. Traditional approaches, like the data center firewalls or WAFs used previously, can now be circumvented. This creates a forcing function for leaders to re-evaluate their entire security program, with application-layer vulnerabilities at its core.

API discovery can change everything about a company’s approach to application security. It is the first step in visualizing your entire application attack surface. Not only are APIs continuously added to an application, but oftentimes they are consumed and utilized from third-party developers and open-source libraries. For a best-in-class security strategy, there needs to be 24/7 awareness of every API being utilized and of all client data being processed by these APIs at every layer of the application stack.

For example, mobile applications will typically include twelve to eighteen third-party SDKs. This means that a typical mobile application needs to be continuously scanned, statically and dynamically, for issues in both its native code and its third-party open-source and commercial SDKs. Since APIs can be called from anywhere in your application stack to access data, letting your mobile app act as a single vehicle for multiple users, they simultaneously provide single entry points to the sensitive data stored throughout your stack. Most companies purchase mobile app scanners or hire consultants for a quarterly audit to find vulnerabilities, but a quarterly cadence cannot keep up with API vulnerabilities that appear daily; by the time they are found, it is too late.

Similar to the mobile case, traditional web app scanners lack the ability to provide security insights for Single Page Applications (SPAs) because of the dynamic, real-time rendering nature of the SPA architecture. They do not know how to see the API data transport layer that makes these new web app architectures so popular with modern developers.

Companies need to be armed with a deeper level of inspection to understand whether authentication, authorization, availability, and encryption are working as they should from a security evaluator’s perspective. This is essential in industries that are heavily regulated and store very sensitive data, like healthcare and finance. APIs are all about connecting and collaborating to share information, but care needs to be taken to ensure that sensitive data is not left naked on the internet via public-facing mobile, web, and cloud applications.

Schedule a custom report to reveal your current application security posture: www.datatheorem.com/demo

Follow Data Theorem for AppSec guidance and offerings: www.twitter.com/DataTheorem www.facebook.com/DataTheorem www.linkedin.com/company/datatheorem
