The API Security Newsletter - Issue #19
Businesses have to accept the API security threat as real, and it’s time for all organizations to start taking a more proactive approach. By implementing these strategies, enterprises have the best shot at keeping APIs secure without stifling innovation.
By their nature, APIs expose application logic and sensitive data such as personally identifiable information (PII), which makes them an attractive target for attackers. Often reachable over public networks (accessible from anywhere), APIs are typically well documented and can be quickly reverse-engineered by malicious actors. They are also susceptible to denial of service (DoS) and distributed denial of service (DDoS) attacks.
In July this year, cybercriminals began selling the user data of more than 5.4 million Twitter users on a hacking forum after exploiting an API vulnerability disclosed in December 2021. Recently, a hacker released this information for free, just as other researchers reported a breach affecting millions of accounts across the EU and U.S.
The information appears to have been gathered through an API vulnerability first disclosed by a hacker on the HackerOne bug bounty platform (who received a $5,000 payment from Twitter), which enabled the data to be scraped. "APIs allow computers to communicate with one another, and account for around 80% of all the traffic that traverses the Internet."
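An API endpoint that maps a phone number or e-mail address to an account is the kind of lookup that gets abused for the bulk scraping described above. The newsletter only says the data was scraped through an API flaw, so the endpoint path, query parameters, log format and sample lines below are assumptions. This is an added example, not code from the newsletter or from any vendor: a small detector that parses access-log lines and flags any client that queries many distinct lookup values in a short window, which is the signature of enumeration rather than normal use.

```python
"""Flag clients enumerating an account-lookup endpoint from access logs.

Added illustrative example. The endpoint path, parameter names, log
format and sample traffic are all assumptions, not real data.
Heuristic: count the number of *distinct* lookup values a client sends
within a sliding time window; a legitimate user looks up a handful,
a scraper walks through thousands.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOOKUP_PATH = "/api/v1/users/lookup"   # assumed lookup endpoint
LOOKUP_PARAMS = ("phone", "email")     # assumed parameters it accepts

# assumed log format: "<ISO-8601 UTC timestamp> <client> <method> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, client, [(param, value), ...]) for a lookup
    request, or None for malformed lines and other endpoints."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_str, client, _method, url = m.groups()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    parts = urlsplit(url)
    if parts.path != LOOKUP_PATH:
        return None
    qs = parse_qs(parts.query)
    values = [(p, v) for p in LOOKUP_PARAMS for v in qs.get(p, [])]
    return (ts, client, values) if values else None


def find_scrapers(log_text, window=timedelta(seconds=60), threshold=20):
    """Map client -> peak number of distinct lookup values seen inside
    any `window`, for clients whose peak reaches `threshold`."""
    events = defaultdict(list)  # client -> [(ts, (param, value))]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, values = rec
        for v in values:
            events[client].append((ts, v))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        in_window = Counter()   # value -> occurrences inside the window
        left, peak = 0, 0
        for ts, val in evs:
            in_window[val] += 1
            # slide the left edge forward until the window fits
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))  # distinct values in window
        if peak >= threshold:
            flagged[client] = peak
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real): one scraper, one normal user."""
    base = datetime(2022, 7, 21, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # scraper: 25 distinct phone numbers in 25 seconds, then one repeat
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:{fmt}} 203.0.113.7 GET {LOOKUP_PATH}?phone=%2B1555000{i:04d}")
    t = base + timedelta(seconds=26)
    lines.append(f"{t:{fmt}} 203.0.113.7 GET {LOOKUP_PATH}?phone=%2B15550000003")
    # normal user: three lookups spread over ten minutes
    for i, minutes in enumerate((0, 4, 9)):
        t = base + timedelta(minutes=minutes)
        lines.append(f"{t:{fmt}} 198.51.100.4 GET {LOOKUP_PATH}?email=user{i}%40example.com")
    # unrelated endpoint, ignored by the detector
    lines.append(f"{base:{fmt}} 198.51.100.4 GET /api/v1/timeline")
    return "\n".join(lines)


if __name__ == "__main__":
    print(find_scrapers(build_sample_log()))  # {'203.0.113.7': 25}
```

Counting distinct values rather than raw request volume matters: a user who retries the same lookup twenty times trips a request-rate limit but is not enumerating, while a scraper that paces itself under the rate limit still shows a steadily growing set of distinct identifiers. In production the same logic belongs in the gateway or SIEM over real logs, keyed by API token as well as source address, since scrapers rotate IPs.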
There are several myths and misconceptions about API security, and they are hurting your business. Why? Because these myths widen your security gaps, which makes it easier for attackers to abuse APIs, and API attacks are costly: the financial losses land on you.
Data and credentials at risk in the vertical
The volume of web application and API attacks detected over the past 12 months surged by 3.5 times year-on-year in the financial services sector, the highest of any vertical, according to Akamai.
A study 451 Research conducted in July for Noname Security's 2022 API Security Trends Report showed that the number of APIs in use had grown 201% over the past 12 months. In addition, 41% of respondents reported having experienced an API security incident, 63% of which involved a data breach and/or data loss. In fact, Gartner has suggested that APIs will become the most frequent attack vector this year and that API abuses and related data breaches will nearly double by 2024.
API (security) related videos
Join API security experts from U.S. Bank, ActBlue, and Spotify for a lively discussion on The 3 Pillars of API Security: 1) API Governance, 2) API Security Testing, and 3) Run-time API monitoring. APIs have become a top concern for CISOs, as API vulnerabilities have led to many high-profile breaches. Securing these APIs requires finding and fixing the vulnerabilities and flaws as early as possible in the development cycle.
A Risk based Approach to API Security
"Hacking API Security" - Super Cyber Friday
One more thing
Bryan Cantrill's talks are always a great watch and this is no exception.
Once upon a time, an investor proposed a "college replacement" by gathering up 18-year-olds in order to give them money in exchange for future earnings. It was not a particularly thought-through take, but it spurred this talk, which is a particularly thought-through take. And heartfelt. And poignant.
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API Security news. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).