The API Security Newsletter - Issue 25
Hi Everyone! Welcome to this 25th edition of The API Security Newsletter. As always, I welcome any feedback via Twitter DM (https://twitter.com/filipv).
The challenge many cybersecurity teams encounter is that most of their APIs have already been deployed, so simply discovering how many API endpoints need to be secured is still significant work. It is not uncommon for an organization to be running a so-called zombie API: an endpoint that is no longer maintained or documented but is still reachable, and can therefore be accessed and manipulated by external threat actors.
The emergence of smart mobility services and applications has led to a sharp increase in the use of APIs in the automotive industry. This increased reliance on APIs has also made them one of the most common attack vectors. According to Gartner, APIs account for 90% of the web application attack surface.
Financial services companies are a favorite target for threat actors. Most of us are familiar with the Equifax and Capital One breaches that exposed hundreds of millions of customer records. But there are other attacks that don’t make the headlines. Over the years, the Carnegie Endowment’s FinCyber project has documented hundreds of separate cyber incidents impacting financial institutions around the world.
Cyberattacks can damage a firm’s reputation, disrupt business, and result in costly regulatory fines and legal settlements. (Equifax agreed to a $575 million settlement.) According to a 2022 IBM Security report, the average cost of a financial services data breach is now $5.97 million, the highest of any industry other than healthcare.
Security pros know the importance of maintaining an inventory of APIs, staying abreast of constant changes in the risk landscape, and monitoring for potential security exposures. But to truly become an API security expert, you need to think like an attacker, anticipate tactics and techniques, and build in safeguards and countermeasures to mitigate risk.
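The inventory point above, and the zombie API problem raised earlier in this issue, come down to one reconciliation: what the team believes is deployed versus what is actually answering requests. The following is an added example (my own illustration, not code from the newsletter or from any vendor mentioned here) that templatizes observed access-log paths and compares them with a route inventory to surface shadow endpoints (live but undocumented) and zombie endpoints (marked deprecated but still serving 2xx). The inventory, log lines, log format and the identifier-matching regex are constructed assumptions for the example.

```python
"""
Added example (not from the newsletter): reconcile an API inventory against
observed traffic to surface shadow endpoints (live but undocumented) and
zombie endpoints (documented as deprecated yet still answering requests).
Spec, log lines and the log format are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed inventory: the routes the team believes are current. Deprecated
# routes are kept deliberately so 'zombie' can be told apart from 'shadow'.
INVENTORY = {
    "GET /v2/users/{id}": "current",
    "POST /v2/transfers": "current",
    "GET /v1/users/{id}": "deprecated",   # should have been switched off
}

# Constructed access-log lines: status, method, path. Real logs would also
# carry timestamps, client IP and auth subject; omitted to keep the logic visible.
LOG_LINES = """\
200 GET /v2/users/1001
200 GET /v2/users/1002
200 POST /v2/transfers
200 GET /v1/users/77
200 GET /v1/users/78
200 GET /internal/debug/config
404 GET /v2/nope
"""

LOG_RE = re.compile(r"^(\d{3}) (\w+) (\S+)$")
# Assumed identifier shapes: integers or hex UUIDs (8-4-4-4-12).
ID_SEG = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$")


def templatize(path: str) -> str:
    """Collapse identifier segments so /v2/users/1001 and /v2/users/1002 count as one route."""
    return "/".join("{id}" if ID_SEG.match(seg) else seg for seg in path.split("/"))


def observed_routes(log_text: str) -> Counter:
    """Count successful (2xx/3xx) calls per templated route; 4xx/5xx are scanner noise."""
    routes = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status, method, path = int(m[1]), m[2], m[3]
        if 200 <= status < 400:
            routes[f"{method} {templatize(path)}"] += 1
    return routes


def reconcile(inventory: dict, routes: Counter) -> dict:
    """Classify each route as shadow, zombie, current, or documented_but_unused."""
    result = defaultdict(list)
    for route in routes:
        state = inventory.get(route)
        if state is None:
            result["shadow"].append(route)      # live, but nobody wrote it down
        elif state == "deprecated":
            result["zombie"].append(route)      # retired on paper, answering in prod
        else:
            result["current"].append(route)
    for route, state in inventory.items():
        if state == "current" and route not in routes:
            result["documented_but_unused"].append(route)
    return dict(result)


if __name__ == "__main__":
    report = reconcile(INVENTORY, observed_routes(LOG_LINES))
    for kind, found in sorted(report.items()):
        print(kind, found)
```

Only successful responses are counted on purpose: a scanner probing `/v2/nope` and getting 404 tells you nothing about what is deployed, whereas a 200 from `/internal/debug/config` is exactly the undocumented surface the paragraph warns about. In practice the inventory side would be generated from the OpenAPI spec or the gateway's route table rather than typed by hand, and the templatizer needs tuning to the identifier formats the application really uses.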
We’ve already had the first major API-related cybersecurity incidents of 2023. The T-Mobile API breach exposed the personally identifiable information (PII) of 37 million customers. The API attack had been running since late November 2022 but was not discovered and disclosed until January 19, illustrating the “low and slow” approach typical of API attacks, whose volume keeps growing. Following research by Sam Curry that uncovered hundreds of API vulnerabilities in the automotive industry – from Mercedes-Benz to Nissan to Kia to Ferrari and more – it’s not surprising that 2023 has been dubbed “The Year of API Security.”
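What makes a “low and slow” API attack hard to see is that it never trips a per-minute rate limit; the signal is breadth over time, one client walking through far more distinct resource identifiers than any real user needs. The following is an added example (my own illustration, not code from the newsletter and not a description of how the T-Mobile intrusion was actually carried out or detected) that profiles each API key over constructed traffic and flags clients whose peak request rate stays under the limit while their distinct-identifier count over a 30-day window is implausibly high. The log format, the key names, the 30-day window, the per-minute limit and the distinct-id threshold are all assumptions.

```python
"""
Added example (not from the newsletter): detect 'low and slow' enumeration
through an API. Because the request rate stays under any per-minute limit,
the detector measures breadth over time: distinct resource ids per client
over a long sliding window. Traffic, window and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) key=(\S+) GET /v2/users/(\d+)$")

PER_MINUTE_LIMIT = 60        # assumed classic rate limit; the scraper never comes near it
WINDOW = timedelta(days=30)  # assumed look-back period
DISTINCT_THRESHOLD = 50      # assumed: more distinct account ids than a real user needs


def constructed_log() -> list:
    """Constructed sample: a normal user revisiting three accounts, and a
    scraper fetching one new account every six hours for thirty days."""
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    lines = []
    for i in range(40):   # alice: 40 calls, only 3 distinct ids
        ts = t0 + timedelta(hours=i * 5)
        lines.append(f"{ts.isoformat()} key=k-alice GET /v2/users/{1001 + i % 3}")
    for i in range(120):  # scraper: 120 calls, 120 distinct ids, one per 6h
        ts = t0 + timedelta(hours=i * 6)
        lines.append(f"{ts.isoformat()} key=k-slow GET /v2/users/{5000 + i}")
    return lines


def parse(lines: list) -> list:
    """Return (timestamp, api_key, resource_id) tuples for lines matching the assumed format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], int(m[3])))
    return events


def profile_clients(events: list) -> dict:
    """Per key: peak requests in any single minute and peak distinct ids in any WINDOW."""
    by_key = defaultdict(list)
    for ts, key, rid in events:
        by_key[key].append((ts, rid))
    profiles = {}
    for key, evs in by_key.items():
        evs.sort()
        # Peak per-minute rate: what a conventional rate limiter would see.
        per_minute = defaultdict(int)
        for ts, _ in evs:
            per_minute[ts.replace(second=0, microsecond=0)] += 1
        peak_rpm = max(per_minute.values())
        # Peak distinct ids inside a sliding WINDOW (two-pointer sweep).
        seen, lo, best = defaultdict(int), 0, 0
        for ts, rid in evs:
            seen[rid] += 1
            while evs[lo][0] < ts - WINDOW:       # drop events that fell out of the window
                old = evs[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            best = max(best, len(seen))
        profiles[key] = {"requests": len(evs), "peak_rpm": peak_rpm, "peak_distinct_ids": best}
    return profiles


def flag_low_and_slow(profiles: dict) -> list:
    """Keys that stayed under the rate limit yet enumerated too many distinct ids."""
    return sorted(k for k, p in profiles.items()
                  if p["peak_rpm"] <= PER_MINUTE_LIMIT
                  and p["peak_distinct_ids"] >= DISTINCT_THRESHOLD)


if __name__ == "__main__":
    profiles = profile_clients(parse(constructed_log()))
    for key, p in profiles.items():
        print(key, p)
    print("low-and-slow suspects:", flag_low_and_slow(profiles))
```

The rate-limit check is included so the output shows why the conventional control misses this client: one request per six hours is invisible to a per-minute counter. The example keys on the API key alone; a real detector should also group by authenticated subject and source network, since an attacker who rotates keys will spread the same breadth across many profiles, and the threshold has to be set from the distribution of distinct ids that genuine users produce.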
In the past year, several high-profile breaches resulting from API attacks are "just the tip of the iceberg," said analyst Dionisio Zumerle, vice president at Gartner. Many companies - including banks, which now have about 1 billion API calls a month for money transfer apps - are highly dependent on APIs, he said.
"What we have is a new way of exchanging information which is increasingly popular, and almost no organization has the recipe to secure that new way of communicating," he said. "The very first thing to do when you set up an API security project is to set, define and communicate the scope of the program and set expectations properly," he said.
No API is left untested, the company added, thanks to its ability to find and test every API based on an understanding of the application’s business logic. Developers get usability features such as simple setup and automation, in-line test results, and contextual guidance for mitigating failed requests.
When Chinese government-backed hackers broke into Microsoft Exchange servers in 2021, they didn’t break through tough firewalls to access the network. They came right in through an open door.
Application programming interfaces, or APIs, are the defined interfaces through which different software applications connect and “talk” to each other. Increasingly, hackers exploit vulnerabilities in these exposed entry points to access sensitive data and wreak havoc.
Almost all modern applications rely on APIs to exchange data and interact with external systems. With the adoption of cloud computing, API usage has grown exponentially, making API security a top priority for organizations that want to protect their cloud-based applications. API security should be one of the first steps in securing cloud apps, because APIs are the primary entry point through which attackers exploit vulnerabilities in them.
One more thing…
On March 24 we lost an industry legend. In this ASML video, Gordon Moore shares his story about Moore's Law.
'Rather than becoming something that chronicled the progress of the industry, Moore's Law became something that drove it.'
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API security news. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).