Just about every app uses an application programming interface (API). From a security standpoint, though, APIs also come with some common problems. Gartner predicted that API abuse will be the most common type of attack seen in 2022. So, what problems exactly do APIs face? And what can data security defenders do about it?

Prevalent API Risks

In 2019, OWASP named 10 web app data security risks to watch out for. These include:

  • Data exposure: This threat arises when developers expose all the properties of their objects without considering how sensitive each one is, leaving it to the client to filter the data before displaying anything to a user.
  • Security misconfigurations: These data security weaknesses take many forms, including misconfigured HTTP headers, error messages that contain sensitive information and exposed cloud storage. Often they are a product of insecure default configurations.
  • Injection: In this case, untrusted data is sent to an interpreter as part of a command or query. Attackers can use such flaws to trick the interpreter into running malicious code or commands that touch sensitive data.
  • Insufficient logging and monitoring: Both of these data security gaps give attackers the chance to hide within a victim’s network unnoticed. From there, threat actors can scope out the network, move to business-critical assets and exfiltrate data.
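Two of the risks above, injection and excessive data exposure, often live in the same handler. The following is an added example written for this article, not code from OWASP or from any of the products mentioned: a user-lookup endpoint backed by an in-memory SQLite table (sample rows are constructed), first in a vulnerable form that pastes the caller's input into the query text and returns every column, then in a hardened form that parameterizes the query and lets the server, not the client, decide which fields leave the API.

```python
import sqlite3

# Constructed sample data for the example: two users, including fields that
# should never be returned to an arbitrary API caller.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "<hash-placeholder-1>", "555-0101", 0),
    (2, "bob", "bob@example.com", "<hash-placeholder-2>", "555-0102", 1),
]


def build_db():
    """Create an in-memory users table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows addressable by column name
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, "
        "password_hash TEXT, phone TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, username):
    """Vulnerable handler (the pattern the article warns about).

    1. Injection: the caller-controlled username is interpolated into the SQL
       text, so the interpreter sees it as part of the query.
    2. Excessive data exposure: SELECT * hands back every column, leaving it to
       the client to drop password hashes, phone numbers and admin flags.
    """
    query = f"SELECT * FROM users WHERE username = '{username}'"
    rows = conn.execute(query).fetchall()
    return [{k: r[k] for k in r.keys()} for r in rows]


# Explicit allow-list: the only fields this endpoint is permitted to expose.
PUBLIC_FIELDS = ("id", "username")


def lookup_user_hardened(conn, username):
    """Hardened handler.

    1. Parameterized query: the driver passes the username as a bound value,
       so no input can change the query's structure.
    2. Server-side filtering: only the allow-listed columns are selected and
       serialized, so the response carries no more than the API contract says.
    """
    columns = ", ".join(PUBLIC_FIELDS)
    rows = conn.execute(
        f"SELECT {columns} FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [{k: r[k] for k in PUBLIC_FIELDS} for r in rows]


if __name__ == "__main__":
    db = build_db()
    # A username that is not in the table but carries a quote; the vulnerable
    # handler mishandles it, the hardened one simply finds no such user.
    probe = "nobody' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, probe))  # every row, every column
    print("hardened:  ", lookup_user_hardened(db, probe))    # []
    print("hardened:  ", lookup_user_hardened(db, "alice"))  # [{'id': 1, 'username': 'alice'}]
```

The hardened version fixes the two risks independently: binding parameters alone would still leak the password hash, and an allow-list alone would still let a malformed username rewrite the query. Both controls belong in the handler, and a review that checks only one of them is incomplete.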

The Effects of Data Security Risks on Business

API problems don’t just slow down businesses’ plans to roll out new apps. They also cost time and resources when an attack does happen.

This happened a lot in 2020. As noted by Salt Security, 91% of respondents’ employers suffered at least one API problem over the course of the year. Of those respondents, more than half (56%) had upwards of 55 API-related data security incidents a month during that period. Meanwhile, 22% dealt with as many as 200 monthly attacks.

The onset of a new year didn’t put an end to these API troubles, either. Here are several API incidents that made headlines in the first six months of 2021:

  • In February, researchers found that all 30 of the health care apps they studied were vulnerable to API attacks. They also learned that the apps exposed 23 million users to potential threats.
  • An API tool used by one of the major credit bureaus exposed the credit scores of almost every American. The tool enabled someone to perform a credit check through the credit bureau using only public information.
  • Another API problem involved a popular stationary bike manufacturer. A researcher found that they could make unauthenticated requests to the company’s API for user account data. That weakness enabled the researcher to access other bike owners’ information.

How to Improve API Data Security

The cases discussed above highlight the need for businesses and agencies to secure their APIs going forward. One of the ways they can do that is by always using SSL and TLS certificates. Using valid certificates with APIs can help protect data exchanges with encryption. This will empower defenders to protect apps against man-in-the-middle attacks aimed at exposing users’ information.

Following that, optimize firewalls. These are essential for helping control the flow of information enabled by APIs. Revoke whatever data security rules are too permissive for the apps’ needs. This will likely require first reviewing firewall rules and network objects to learn about the specific business or agency’s API usage.

Finally, businesses and agencies need to implement proper authentication and authorization of their clients. They can consider using protocols to limit the access that third-party apps can gain to an API. Doing this can help prevent too many parties from accessing and sharing too much.

Don’t Forget About Your APIs

Security models for APIs have not kept up with modern networks that are, more and more, borderless. Those models have failed to uncover the vulnerabilities in their APIs. As a result, API breaches like those discussed above are becoming more common.

By keeping an eye on APIs, businesses and agencies can begin to formalize their API data security efforts. By doing so, they can stay current with a threat landscape that’s moving towards more and more API attacks.
