Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services.

For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average of 25,592 APIs in place. That’s a massive attack surface, and threat actors know it.

It’s no wonder that the Salt Labs State of API Security Q1 2023 report revealed a 400% increase in unique attackers compared to the prior six-month period. Meanwhile, 54% of survey respondents named outdated/zombie APIs as their top concern.

The Zombie API Plague

A zombie API is an API (or API endpoint) that has been abandoned, forgotten or become outdated. These APIs no longer serve any purpose, or they have been replaced by newer versions. Organizations may fail to properly control the versioning, deprecation and removal of old APIs. And these zombie APIs can linger indefinitely.

Since zombie APIs are no longer maintained or updated in any way, they pose a significant security threat. They receive no patching, maintenance or security updates, making them highly vulnerable to exploitation. Worse, a zombie endpoint often still fronts the same backend data as its replacement, so a flaw in the old version exposes current data while all the monitoring attention is on the new one.

As per the Salt Labs report, 94% of respondents experienced security problems in production APIs from Q1 2022 to Q1 2023. The report also notes that the number of unique attackers targeting APIs rose four-fold over the prior six months.

According to the report, organizations previously relied on proper authentication to interact with an API and considered it sufficient to deter attackers. However, 78% of the attacks analyzed came from seemingly legitimate users: the attacker held valid credentials or a valid token, whether stolen, purchased or obtained by simply signing up, and the API accepted the request. Authentication tells an API who is calling; it says nothing about whether that caller should be allowed to read or modify the particular object they asked for.

Types of API Breach Events

In March 2022, a HubSpot API breach exposed the sensitive data of 1.6 million users. And in 2021, API security events included companies such as Peloton, John Deere and Experian.

Attackers reach data through API endpoints. In some cases, attacks take advantage of poor coding. However, more sophisticated actors target business logic vulnerabilities. Either way, a legitimate API ends up opening doors to an enterprise’s sensitive data assets.

An API breach that involves poor coding can be exploited by hackers to gain unauthorized access to a system or steal sensitive information. Examples of poor coding practices include failing to validate user input and not properly sanitizing data.

A business logic weakness occurs when there is a flaw in the design or implementation of the system’s business rules or logic. This can occur when a programmer fails to consider certain scenarios or inputs that could lead to unintended consequences. For example, a system might allow a user to transfer funds without verifying that they have sufficient funds in their account.
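The funds-transfer rule described above, as an added example that is not part of the original article: the first method is written without the balance check and mirrors the flaw, the second enforces every rule server-side. Account names, balances and the helper `make_ledger` are constructed for illustration.

```python
# Added example (not from the article): the funds-transfer rule described
# above, first as written without a balance check, then hardened so every
# business rule is enforced server-side. Account names and balances are
# constructed for illustration.
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Account:
    owner: str
    balance: Decimal


class InsufficientFunds(Exception):
    pass


class NotAuthorized(Exception):
    pass


class Ledger:
    def __init__(self, accounts):
        self.accounts = {a.owner: a for a in accounts}

    def balance(self, owner):
        return self.accounts[owner].balance

    def transfer_vulnerable(self, src, dst, amount):
        """Business-logic flaw: the balance is never checked, the caller's
        identity is never compared with the source account, and a negative
        amount quietly reverses the direction of the transfer."""
        self.accounts[src].balance -= amount
        self.accounts[dst].balance += amount

    def transfer(self, caller, src, dst, amount):
        """Hardened version. Returns the new source balance."""
        amount = Decimal(str(amount))
        if caller != src:
            raise NotAuthorized("callers may only debit their own account")
        if amount <= 0:
            raise ValueError("amount must be positive")
        if src == dst:
            raise ValueError("source and destination must differ")
        source, dest = self.accounts[src], self.accounts[dst]
        if source.balance < amount:
            raise InsufficientFunds(
                f"{src} has {source.balance}, cannot send {amount}")
        source.balance -= amount
        dest.balance += amount
        return source.balance


def make_ledger():
    """Constructed sample data: alice holds 10.00, bob holds 0.00."""
    return Ledger([Account("alice", Decimal("10.00")),
                   Account("bob", Decimal("0.00"))])
```

Note that none of the hardened checks is exotic; the point is that each one lives in the API, not in the client that calls it, because the client is the part an attacker controls.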

In the Experian event, a researcher encountered a student loan lender site that checked loan eligibility for anyone who supplied a name, address and date of birth. By examining the code behind the page, the researcher could see it invoked an API that lets lenders automate queries for FICO credit scores. It turned out the Experian API could be called directly without any authentication, and entering all zeros in the “date of birth” field let anyone pull a person’s credit score and other sensitive data from just a name and address.
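An eligibility-check handler shaped like the case above, as an added example that is neither Experian's nor the lender's code. The record data, the API key, the field names and the score threshold are constructed assumptions; the page does not describe the exact server-side cause of the real bypass, so `lookup_vulnerable` shows one plausible way such a bypass arises (a zero-filled date treated as "not provided") beside a handler that authenticates the caller and parses the date strictly.

```python
# Added example (not from the article, and not Experian's or the lender's code):
# an eligibility-check handler shaped like the incident above. The record data,
# the API key, the field names and the score threshold are constructed; the
# real server-side cause of the bypass is not known from the page, so
# lookup_vulnerable is one way such a bypass can arise.
from datetime import date, datetime
import hmac

# Constructed: the single client credential this demo accepts.
VALID_API_KEY = "lender-key-constructed-example"

# Constructed records: (full name, postal code, date of birth) -> attributes
RECORDS = {
    ("Jane Roe", "90210", date(1985, 4, 12)): {"score": 712},
}


class BadRequest(Exception):
    pass


class Unauthorized(Exception):
    pass


def lookup_vulnerable(name, postal_code, raw_dob):
    """Two defects: no caller authentication, and a date of birth made of
    zeros is treated as 'not provided' and skipped, so name and postal code
    alone are enough to pull the record (constructed to mirror the bypass)."""
    dob_missing = raw_dob.replace("-", "").strip("0") == ""
    for (n, z, d), rec in RECORDS.items():
        if n == name and z == postal_code and (dob_missing or d.isoformat() == raw_dob):
            return rec
    return None


def parse_dob(raw):
    """Strict parse: only a real calendar date in YYYY-MM-DD form, within a
    plausible range, is accepted. '0000-00-00' fails here."""
    try:
        dob = datetime.strptime(raw, "%Y-%m-%d").date()
    except (ValueError, TypeError) as exc:
        raise BadRequest("date of birth is not a valid date") from exc
    if not date(1900, 1, 1) <= dob <= date.today():
        raise BadRequest("date of birth out of range")
    return dob


def check_eligibility(api_key, name, postal_code, raw_dob):
    """Hardened: authenticate the caller, validate every field, require all
    three identifiers to match, and return only the decision, not the score."""
    if not hmac.compare_digest(api_key or "", VALID_API_KEY):
        raise Unauthorized("missing or invalid API key")
    dob = parse_dob(raw_dob)
    rec = RECORDS.get((name, postal_code, dob))
    if rec is None:
        return {"eligible": False}   # same answer whichever field mismatched
    return {"eligible": rec["score"] >= 660}
```

Two design choices matter here beyond the date check: the hardened handler returns the same negative answer no matter which field failed to match, so it cannot be used to confirm a name or address one field at a time, and it returns only the eligibility decision rather than the raw score, so even an authenticated lender learns no more than the business purpose requires.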

In general, poor API coding practices are easy to identify and fix: a missing input check is visible in the code and a scanner can probe for it. API business logic weaknesses are harder to detect and resolve because they involve interactions between different parts of a system, and an automated tool has no model of what the rules were supposed to be.

API Security Risks are a C-Level Concern

While the risk of a breach is a real concern, API security issues have other tangible impacts on businesses. For example, the Salt Labs survey revealed that 59% of companies have experienced application rollout delays resulting from security issues identified in APIs. The report authors point out that this high percentage illustrates that even testing and security-minded code development cannot address all API security challenges.

Developers cannot anticipate every possible API-related business logic gap, and pre-production API testing tools rarely catch them either, since a scanner cannot tell a permitted transfer from a forbidden one without knowing the business rule. The impact of API-based risk on business has not gone unnoticed. In fact, 48% of survey respondents state that API security has become a C-level discussion.

Tighten Up API Security

API-specific security controls include:

  • Token-Based Authorization: Clients present a short-lived, scoped access token (for example one issued through OAuth 2.0) instead of the user’s password, so a third-party website or application can act on a user’s behalf without ever holding the user’s credentials. The API must still validate the token’s signature, expiry and scope on every call, and then check that the token’s subject is allowed to touch the specific object requested.
  • Transport Layer Security (TLS): Encrypts and authenticates the connection so that tokens and payloads cannot be read or altered in transit by a man-in-the-middle. An API that accepts bearer tokens over plain HTTP hands them to anyone on the network path.
  • User Registry Authentication: The API gateway or server authenticates callers against a central user store, such as a Lightweight Directory Access Protocol (LDAP) directory or an identity provider reached through an authentication URL, rather than each API keeping its own list of credentials.
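A minimal bearer-token scheme, added here as an example and not taken from the article, showing what token-based authorization buys when the API does its part: the client never sends the user’s password, the token is signed, short-lived and scoped, and the handler still checks that the token’s subject owns the requested object (the authenticated-but-not-authorized case the report describes). The signing key, the token format, the scope name `orders:read` and the order data are constructed assumptions; a real deployment would use a vetted JWT or OAuth library rather than this hand-rolled format.

```python
# Added example (not from the article): a hand-rolled HMAC-signed bearer token
# plus an API handler that checks signature, expiry, scope and object
# ownership. Key, token format, scope names and order data are constructed;
# use a vetted JWT/OAuth library in production instead of this format.
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-example-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, scopes, ttl_seconds=300, now=None):
    """Mint <payload>.<signature>; the client gets this instead of a password."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"sub": subject, "scope": sorted(scopes), "exp": now + ttl_seconds},
        separators=(",", ":")).encode()
    body = _b64(payload)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired,
    otherwise None. Any malformed input is treated as an invalid token."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# Constructed resource store: order id -> owning subject
ORDERS = {"o-1001": "alice", "o-1002": "bob"}


def get_order(token, order_id, now=None):
    """API handler. A valid token is necessary but not sufficient: the caller
    also needs the right scope and must own the object it asks for."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, "invalid or expired token"
    if "orders:read" not in claims.get("scope", []):
        return 403, "scope orders:read required"
    owner = ORDERS.get(order_id)
    if owner is None or owner != claims["sub"]:
        return 404, "no such order"   # same answer for missing and foreign orders
    return 200, {"order": order_id, "owner": owner}
```

The ownership check in `get_order` is the line that the "seemingly legitimate user" attacks in the report get past when it is missing: alice’s token is perfectly valid, and without that comparison it would read bob’s order too. The token itself must only ever travel over TLS; a bearer token sent in the clear is as good as the password it replaced.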

Also, to thwart zombie APIs, start with an API inventory and keep it current: which endpoints exist, who owns them, which version is current and when older versions are scheduled for removal. Given the thousands of APIs per enterprise, building it by hand is daunting, so reconcile the documented list against what your gateways and access logs actually see; traffic to an endpoint that nobody owns or that was supposed to be gone is the signature of a zombie. Utilities such as Pluto or kube-no-trouble can flag deprecated and removed API versions in your Kubernetes clusters, but note that they cover Kubernetes resource APIs (the apiVersion in your manifests), not your application’s own endpoints. Either way, the goal is the same: out-of-date APIs get found and retired promptly.
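The inventory reconciliation described above, as an added example that is not from the article or any particular tool: a documented inventory (with owner and deprecation date) is compared against access-log lines, and the audit reports deprecated endpoints still taking traffic, undocumented endpoints, and documented endpoints nobody calls. The inventory, the deprecation dates and the log lines are constructed.

```python
# Added example (not from the article): reconcile a documented API inventory
# against observed traffic to surface zombie endpoints. The inventory,
# deprecation dates and access-log lines are constructed sample data.
from collections import Counter
from datetime import date
import re

# Constructed inventory: (method, path template) -> metadata
INVENTORY = {
    ("GET", "/v2/users/{id}"): {"owner": "identity", "deprecated": None},
    ("GET", "/v1/users/{id}"): {"owner": "identity", "deprecated": date(2022, 6, 30)},
    ("POST", "/v2/orders"): {"owner": "commerce", "deprecated": None},
    ("GET", "/v2/reports/daily"): {"owner": "finance", "deprecated": None},
}

# Constructed access-log lines (common log format style)
ACCESS_LOG = """\
10.0.0.7 - - [02/May/2023:10:01:03 +0000] "GET /v2/users/42 HTTP/1.1" 200 512
10.0.0.9 - - [02/May/2023:10:01:07 +0000] "GET /v1/users/42 HTTP/1.1" 200 498
203.0.113.5 - - [02/May/2023:10:02:11 +0000] "GET /v1/users/43 HTTP/1.1" 200 501
10.0.0.7 - - [02/May/2023:10:03:40 +0000] "POST /v2/orders HTTP/1.1" 201 88
203.0.113.5 - - [02/May/2023:10:04:02 +0000] "GET /internal/export/all HTTP/1.1" 200 90211
10.0.0.9 - - [02/May/2023:10:05:00 +0000] "POST /v0/debug/dump?all=1 HTTP/1.1" 200 4021
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def _template_to_regex(template):
    """'{id}'-style placeholders become a single path-segment wildcard."""
    return re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")


def match_inventory(method, path):
    """Return the inventory key and metadata for a concrete request, or (None, None)."""
    for (m, tmpl), meta in INVENTORY.items():
        if m == method and _template_to_regex(tmpl).match(path):
            return (m, tmpl), meta
    return None, None


def audit(log_text, today):
    """today is an ISO date string. Classifies traffic into documented,
    deprecated-but-live and undocumented, and lists documented endpoints
    that saw no traffic at all."""
    today = date.fromisoformat(today)
    hits = Counter()
    report = {"deprecated_in_use": {}, "undocumented": Counter(), "unused": []}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        method, path = m["method"], m["path"].split("?")[0]   # drop query string
        key, meta = match_inventory(method, path)
        if key is None:
            report["undocumented"][(method, path)] += 1
            continue
        hits[key] += 1
        if meta["deprecated"] and meta["deprecated"] < today:
            report["deprecated_in_use"][key] = hits[key]
    report["unused"] = [k for k in INVENTORY if hits[k] == 0]
    return report
```

Each of the three findings needs a different follow-up: a deprecated endpoint still in use has callers who never migrated and cannot simply be switched off; an undocumented endpoint has no owner and no threat model, which is the worst case; and a documented endpoint with no traffic is a candidate for removal before it becomes the first case.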

Embrace Comprehensive Security

From a wider lens, a zero trust approach treats every connection and endpoint, including every API call, as untrusted until it is verified. That holds whether the connection is external or internal, and even for those already inside the network perimeter.

In a nutshell, a zero trust network:

  • Logs and inspects all corporate network traffic
  • Limits and controls access to the network
  • Verifies and secures network resources.

Therefore, the zero trust security model ensures data and resources are inaccessible by default. Users can only access them on a limited basis under the right circumstances (least-privilege access).

A zero trust security model verifies and authorizes every connection, both when a user connects to an application and when a piece of software connects to a data set via an API. Applied to APIs, it means an authenticated caller still gets only the access that particular call needs, which is precisely the control that zombie and over-permissive APIs lack. With zero trust, you can help ensure your organization stays safe from the scourge of API risks.
