INTRODUCTION:

The meteoric rise of API technology

Recent years have seen an impressive adoption rate for APIs and major advancements in the field. APIs aren’t just a technological benefit; they have a direct positive business impact on various industries undergoing digital transformation. Research has found that more than 80% of organizations consider APIs a leading factor in digital transformation procedures.

Last year, more than 65% of surveyed companies stated that they expect their use of APIs to grow. This figure is very likely to rise: In 2020, the COVID-19 pandemic further accelerated API adoption. The rapid pace of digital transformation during the pandemic led companies in many industries to turn to API technology.

APIs have also gained popularity with developers who implement APIs created by other businesses. This has led to more companies developing their own APIs as part of their development plans. More than 75% of companies use APIs, and nearly 60% created original APIs in the last five years.

The spike in API adoption isn’t a coincidence. Many companies have begun to realize the huge benefits of API use, which affect internal processes and business practices. We are about to see a meteoric rise in the number of APIs being exposed by organizations.


The bright side: The benefits of API adoption

OPERATIONAL EFFICIENCIES

APIs facilitate seamless communication and offer enhanced interoperability. Organizations operating in complex industries enjoy the ability to use tools and systems that exchange information without the need to break down technical barriers. APIs join the different pieces of the operational puzzle into one clear picture for everyone involved, thereby improving productivity and efficiency across the organization. APIs further reduce costs by enabling the organization to focus on its core responsibilities rather than on developing in-house solutions for every function.

AGILE INNOVATION

APIs allow companies to enhance and expand product functionality in a fraction of the time, without having to venture into a costly project that may not succeed. APIs are a playground of possibilities, where developers can find the solution to practically any need. A culture of open innovation approaches challenges from the outside in, not the other way around. Realizing strategic objectives requires a much broader perspective on innovation and R&D.

CUSTOMER EXPERIENCE

The digital customer experience has been increasingly recognized by organizations as a source of loyalty and trust, resulting in a lasting competitive advantage. Reworking the customer experience is therefore a critical business imperative, ensuring consistency across all channels. For various industries, from banking to healthcare to retail to the public sector, organizations have adopted an API-driven approach to connectivity for creating state-of-the-art experiences for their customers in a flexible way.

BUSINESS OPPORTUNITIES

APIs are the next frontier of business development. Organizations with well-developed APIs establish and maintain relationships in the endless digital economy. APIs make it possible for others to incorporate the data of your organization into their applications. Various organizations operate API partner programs that enable businesses to take advantage of the extended API solution, enjoy advanced support, and customize its features. These partnerships provide an instant competitive edge that could result in further collaborations between the API developer and the business that’s using the API.

The dark side: API attacks can reach anyone

Bad things happen to good people, and so do security incidents. As industries embrace APIs, they become increasingly vulnerable to attacks, putting their processes and their customers’ data in jeopardy.

Security breaches can have serious consequences. Attackers can lock a company out of its data and accounts; use employee and customer data for identity theft; expose the company to regulatory fines; and cause significant damage to the organization’s reputation and users’ trust.

In the past few years, we’ve seen some of the world’s biggest businesses and technology giants suffer the consequences of unprotected APIs. 

The message is clear: When an API is unprotected, no one is safe.

APIs are opening up the world

However, as impressive as the adoption rate for APIs is, it pales in comparison to what the future holds. Over the next decade, API adoption will be driven by two primary forces:

OPEN EVERYTHING

Open Everything largely refers to transformative digital initiatives and the shift towards open ecosystems. This is partly due to regulatory and competitive pressures, but also consumer demands and product ecosystems. It is the new expected standard, and APIs have a large role to play in this transformation.

MICROSERVICE ARCHITECTURES

Microservice architectures in enterprise software are becoming more and more popular. These architectures break applications down to their core functionalities, dividing them into services. APIs help bring order to the essentially chaotic microservices architecture.

Open Everything

Many essential industries are advancing the adoption of APIs. Each one may present unique use cases, but the common element is increased information exchange, primarily user-related information, leading to its democratisation.

FINANCE

Open banking platforms allow financial services providers to simplify many procedures, including payments, investments, loans, and more. APIs enable financial companies to implement services like PayPal or Amazon relatively quickly and march their business forward. Open banking regulations, such as PSD2 in EU countries, require banks to provide APIs.

INSURANCE

APIs are critical to the development of open insurance solutions. InsurTech companies focused on digital solutions and traditional insurance companies find APIs useful to achieve operational efficiencies on a greater scale, improve customer experience and develop new products and services.

ADVERTISING

HEALTHCARE

AUTOMOTIVE

COMMUNICATION

5G transforms the network from a mere connectivity infrastructure to a programmable platform that allows consumers and enterprises to create new applications based on collaboration. These advanced applications will revolutionize the way we interact with each other and the physical world.

PUBLIC SECTOR

While APIs are still in their infancy in the public sector, they present many potential benefits: facilitating interactions between governments and businesses in relation to digital ecosystems, fostering innovation in government and related public services, improving operational efficiency, and improving public access to government open data.

RETAIL

Retailers use APIs to create new business models that go beyond their original aim. With the growing popularity of online shopping, retailers had to create their own closed-door APIs to serve their customers. With open APIs, retailers can open their inventory and data to the world. Everybody can become an affiliate and query any product the retailer has in its catalog.

Common API Users and Industries

API Strategy: Where is your organization going?

Openness can be a transformative tool for a business, but also creates greater dependence on APIs for connectivity and the ability to serve customers in new ways. This makes the consistent and safe operation of APIs imperative to the success of the organization. But APIs are serving a variety of functions and use cases, leading to varying degrees of significance – and exposure. Here’s something that might clarify the significance of APIs to your business:

The concept is simple: the closer APIs are to business growth, the closer they are to the company’s competitive advantage, which is why more protection is necessary. 

As you work through this exercise, try to look as far ahead as possible. Your current situation might feel more tangible, but changes down the line may have a big impact on the role of APIs in your organization in a way that requires you to adapt now.

For example, consider the product roadmap and R&D plans for the next 12-24 months: Perhaps there are architectural changes planned, or there’s chatter about possible M&As that would require integrations, or there’s a big product launch planned later in the year.

And what about regulation? And competition? And customer expectations? And sensitive data exposure? These things might seem far now, but preparing in advance can give your organization the confidence to run faster, take more chances – and win.

Risky business: The rise of functional attacks

With new technologies come new vulnerabilities, and APIs are no different. API security is not the same as application security. The major difference lies in business logic, or functionality. Both apps and APIs have logic, but APIs externalize it more than applications do.

Modern services expose functions to create value for external services. As a result, every API exposes a business logic that serves a specific functionality (or set of functionalities). Things that were hidden inside an application become exposed by APIs, a fact which makes APIs more vulnerable to functional attacks targeting the expected API call flow. 

To better understand that, let’s take a look at the two major categories of API vulnerabilities:

The rise of functional attacks

While technical vulnerabilities for APIs are somewhat similar to those of web applications, API functional vulnerabilities are generally new and unique. Consider the following: Broken Authorization is the top-ranked vulnerability for APIs according to OWASP. It’s only fifth for apps.

Today’s general-purpose security solutions, like web application firewalls and security testing tools, detect known vulnerabilities and attack signatures. Because API attacks exploit unique vulnerabilities in the application logic, these existing solutions are ineffective: they do not analyze the application’s behavior.

API security professionals need to cope with these problems to stay on top of the game. 

For more on this topic, read our ebook Getting security testing ready for the API-first era.

Vulnerability assessment: What’s under the hood?

For an attacker, every API you expose represents potential access to desirable data, and it presents attackers with a new challenge: they must learn the API and devise clever attacks targeting the business logic in order to manipulate the application.

To secure your APIs, you must understand them better than the attacker does: what every function does, what the flows are, what acceptable usage looks like for users, and what does not. Cataloguing, monitoring, and testing are helpful, but where do you start?

The first step to securing your APIs is to work hand-in-hand with development to understand your APIs, generate visibility into their ongoing usage, and run a dedicated set of tests. Understanding the relationships between all APIs and endpoints will allow you to simulate attacks and identify vulnerable areas where your API could be exploited.

Here are the initial vulnerability assessment efforts you should consider focusing on, going beyond the API schema and testing as an authenticated consumer:

Type: Broken Object Level Authorization
Why is this important? APIs tend to expose endpoints that handle object identifiers (such as a user ID), creating a wide attack surface for attackers to replace IDs and create object-level access control issues.
How can you simulate an attack?
1. Identify in the data an API call request which includes a sensitive data object.
2. Manipulate that API call request by modifying the original value of the sensitive data.
3. Repeat the previous step a few times with different values to simulate a scanning attempt.

Type: Broken User Authentication
Why is this important? Flaws in API authentication may allow attackers to assume the identities of other API consumers or users.
How can you simulate an attack?
1. Locate the JWT field in the request headers.
2. Send a manipulated API call that changes the value of the header:
• To a random string
• To Basic authentication
• Without the header

Type: Rate limiting
Why is this important? Lack of restrictions on the size or number of resources that can be requested by the API consumer may lead to Denial of Service (DoS), data leakage or brute-force attacks.
How can you simulate an attack?
1. Send requests from a specific consumer at a (much) higher rate than usual.
2. Focus especially on login, authentication and user-request endpoints.

Type: Improper Assets Management
Why is this important? Lack of proper API asset management allows attackers to gain access to old or non-production APIs, unpatched API endpoints or testing environments. This can result in access to sensitive data, unwanted actions and even server takeover.
How can you simulate an attack?
1. Locate an API with the version inside the URL, manipulate the version to different values and send (wait for 10 minutes for the aggregation to finish).
2. Change the method of API calls to one that does not exist and send.
3. Manipulate an API call with an unknown consumer value and send.

Type: Business process
Why is this important? Lack of business process analysis of the API allows attackers to manipulate the functionality of the API to execute fraud.
How can you simulate an attack?
1. Identify an API call in which there is a relationship between data objects (within the request, or between request and response).
2. Identify the type of relationship (key or value).
3. Build a modified API call in which the identified relationship is violated and send it to the service.

One important thing you need to consider: The above testing process should be handled in a systematic manner to ensure comprehensive coverage. If you want to understand your APIs better than the attacker, you should know (and test for vulnerabilities at) all endpoints and every field. The above list is not exhaustive, but it covers the most prevalent types of vulnerabilities – and the ones that can have the biggest impact in case of a data breach or API abuse. 
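The first row of the list above, Broken Object Level Authorization, is the one most often reduced to a single missing check. The following block is an added example written for this page (it is not code from the ebook or from Imvision): it places the unchecked handler next to the one that enforces object ownership, and adds a sliding-window detector that flags the scanning pattern step 3 produces, a single consumer touching many distinct object IDs in a short time. The data store, event format, window and threshold are constructed assumptions.

```python
"""Added example (not the ebook's or Imvision's code): an object-level
authorization check for an API handler, plus a detector for the ID-scanning
pattern that step 3 of the BOLA test produces. Data store, event format and
thresholds are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed data store: order_id -> owning user_id.
ORDERS: Dict[str, str] = {"o-1001": "u-7", "o-1002": "u-7", "o-1003": "u-9", "o-1004": "u-12"}


class NotFound(Exception):
    """Raised for an object the caller cannot see (missing or not theirs)."""


def get_order_vulnerable(caller_id: str, order_id: str) -> dict:
    """Before: the handler trusts the identifier in the request. Any
    authenticated caller can read any order simply by changing the ID."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return {"order_id": order_id, "owner": ORDERS[order_id]}


def get_order_hardened(caller_id: str, order_id: str) -> dict:
    """After: object-level authorization on every request. A foreign object is
    reported exactly like a missing one, so the response does not tell a caller
    walking the ID space which IDs exist."""
    owner = ORDERS.get(order_id)
    if owner is None or owner != caller_id:
        raise NotFound(order_id)
    return {"order_id": order_id, "owner": owner}


def is_accessible(caller_id: str, order_id: str,
                  handler: Callable[[str, str], dict] = get_order_hardened) -> bool:
    """True if `handler` serves the object to this caller."""
    try:
        handler(caller_id, order_id)
        return True
    except NotFound:
        return False


@dataclass
class AccessEvent:
    ts: float        # seconds
    consumer: str    # authenticated caller / API key
    endpoint: str    # route template
    object_id: str   # identifier taken from the request
    status: int      # response status code


class ObjectScanDetector:
    """Sliding-window detector. One consumer touching many *distinct* object IDs
    on one endpoint within a short window is the signature of the scan that
    step 3 simulates, whether the handler answered 200 or 404. Window and
    threshold are constructed values."""

    def __init__(self, window_s: float = 60.0, max_distinct: int = 10):
        self.window_s = window_s
        self.max_distinct = max_distinct
        self._recent = defaultdict(deque)  # (consumer, endpoint) -> deque[(ts, object_id)]

    def observe(self, ev: AccessEvent) -> bool:
        """Record one event; return True if it pushes the consumer over the threshold."""
        q = self._recent[(ev.consumer, ev.endpoint)]
        q.append((ev.ts, ev.object_id))
        while q and ev.ts - q[0][0] > self.window_s:
            q.popleft()
        distinct_ids = {oid for _, oid in q}
        return len(distinct_ids) > self.max_distinct


def replay(events: List[AccessEvent], detector: Optional[ObjectScanDetector] = None) -> List[int]:
    """Feed events through a detector; return the indices that raised an alert."""
    detector = detector or ObjectScanDetector()
    return [i for i, ev in enumerate(events) if detector.observe(ev)]


# Constructed traffic: u-7 reads its own two orders, then u-9 walks sequential
# order IDs one second apart, the way a scanning test does.
SAMPLE_EVENTS = [
    AccessEvent(0.0, "u-7", "GET /orders/{id}", "o-1001", 200),
    AccessEvent(5.0, "u-7", "GET /orders/{id}", "o-1002", 200),
] + [
    AccessEvent(10.0 + i, "u-9", "GET /orders/{id}", f"o-{1000 + i}", 404)
    for i in range(15)
]

if __name__ == "__main__":
    print("vulnerable handler leaks o-1001 to u-9:", is_accessible("u-9", "o-1001", get_order_vulnerable))
    print("hardened handler leaks o-1001 to u-9:", is_accessible("u-9", "o-1001"))
    print("events that triggered a scan alert:", replay(SAMPLE_EVENTS))
```

The detector keys on distinct IDs rather than raw request volume, so a legitimate user refreshing the same order repeatedly never trips it, while the hardened handler's uniform NotFound response means the scan learns nothing even before the alert fires.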

For more on this topic, read The CISO’s Guide to OWASP API Top 10.
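The Broken User Authentication and Rate limiting rows describe manipulations that a gateway in front of the API should turn away before any business logic runs. The block below is an added example written for this page, not code from the ebook or Imvision: a minimal request gate that verifies an HS256 JWT with the standard library (rejecting a missing header, a Basic credential, an arbitrary string, a swapped payload and any algorithm other than the pinned one) and then applies a per-consumer token bucket, with a much tighter budget on the login endpoint. The secret, endpoints, budgets and sample tokens are constructed assumptions.

```python
"""Added example (not the ebook's or Imvision's code): authenticate the
Authorization header and rate-limit per consumer before business logic runs.
Secret, routes and budgets are constructed for illustration."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

SECRET = b"constructed-demo-secret"   # constructed; a real service loads this from a secret store


class AuthError(Exception):
    pass


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_token(sub: str, exp: int) -> str:
    """Mint an HS256 JWT; used here only to build sample requests."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "exp": exp}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authenticate(headers: Dict[str, str], now: float) -> str:
    """Return the verified subject or raise AuthError. Turns away each of the
    manipulations in the test: no header, Basic auth, random strings, and any
    token whose signature does not match the pinned algorithm and key."""
    auth = headers.get("Authorization")
    if not auth:
        raise AuthError("missing Authorization header")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        raise AuthError(f"unsupported scheme {scheme!r}")
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # covers base64, UTF-8 and JSON decoding failures
        raise AuthError("undecodable token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise AuthError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose
        raise AuthError("unexpected alg")
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise AuthError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthError("expired")
    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub:
        raise AuthError("no subject")
    return sub


class TokenBucket:
    """Classic token bucket keyed per consumer: `capacity` requests of burst,
    refilled continuously at `refill_per_s`."""

    def __init__(self, capacity: float, refill_per_s: float):
        self.capacity, self.refill_per_s = capacity, refill_per_s
        self._state: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_ts)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_s)
        if tokens >= 1:
            self._state[key] = (tokens - 1, now)
            return True
        self._state[key] = (tokens, now)
        return False


class Gateway:
    """Authenticate, then rate-limit. Login is unauthenticated by nature, so it
    is keyed by client IP and given a far smaller budget (constructed policy)."""

    def __init__(self):
        self.unauthenticated = {"POST /login"}
        self.buckets = {"POST /login": TokenBucket(5, 5 / 60), "*": TokenBucket(100, 100 / 60)}

    def handle(self, request: dict, now: float) -> Tuple[int, str]:
        endpoint = request["endpoint"]
        if endpoint in self.unauthenticated:
            key = "ip:" + request.get("client_ip", "unknown")
        else:
            try:
                key = "sub:" + authenticate(request.get("headers", {}), now)
            except AuthError as exc:
                return 401, str(exc)
        bucket = self.buckets.get(endpoint, self.buckets["*"])
        if not bucket.allow(key, now):
            return 429, "rate limit exceeded"
        return 200, "ok"
```

Two points worth noticing: the verifier pins the algorithm instead of reading it from the token, and the limiter keys on the verified subject rather than on the client address, so one credential cannot be spread over many source IPs to escape its budget.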

Metadata to data analysis: A new approach to API security

Modern architectures are decomposing applications to their core functionalities. Functionalities that were once hidden and secure inside an application are now directly exposed as APIs to users, consumers and partners. The functionality is unique, and so are the weaknesses.

Application security solutions focused on imposing policies based on the type of traffic detected may block technical manipulations, but they have little value when it comes to a legitimate user trying to access the resources of others. When it comes to functional attacks, they can’t handle the specific functionality of the API. 

Analyzing only the metadata of web traffic is no longer sufficient. To truly protect an API you must gain an intimate understanding of its complex relations and flows. This kind of modelling can be achieved by shifting focus from analyzing metadata to the data itself: the API transactions.

A new approach to API security

Knowing the application behavior allows for detailed behavioral models of API functionality. By modelling the application behavior based on API data, security and development teams are equipped to enhance security through API-specific protection. 

These models enable automatic detection of anomalous activity and inconsistencies, providing a unique advantage in mitigating attacks on APIs – both in production and staging environments.

Goodbye blind spots: Improving your API security posture (six things to consider)

Imvision

Give every API the protection it deserves

APIs enable digital interactions between people, businesses, and machines. It’s like a conversation: there’s syntax, sequence, context, and structure. An API’s behavior may vary significantly, but it will be predictable and persistent. For every question (request) there’s an answer (response).

This is why Natural Language Processing (NLP) is the best approach to analyzing API data. 

By modelling API interactions as dialogues, we can uncover the business logic. API data elements are translated into a unique language that can be explored by algorithms using NLP capabilities. The business logic is reflected in multiple ways, such as the complex relation between objects in each API call, or the dependency between elements in different layers of the hierarchy of the data.

Functional API security: a holistic approach

Imvision utilizes NLP to learn the API functionality. Once in-depth, granular behavioral models are learned, it becomes possible to automatically detect anomalous activities, investigate them and block breaches. 

For example, Imvision’s algorithms use an NLP ranking scheme to assess a particular term’s value based on its frequency and determine its importance in terms of security. This scoring mechanism helps pinpoint the location of sensitive fields far more easily and accurately.
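To make the shift from metadata to transaction data concrete, and to show what a frequency-based term ranking of the kind just described can look like in the simplest form, here is an added example written for this page. It is not Imvision's algorithm or code: it learns, per endpoint, which fields appear on each side of the dialogue, their value types, and which request field is always echoed by which response field (a learned key relationship), flags transactions that break that model, and scores field names by how few endpoints carry them. All transactions, endpoints and field names are constructed.

```python
"""Added example (not Imvision's algorithm or code): a per-endpoint behavioral
model learned from API transactions, anomaly checks against it, and an
IDF-style rarity score over field names. All sample data is constructed."""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Tuple


def leaf_paths(obj, prefix: str = "") -> Iterator[Tuple[str, object]]:
    """Flatten nested JSON into (dotted.path, value) pairs; each path is a 'term'."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaf_paths(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for val in obj:
            yield from leaf_paths(val, f"{prefix}[].")
    else:
        yield prefix.rstrip("."), obj


class EndpointModel:
    """What one endpoint's request/response dialogue normally looks like."""

    def __init__(self):
        self.samples = 0
        self.req_types = defaultdict(set)  # request path -> value type names seen
        self.res_types = defaultdict(set)  # response path -> value type names seen
        self.links = None                  # {(req_path, res_path)} equal in every sample

    def learn(self, req: dict, res: dict) -> None:
        req_leaves, res_leaves = dict(leaf_paths(req)), dict(leaf_paths(res))
        for path, val in req_leaves.items():
            self.req_types[path].add(type(val).__name__)
        for path, val in res_leaves.items():
            self.res_types[path].add(type(val).__name__)
        # A key relationship is a request field the response always echoes back.
        equal = {(rp, sp) for rp, rv in req_leaves.items()
                 for sp, sv in res_leaves.items() if rv == sv}
        self.links = equal if self.links is None else self.links & equal
        self.samples += 1

    def check(self, req: dict, res: dict) -> List[str]:
        """Return the anomalies in one transaction (empty list = consistent)."""
        findings = []
        req_leaves, res_leaves = dict(leaf_paths(req)), dict(leaf_paths(res))
        for side, leaves, known in (("request", req_leaves, self.req_types),
                                    ("response", res_leaves, self.res_types)):
            for path, val in leaves.items():
                tname = type(val).__name__
                if path not in known:
                    findings.append(f"unknown {side} field {path}")
                elif tname not in known[path]:
                    findings.append(f"{side} field {path} has unexpected type {tname}")
        for rp, sp in sorted(self.links or ()):
            if rp in req_leaves and sp in res_leaves and req_leaves[rp] != res_leaves[sp]:
                findings.append(f"relationship violated: {rp} != {sp}")
        return findings


def build_models(training: Dict[str, list]) -> Dict[str, EndpointModel]:
    models = {}
    for endpoint, transactions in training.items():
        model = EndpointModel()
        for req, res in transactions:
            model.learn(req, res)
        models[endpoint] = model
    return models


def field_rarity(models: Dict[str, EndpointModel]) -> Dict[str, float]:
    """log(#endpoints / #endpoints carrying the field): a field confined to one
    endpoint scores highest and is a candidate for closer review; a field every
    endpoint carries scores 0. One simple frequency-based ranking (constructed)."""
    df = Counter()
    for model in models.values():
        for path in set(model.req_types) | set(model.res_types):
            df[path] += 1
    return {path: round(math.log(len(models) / count), 3) for path, count in df.items()}


# Constructed training transactions: (request, response) pairs per endpoint.
TRAINING = {
    "GET /orders/{id}": [
        ({"auth": {"sub": "u-7"}, "path": {"id": "o-1001"}},
         {"order": {"id": "o-1001", "owner": "u-7", "total": 42.5}}),
        ({"auth": {"sub": "u-9"}, "path": {"id": "o-1003"}},
         {"order": {"id": "o-1003", "owner": "u-9", "total": 10.0}}),
    ],
    "GET /me": [
        ({"auth": {"sub": "u-7"}}, {"user": {"id": "u-7", "email": "a@example.com"}}),
        ({"auth": {"sub": "u-9"}}, {"user": {"id": "u-9", "email": "b@example.com"}}),
    ],
    "POST /payments": [
        ({"auth": {"sub": "u-7"}, "body": {"order_id": "o-1001", "card": {"number": "4111111111111111"}}},
         {"payment": {"order_id": "o-1001", "status": "ok"}}),
        ({"auth": {"sub": "u-9"}, "body": {"order_id": "o-1003", "card": {"number": "5555555555554444"}}},
         {"payment": {"order_id": "o-1003", "status": "ok"}}),
    ],
}
```

Run against the constructed training set, the order endpoint learns that auth.sub always equals order.owner; a transaction in which u-9 requests o-1001 and receives u-7's order is then reported as a violated relationship, which is exactly the functional misuse that metadata-only inspection (method, path, status, rate) cannot see, since the request itself is perfectly well-formed.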

With Imvision, enterprises are set to accelerate their digital transformation by making sure every API is individually protected and every API call is scrutinized – no matter how many there are. It’s about making sure that every interaction between people, businesses, and machines can be trusted.
