Merely put, APIs (brief for software programming interface) are how machines, cloud workloads, automation and different non-human entities talk with each other. In addition they characterize an entry level to extremely delicate firm knowledge and companies. Nearly each group makes use of these machine interfaces, and their utilization is simply rising as a result of they’re important to digital transformation and automation initiatives. Machine identities and APIs are intently related as a result of any programmatic interface accessing vital knowledge or protected companies wants an identification, reminiscent of a password, API key or one other secret.
Whereas important and prevalent, APIs are potential assault vectors when not correctly protected through machine identification security greatest practices. They are often exploited to reveal delicate knowledge (e.g., buyer lists, personally identifiable info (PII) and bank card particulars) whereas enabling application-to-application communication.
How cyber criminals abuse and exploit APIs
Cyberattackers are continuously trying to steal and compromise the highly effective secrets and techniques that permit machines to run APIs because the stolen machine identification. By doing so, they will assume the identification of no matter had that secret and use it to realize extra entry and privileges to succeed in their aim. Alongside the best way, they may, as an example, allow a script or a person to cease or begin a digital server, copy a database and even wipe out whole cloud workloads.
Happily for attackers, builders underneath stress to maneuver shortly typically take shortcuts, reminiscent of hard-coding API keys and different secrets and techniques. Take the Uber breach reported in 2022 for example: the attacker discovered and used hard-coded secrets and techniques embedded in a PowerShell script to realize high-level entry and escalate privileges.
Since many security groups view API security as a code challenge, they might not know what number of APIs and API secrets and techniques exist inside their group, the place they’re positioned or how they’re used. A 2023 Ponemon Institute examine, “The Rising API Safety Disaster: A International Examine,” reveals that greater than half of IT and IT security professionals say it’s difficult to find and stock all APIs. The various third events related to a corporation’s APIs exacerbate this problem. And as attackers shift left into software program improvement and testing environments, insecure API design and performance considerably improve software program provide chain dangers.
These elements could also be why organizations are solely assured in stopping 26% of API assaults and consider that solely 21% of such assaults will be successfully detected and contained, in accordance with the identical Ponemon examine. As API entry to crucial assets continues to sprawl, it’s time for security to vary how they give thought to APIs.
High API identification security dangers
Most of as we speak’s high API security dangers relate to identification. But, crucial identification security controls in lots of organizations, together with least privilege enforcement and steady monitoring, solely cowl human customers. Which means that secrets and techniques utilized by purposes, scripts and different machine identities – that outnumber human identities 45:1 – are uncovered. Attackers can “hook” API keys and different secrets and techniques by means of phishing assaults, discover them embedded in purposes, automation scripts and DevOps instruments and steal them from public repositories like GitHub to entry delicate firm property. Synthetic intelligence (AI) developments have made it even simpler for cybercriminals to automate and scale identity-based assaults.
The Open Net Software Safety Undertaking (OWASP), a acknowledged trade supply for software program security analysis, highlights some latest urgent API identification security points in its 2023 API Safety High 10 listing, together with these outlined beneath.
OWASP
Simplify API security with centralized secrets and techniques administration
Ahead-looking organizations are working to know how digital enterprise traits affect their security practices and transfer towards a Zero Belief mannequin. As a part of this, they view human and non-human identification security as equally vital. They’re tackling secrets and techniques administration challenges by centralizing and automating how purposes, DevOps and automation instruments use API keys and different secrets and techniques to entry databases, cloud environments and different delicate assets. With this method, they solely have one program to help however can achieve the total visibility, audit trails and coverage enforcement capabilities they should guarantee nothing falls by means of the cracks.
Firms we work with have additionally seen how centralized secrets and techniques administration simplifies how improvement and security groups defend purposes, CI/CD pipelines and the software program provide chain. They’re doing this with out-of-the-box integrations with current instruments and platforms in order that duties like secrets and techniques rotation, audit and knowledge assortment robotically run within the background with out impacting developer workflows.
Correctly securing APIs and different non-human identities is crucial for enterprise. Organizations that do it proper will likely be higher positioned to defend in opposition to cyberattacks, drive operational efficiencies, fulfill audit and compliance necessities and allow innovation.
For extra info, learn Preview! Id Safety for Software program Growth (O’Reilly)
