The API economy has witnessed remarkable growth, with API calls now constituting over 80% of internet traffic.
This trend reflects the global adoption of APIs, enabling digital services and data exchange to generate value for businesses and society alike. From cloud-native architectures to enterprise code, APIs are pervasive and underpin many transformative technologies, including AI, machine-to-machine communications, and software-defined paradigms.
It may surprise you to learn that API calls now represent over 80% of internet traffic. This reflects a globally growing API economy in which digital services and data exchange, delivered through APIs, generate value for business and, increasingly, for society too. APIs apply everywhere, from microservices and cloud-native architectures to command-line tools and enterprise code.
Catalysts for this surge in API traffic include the acceleration of digital transformation across verticals. Cloud and edge adoption are primary drivers, as compute moves closer to where data is generated and consumed. Also significant are the growth in machine-to-machine communications, AI innovation, system automation, software-defined paradigms, and the rise of low-code tooling that supports both programmability and connectivity.
The benefits of APIs include faster integration, shorter development life cycles and accelerated time-to-market. The result is more agile innovation, higher-quality feedback loops, sustained customer loyalty and a competitive advantage for organisations that use APIs well. With data living everywhere, a solid API strategy is fundamental to the holistic, end-to-end process of insight-driven transformation. And at a time when 'doing more with less' is fast becoming a global clarion call across sectors, APIs are a superb asset for getting the very most from your existing technology.
Additionally, at Mobile World Congress 2023 Barcelona, the largest and most influential connectivity event in the world, the criticality of APIs was centre stage. I saw first-hand the launch of the Open Gateway, a foundation of open APIs designed to facilitate the work of developers whilst also catalysing a new revenue source for operators. More on this milestone event here, and more to come live from MWC23 in Las Vegas in September (GSMA).
But today's growing API economy has also been making the news for other reasons. Bad actors are exploiting vulnerabilities in API infrastructures that neglect encryption, authentication and authorization, and when you consider that enterprise-scale organisations have on average 15,564 APIs each, the dependency and the potential impact are clear. Indeed, Noname Security finds this rises to a staggering average of 25,592 APIs for large enterprises, meaning organisations with over 10,000 employees.
Drilling into this threat vector further, a recent Gartner report put API security at a 'tipping point' following the rise in API attacks during the post-pandemic transition to hybrid work, with our evolved ways of working and the explosion in development of applications and service APIs, which has driven an evolution in attacker tactics too. Putting the scale into context, Noname Security research finds that 3 out of 4 senior cybersecurity professionals in the UK and the US report that their organisation has experienced at least one API-related security incident in the last 12 months; this study is freely available here. Additionally, new insights from Akamai reveal that 1 in every 5 attempts to gain unauthorized access to user accounts is now made via API interfaces rather than user-facing login pages.
Recent examples include the Twitter breach that surfaced in January 2023, in which some 235 million user records harvested through an API flaw were released, alongside the T-Mobile, Experian API and Log4j vulnerability incidents. Additionally, as recently as July 2023, the US Patent and Trademark Office (USPTO) disclosed an API-related data security incident involving domicile information in trademark filings between February 2020 and March 2023. A superb resource from OWASP on the leading API security risks in 2023 is available here. Taking this all into consideration, it is perhaps no wonder that Corsha recently found that some 86% of organisations spend up to 15 hours a week provisioning, managing and dealing with API challenges.
So what are the key challenges and areas of disconnect underpinning this? As possibly today's most misunderstood cybersecurity threat vector, this is an area I had the pleasure to discuss in a Tomorrow's Tech Today podcast special, live now here. I am joined by Karl Mattson, CISO, and Filip Verloy, Field CTO, both at Noname Security, which works with 20% of the Fortune 500 and covers the entire API security scope across three pillars: Posture Management, Runtime Security and API Security Testing.
When we reflect on this rapidly evolving threat vector, it is important to consider it holistically and to start from the beginning: API creation. Standards here are limited, and many organisations follow their own, so the propensity for APIs to contain vulnerabilities is clear; that undermines their secure consumption and therefore the scalable adoption and monetisation that matter so much. Common gaps in API development include missing rate limiting on authentication attempts and too little attention to the error responses returned for failed logins, which can leak information about which accounts exist (user enumeration). Security misconfiguration is another common exploit category.
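The two development gaps named above, an unthrottled login and error responses that distinguish "no such user" from "wrong password", are easiest to see side by side. The following is an added example written for this article, not code from the author or from Noname Security: a minimal login handler in its leaky form and in a hardened form with a per-client and per-account token bucket, one generic failure message, and the same hashing work for known and unknown usernames. The user store, salt, iteration count, client addresses and bucket parameters are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed user store for the demonstration: only "alice" exists.
_SALT = b"constructed-salt"
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}
# Dummy credential so an unknown username costs the same work as a known one.
_DUMMY = (_SALT, _hash_password("never-matches", _SALT))


def login_leaky(username: str, password: str) -> Tuple[int, str]:
    """Vulnerable form: the response tells an attacker whether the account
    exists, and nothing limits how many guesses a client may make."""
    if username not in USERS:
        return 404, "unknown user"          # leaks: account does not exist
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return 401, "wrong password"        # leaks: account exists
    return 200, "ok"


class TokenBucket:
    """Per-key token bucket: `capacity` attempts, refilled at `rate` per second.
    The caller passes `now` explicitly so the behaviour is deterministic."""

    def __init__(self, capacity: int, rate: float) -> None:
        self.capacity, self.rate = capacity, rate
        self._state: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - 1.0, now)
        return True


LIMITER = TokenBucket(capacity=5, rate=1 / 60)  # 5 attempts, then one per minute


def login_hardened(username: str, password: str, client_ip: str, now: float) -> Tuple[int, str]:
    """Hardened form: rate-limited per client IP and per account, a single
    generic failure message, and equal hashing work plus a constant-time
    compare whether or not the username exists."""
    if not LIMITER.allow(f"ip:{client_ip}", now) or not LIMITER.allow(f"user:{username}", now):
        return 429, "too many attempts"
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    if not matches or username not in USERS:
        return 401, "invalid credentials"   # same response for both failure causes
    return 200, "ok"


if __name__ == "__main__":
    print(login_leaky("bob", "x"), login_leaky("alice", "x"))
    print(login_hardened("bob", "x", "203.0.113.1", now=0.0),
          login_hardened("alice", "x", "203.0.113.1", now=0.0))
    for attempt in range(6):
        print(attempt + 1, login_hardened("carol", "x", "203.0.113.2", now=0.0))
```

The per-account bucket is a deliberate trade-off: it stops a distributed guess against one account but lets an attacker lock a victim out for a minute, which is why production systems usually pair it with a step-up challenge rather than a hard block. The status code and body of the failure response are identical for both causes; a real deployment would also check that response latency does not differ, which the dummy hash is there to prevent.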
In the podcast we discuss the rapid rise in API security incidents and the variety of reasons behind it, including authorization vulnerabilities, web application firewalls, API sprawl and dormant or 'zombie' APIs. We also explore differences by vertical, and expanding on this, here are a couple of examples from different sectors. First is the steep rise in automated attacks such as credential stuffing targeting APIs in financial services, where use and adoption is not only accelerating but in many cases actually catalysed by regulatory requirements such as the EU's revised Payment Services Directive (PSD2).
As an alternative sector example, there are the challenges of more legacy-based sectors such as manufacturing, energy and utilities, which are also increasingly targeted, as explored here, heralding new risks such as the move from malware to 'killware'. Indeed, the Noname study found the top two industries reporting API security incidents are manufacturing (79%) and energy and utilities (78%). Additionally, once an API is compromised it is relatively straightforward to change its functionality, turning it into a renegade insider that works for the intruder; making the invisible visible is imperative in the face of this evolving threat.
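Credential stuffing has a recognisable shape in an API gateway's authentication log: one source trying many different accounts, mostly failing, with the occasional success that marks a reused password. The detection below is an added example written for this article, not a rule from the author or from any vendor cited here. The log format (timestamp, source IP, username, HTTP status), the thresholds and the sample lines are all constructed assumptions; the sliding-window logic is the part that transfers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Assumed log format: <ISO timestamp> <source ip> <username> <http status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample. 198.51.100.20 tries six different accounts once each
# (the stuffing signature, with one success); 203.0.113.8 is one user
# mistyping a password twice before getting in.
SAMPLE_LOG = """\
2023-07-01T10:00:00Z 198.51.100.20 alice 401
2023-07-01T10:00:01Z 198.51.100.20 bob 401
2023-07-01T10:00:01Z 198.51.100.20 carol 401
2023-07-01T10:00:02Z 198.51.100.20 dave 401
2023-07-01T10:00:02Z 198.51.100.20 erin 200
2023-07-01T10:00:03Z 198.51.100.20 frank 401
2023-07-01T10:00:00Z 203.0.113.8 alice 401
2023-07-01T10:00:05Z 203.0.113.8 alice 401
2023-07-01T10:00:09Z 203.0.113.8 alice 200
"""

Event = Tuple[datetime, str, str, int]


def parse(log: str) -> Iterator[Event]:
    """Yield (timestamp, ip, username, status); lines that do not match are skipped."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, ip, user, status = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, int(status)


def detect_stuffing(log: str, window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.7) -> Dict[str, dict]:
    """Flag source IPs that, within any `window`, attempt at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.
    The alert records the widest qualifying window seen for that IP and the
    accounts that succeeded inside it (the ones to force a reset on)."""
    by_ip: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for ts, ip, user, status in sorted(parse(log)):
        by_ip[ip].append((ts, user, status))

    alerts: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, s in win if s == 401)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                alerts[ip] = {
                    "users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "successes": sorted({u for _, u, s in win if s == 200}),
                }
    return alerts


if __name__ == "__main__":
    for ip, detail in detect_stuffing(SAMPLE_LOG).items():
        print(ip, detail)
```

Distinct-account count is the discriminator, not raw failure volume: the legitimate user on 203.0.113.8 fails as often in proportion but touches one account, so it never trips. Attackers spread stuffing across many IPs to stay under per-source thresholds, so the same window logic is usually also run keyed on user agent or on the whole endpoint, with a much higher `min_users`.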
Holistic visibility of your infrastructure is critical. Knowing exactly what is calling your API is key to protecting your mobile channel from scripts and bots, and to ensuring that only genuine mobile app instances can use it. Indeed, Noname Security research found that 74% of respondents have not completed a full inventory of all APIs in their systems, or lack comprehensive knowledge of which ones could return sensitive data. This was especially true in highly sensitive verticals such as healthcare and financial services. The same research identified the most common cybersecurity gap to be dormant APIs: ones that have ostensibly been replaced yet remain in operation.
Additionally, deploying edge protection, ensuring data encryption in transit and at rest (especially to negate security misconfiguration issues) and employing always-on monitoring, alerting and reporting are key; community knowledge sharing is also an imperative to improve collective cyber threat intelligence. Performing regular incident response and disaster recovery exercises, alongside regular penetration testing to identify vulnerabilities, security gaps and flaws, is also highly recommended.
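An inventory is only useful once it is reconciled against what the gateway actually serves: routes that answer but are undocumented (shadow APIs), documented routes that nobody calls any more (dormant), and the classic zombie, an older version of a documented route that was "replaced" but never switched off. The following is an added example written for this article, not tooling from the author or from Noname Security. The inventory, the access-log format and the log lines are constructed; versioned paths of the form /vN/... are assumed, and numeric path segments are treated as identifiers.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # (HTTP method, path template)

# Constructed inventory of documented routes, each tagged with whether it
# returns sensitive data (the metadata the survey above says is often missing).
INVENTORY: Dict[Route, Dict[str, bool]] = {
    ("GET", "/v2/accounts/{id}"): {"sensitive": True},
    ("POST", "/v2/payments"): {"sensitive": True},
    ("GET", "/v2/health"): {"sensitive": False},
}

# Constructed gateway access log. The format is an assumption:
# <client ip> <method> <path> <status>
ACCESS_LOG = """\
203.0.113.5 GET /v2/accounts/1042 200
203.0.113.5 GET /v2/accounts/1043?expand=cards 200
198.51.100.7 POST /v2/payments 201
198.51.100.7 GET /v1/accounts/1042 200
198.51.100.9 GET /v1/accounts/77 200
203.0.113.5 GET /internal/debug/env 200
"""

LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")
VERSION_RE = re.compile(r"^/v\d+(?=/)")


def normalise(path: str) -> str:
    """Drop the query string and collapse numeric path segments to {id} so
    that concrete requests match the inventory's templates."""
    path = path.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def observed_routes(log: str) -> Counter:
    """Count calls per (method, normalised path) seen in the log."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            _, method, path, _ = m.groups()
            counts[(method, normalise(path))] += 1
    return counts


def reconcile(inventory: Dict[Route, Dict[str, bool]], log: str) -> Dict[str, object]:
    """Compare what is documented with what is actually served.
    shadow:  served but absent from the inventory
    dormant: in the inventory but never called in this log window
    zombie:  shadow routes that are an older version of a documented route,
             paired with that route so its sensitivity rating can be inherited"""
    seen = observed_routes(log)
    shadow: List[Route] = sorted(r for r in seen if r not in inventory)
    dormant: List[Route] = sorted(r for r in inventory if r not in seen)
    zombie: List[Tuple[Route, Route]] = []
    for method, path in shadow:
        if not VERSION_RE.match(path):
            continue
        unversioned = VERSION_RE.sub("", path)
        for doc_method, doc_path in inventory:
            if doc_method == method and VERSION_RE.sub("", doc_path) == unversioned:
                zombie.append(((method, path), (doc_method, doc_path)))
    return {"shadow": shadow, "dormant": dormant, "zombie": zombie, "calls": dict(seen)}


if __name__ == "__main__":
    report = reconcile(INVENTORY, ACCESS_LOG)
    for kind in ("shadow", "dormant", "zombie"):
        print(kind, report[kind])
```

On the constructed log this reports /internal/debug/env as shadow, /v2/health as dormant, and /v1/accounts/{id} as a zombie of the sensitive /v2/accounts/{id}, which is exactly the route an attacker would go looking for. In practice the inventory comes from the OpenAPI specs in source control and the log from the gateway, and the reconciliation runs on a schedule so that both lists trend towards empty.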
‘You can design an API you believe to be super secure, but if you do not test it, then a cyber-attacker or bad actor somewhere will do it for you’. Sally Eaves
Education also has a vital role to play. Supporting this, please see the recommended free training course by Corey J. Ball at APIsec University, which covers tools and techniques for analysing, testing and identifying API security issues, including lab setup, API reconnaissance, endpoint analysis, scanning APIs, API authentication attacks, exploiting API authorization, testing for improper assets management, mass assignment, server-side request forgery and injection attacks. Additionally, an excellent resource on API vulnerabilities and how to address them is available here.
Governance is equally critical. The EU has introduced the NIS2 Directive, designed to build in a high common level of cybersecurity across the region in recognition of its criticality to the stability and resilience of its economy, society and democracy. From an API perspective, compliance necessitates a holistic and comprehensive API security programme, with measures across authentication, authorization, encryption, monitoring and ongoing management. Additional regulatory considerations include the EU Cyber Defence policy, the EU Cyber Resilience Act and the Digital Operational Resilience Act (DORA). An excellent resource on the implications of NIS2 is available from Noname Security here. And as a reminder, for more on this dynamic field, don't forget to check out the Tomorrow's Tech Today podcast here with Karl Mattson, CISO, and Filip Verloy, Field CTO, of Noname Security.
All feedback and follow-on questions are most welcome!
Many thanks, Sally
A highly experienced chief technology officer, professor in advanced technologies, and a global strategic advisor on digital transformation, Sally Eaves specialises in the application of emergent technologies, notably AI, 5G, cloud, security, and IoT disciplines, for business and IT transformation, alongside social impact at scale, especially from sustainability and DEI perspectives.
An international keynote speaker and author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations, and has been described as the "torchbearer for ethical tech", founding Aspirational Futures to enhance inclusion, diversity, and belonging in the technology space and beyond. Sally is also the chair for the Global Cyber Trust at GFCYBER.