Application programming interfaces (API) have become an inextricable pillar of the digital world – but come with inherent risks that must be addressed.
APIs have long been the easiest way for applications to interact with one another, especially as platforms have become fragmented across a diverse range of services and vendors.
They help developers request services from an operating system or other applications and to access platform-specific data. But if misconfigured or improperly monitored, APIs can also open businesses to takeover by threat actors, malware, or data exfiltration.
Leaders seeking to implement APIs should be aware of the biggest risks associated with them and how these can be mitigated.
1. Unchecked openness
Due to the nature of their function – sharing data with other applications – APIs naturally provide an additional point of exposure that needs to be protected.
The publicly accessible nature of API documentation, which is shared so other developers can integrate their technologies, can be a double-edged sword. Hackers can also access the documentation, looking for ways to exploit vulnerabilities within the code.
Poorly-secured APIs can help attackers leak sensitive data, while unpatched APIs containing known vulnerabilities can act as open doors for data breaches. The data breach at Optus in 2022, which led to 10 million user records being put up for sale on the dark web, was due to poor authentication and authorization protocols within APIs.
The recent Trello data breach was also achieved by abusing APIs, with the hacker behind the attack bragging on the dark web that they had discovered a Trello developer API endpoint accessible without authentication, through which they could search for user information via email addresses.
2. Rapid growth of API traffic
One of the key challenges for today’s API security is the amount of traffic that needs to be monitored and managed. It is estimated in Imperva’s State of API Security in 2024 report that API traffic constituted over three-quarters (71%) of web traffic in 2023.
The sheer volume of API traffic offers malicious actors more potential targets to attack. Almost half of all account takeover attacks are focused on API endpoints. According to the same report, over a quarter of distributed denial of services (DDoS) attacks on APIs focused on financial services organizations, which are typically the most targeted industry for this method of attack.
3. Automated attacks and business logic abuse
For enterprise sites, the average number of API requests – the message sent to a server asking an API to provide a service or information – has risen to approximately 1.5 billion per year, per Imperva’s report. It can therefore be challenging to detect anomalous API activity, due to the sheer volume of API traffic.
The increased use of applications and API requests has inevitably led to a rise in automated attacks on APIs. These automated attacks are especially dangerous, as they mimic normal API activity, meaning that attacks may remain undetected for several weeks or months before their presence becomes known.
Similarly, business logic abuse (BLA) occurs when automated attacks exploit the functionality of APIs for nefarious purposes, such as for extracting sensitive data or disrupting critical applications.
One viable protection against automated attacks is API monitoring, which is used for detecting runtime attacks, such as data scraping. These operate autonomously in the background, monitoring API activity and flagging unexpected behavior. Any unusual activity that is detected can be reported for review or immediately stopped, pending a review by administrators.
4. Shadow APIs
Any one organization could rely on many hundreds of APIs across their tech stack, so tracking all of them can be a challenging task. Gartner says this number is set to grow even more as generative AI and large language models (LLMs) become more popular, with 30% of all API demand growth driven by AI by 2026.
Lack of awareness of the APIs across a network’s architecture is also a potential vulnerability, presenting similar risks to shadow SaaS or shadow AI.
Meanwhile deprecated endpoints, otherwise known as broken object-level authorization (BOLA), heighten potential risks. When APIs fail to have the proper authorization at object level, malicious actors are able to access unauthorized resources by escalating their privileges within a system.
A role-based access control (RBAC) system can be used to mitigate this risk by defining access permissions roles within applications. Contextual authorization mechanisms can also be used to consider a user's location, device, and time of access, in order to determine the appropriate permissions.
Server-side request forgery (SSRF)
Malicious attackers can also manipulate servers into initiating API requests for resources that should not be accessible. Attackers can therefore bypass network boundaries and access internal resources that would be otherwise restricted. This can lead to data exposure, unauthorized actions, or further exploitation.
Network segmentation and access controls can limit the accessibility of internal resources, thereby mitigating the risk of SSRF attacks. Similarly, secure libraries and frameworks can provide protection against this vulnerability.
The foundation of API security
There is a maxim within security that you cannot protect what you cannot see – this is especially true of APIs. API discovery solutions can be used to maintain a complete inventory of all APIs. By continuously operating in the background, it will update as new APIs are deployed and existing ones become redundant.
Not only does there need to be awareness of the APIs, but also of how they operate. By tracking and classifying all APIs, organizations will be able to identify sensitive APIs and protect those that are the most at risk. This should be combined with risk assessments focused on API endpoints, especially for those vulnerable to broken authorization and excessive data exposure.
Web application firewalls (WAFs) lack situational awareness when defending against API-specific attacks. Advanced bot protection can be used to identify malicious automated traffic seeking to exploit API vulnerabilities.
For the processing of sensitive data, an air-gapped network that does not connect with the wider internet would mitigate many risks. However, it would also prevent the APIs from connecting with third-party services and platforms, limiting functionality and usability.
Despite their vulnerabilities, API endpoints have become a new front within cybersecurity, due to their business necessity. A robust API security policy that addresses the potential weakness of the endpoints means that organizations can operate effectively whilst protecting their data.
