API security ‘arms race’ heats up


Enterprises are starting to catch on to the massive security risk that the pervasive use of application programming interfaces (APIs) can create, but many still need to get up to speed.

Poorly secured APIs have been recognized as an issue for years. Data breaches of T-Mobile and Facebook discovered in 2018, for instance, both stemmed from API flaws.

But API security has now come even more to the forefront with enterprises across all industries in the process of turning into digital businesses — a shift that necessitates lots and lots of APIs. The software serves as an intermediary between different applications, allowing apps and websites to access more data and gain greater functionality.

The implication of APIs in high-profile hacks such as the SolarWinds attack is also spurring more companies to pay attention to the issue of API security — though many still have yet to take action, says Gartner’s Peter Firstbrook.

“In most organizations, when I ask them who’s responsible for API security, there are blank stares around the table,” he said at the Gartner Security & Risk Management Summit — Americas virtual conference this week.

That needs to change, said Firstbrook, a vice president and analyst at the research firm. API security vendor Salt Security reported that its customer base saw a 348% increase in API-based attacks over the course of the first six months of 2021.

“APIs are an increasing attack point,” Firstbrook said. “The internet runs on APIs. There’s a huge need for API security.”

Momentum in the market

Still, there are signs that more customers are investing to secure their APIs, while the number of products in the space also continues to expand.

Salt Security, which was founded in 2016 and has offices in Silicon Valley and Israel, has revealed the names of numerous customers including The Home Depot, data center operator Equinix, and telecom firm Telefónica. To fuel its growth, the company has announced raising $100 million over the past year, including a $70 million series C round in May.

A newer entrant in the space, Noname Security, reports rapid traction for its API security product since launching it in February.

The startup already counts among its customers two of the world’s five largest pharmaceutical firms, one of the world’s three largest retailers, and one of the world’s three largest telecoms, said Karl Mattson, chief information security officer at Noname Security. The Palo Alto, California-based company has raised $85 million since its founding in 2020, including a $60 million series B round in June.

Other cyber firms with notable API security offerings include Ping Identity, 42Crunch, Traceable, Signal Sciences (owned by Fastly), and Imperva — which this year bolstered its API security platform with the acquisition of a startup in the market, CloudVector. Additional startups in the space include Neosec, which came out of stealth in September and announced a $20.7 million series A round.

But as the Salt Security report on increased API-based attacks shows, while defenders are ramping up around API security, so are the attackers.

“It’s an arms race right now,” said Noname’s Mattson. “I think attackers are seeing that APIs are not overly complicated to attack and to compromise. And similarly, the defenders are rapidly coming to the realization, too.”

API exploits

The most frequent API-based attacks involve exploitation of an API’s authentication and authorization policies, he said. In these attacks, the hacker breaks the authentication and the authorization intent of the API in order to access data.

“Now you have an unintended actor accessing a resource, such as sensitive customer data, with the organization believing that nothing was awry,” Mattson said.
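The failure Mattson describes, an authenticated caller reading a resource the API was never meant to give them, is easiest to see in code. The following is an added example written for this article, not code from the article, Noname Security or any vendor named here; the session table, customer records, token names and the `support` role are all constructed for illustration. It places a handler that checks only authentication beside one that also enforces object-level authorization, and shows how logging each denial lets a defender spot id enumeration.

```python
import time
from typing import Dict, List, Set

# Constructed sample data (not from the article): bearer-token sessions and
# a customer table keyed by numeric ids, the kind of id a caller can guess.
NOW = time.time()
SESSIONS: Dict[str, dict] = {
    "tok-alice": {"user": "alice", "role": "customer", "expires": NOW + 3600},
    "tok-bob":   {"user": "bob",   "role": "customer", "expires": NOW + 3600},
    "tok-stale": {"user": "carol", "role": "customer", "expires": NOW - 1},
    "tok-ops":   {"user": "dana",  "role": "support",  "expires": NOW + 3600},
}
CUSTOMERS: Dict[int, dict] = {
    101: {"owner": "alice", "email": "alice@example.test", "card_last4": "4242"},
    102: {"owner": "bob",   "email": "bob@example.test",   "card_last4": "0005"},
}
DENIALS: List[dict] = []  # audit trail of authorization failures, for detection


class ApiError(Exception):
    """Error carrying the HTTP status the handler would return."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


def authenticate(token: str) -> dict:
    """Authentication only: is this a live session?  It says nothing about
    which records the caller may read."""
    session = SESSIONS.get(token)
    if session is None or session["expires"] < time.time():
        raise ApiError(401, "invalid or expired token")
    return session


def get_customer_vulnerable(token: str, customer_id: int) -> dict:
    """GET /customers/{id} with the flaw the article describes: the caller is
    authenticated, but the handler never checks that the record belongs to
    them, so any valid token reads any customer."""
    authenticate(token)
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise ApiError(404, "not found")
    return record


def get_customer(token: str, customer_id: int) -> dict:
    """Hardened handler: authenticate, then enforce object-level
    authorization against the specific resource requested."""
    principal = authenticate(token)
    record = CUSTOMERS.get(customer_id)
    allowed = record is not None and (
        record["owner"] == principal["user"] or principal["role"] == "support"
    )
    if not allowed:
        # Record every denial (including misses) so repeated probing is
        # visible, and answer 404 for both "missing" and "forbidden" so the
        # response does not confirm which ids exist.
        DENIALS.append({"user": principal["user"],
                        "customer_id": customer_id, "ts": time.time()})
        raise ApiError(404, "not found")
    return record


def suspicious_callers(min_distinct_ids: int = 2) -> Set[str]:
    """Detection over the audit trail: users denied on at least
    `min_distinct_ids` different customer ids, i.e. walking the id space."""
    probed: Dict[str, Set[int]] = {}
    for denial in DENIALS:
        probed.setdefault(denial["user"], set()).add(denial["customer_id"])
    return {user for user, ids in probed.items() if len(ids) >= min_distinct_ids}


def call(handler, token: str, customer_id: int) -> int:
    """Return the HTTP status a handler would produce for one request."""
    try:
        handler(token, customer_id)
        return 200
    except ApiError as err:
        return err.status


if __name__ == "__main__":
    # bob's token is valid, so the vulnerable handler hands over alice's data
    print("vulnerable:", call(get_customer_vulnerable, "tok-bob", 101))  # 200
    print("hardened:  ", call(get_customer, "tok-bob", 101))             # 404
    call(get_customer, "tok-bob", 103)
    print("flagged:   ", suspicious_callers())                           # {'bob'}
```

The two handlers share the same authentication step; the only difference is that the hardened one ties the decision to the owner of the record actually requested rather than to the mere presence of a session. Returning the same 404 for missing and forbidden records, and keeping an audit trail of denials that `suspicious_callers` reads, are the two defender-side choices the example adds beyond the check itself.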

Firstbrook said that the API security aspects of the SolarWinds attack show how pivotal the issue really can be.

Through their implant in the SolarWinds Orion network monitoring software, the attackers gained access to an environment belonging to email security vendor Mimecast, he noted. And Mimecast — because it provides capabilities such as anti-spam and anti-phishing for Microsoft Office 365 users — had access to the Office 365 API.

Through the Microsoft API key, the attackers gained access to the Exchange environments of a reported 4,000 customers, Firstbrook said. Mimecast, which published its report on the incident in March, declined to provide further comment to VentureBeat.

Ultimately, the incident underscores the need for a much greater focus on API security across industries, Firstbrook said.

“Part of the supply chain is built on APIs,” he said. “We really have to build a best practice around managing and understanding APIs, and securing APIs.”

