Application programming interfaces (APIs) are a critical part of most modern programs and applications. In fact, both cloud deployments and mobile applications have come to rely so heavily on APIs that you can’t have either without an API managing components somewhere along the line. Many larger companies, especially those with a big online presence, have hundreds or even thousands of APIs embedded in their infrastructure, and the number will only keep growing.
The ingenious thing about APIs is that many of them are tiny snippets of code, and all are designed to be small and unobtrusive in their network resource requirements. Yet they are also flexible, able to keep performing their main functions even when the program they interface with or control changes, such as when patches are applied.
As amazing as APIs are, they also have their faults. Because they can be designed to do almost anything, from repeating a single function over and over to controlling the advanced features of various programs or platforms, almost no standards govern their creation. Most APIs are unique, and many organizations simply create new ones as needed. That can be a nightmare for security teams.
Another reason APIs are attractive to attackers is that many are over-permissioned. Even an API that performs only a few functions often runs with near-administrator privileges, on the reasoning that such a tiny API could not possibly do any harm. Hackers who compromise an API then reuse its credentials for new purposes, such as data exfiltration or deeper penetration into the network. According to security research conducted by Akamai, nearly 75% of modern credential attacks targeted vulnerable APIs.
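The over-permissioning problem above is easiest to see when an API credential is modelled as a set of scopes. The following is an added example, not code from the original article: it defines a scope-based authorization check of the kind an API gateway runs per request, computes the "blast radius" (every endpoint a token could reach if it leaked), and audits tokens against the endpoints they have actually been observed calling. All endpoint names, scope names, the two `stock-widget` tokens and the access-log summary are constructed for illustration.

```python
"""Scope-based least privilege for API tokens, plus an audit that flags
over-permissioned tokens. Endpoint names, scope names and the sample tokens
below are constructed for this example and do not belong to any real product."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set

# Every endpoint declares exactly one scope it requires (constructed names).
ENDPOINT_SCOPES: Dict[str, str] = {
    "GET /inventory": "inventory:read",
    "POST /inventory": "inventory:write",
    "GET /customers/export": "customers:export",
    "DELETE /users": "users:delete",
}


@dataclass(frozen=True)
class ApiToken:
    name: str
    scopes: FrozenSet[str]


def scope_covers(granted: str, required: str) -> bool:
    """True if a granted scope satisfies a required one.
    'admin:*' covers everything; 'resource:*' covers any action on that resource."""
    if granted == required or granted == "admin:*":
        return True
    if granted.endswith(":*"):
        # Keep the 'resource:' prefix and match any action under it.
        return required.startswith(granted[:-1])
    return False


def authorize(token: ApiToken, endpoint: str) -> bool:
    """Per-request authorization check. Unknown endpoints are denied (fail closed)."""
    required = ENDPOINT_SCOPES.get(endpoint)
    if required is None:
        return False
    return any(scope_covers(s, required) for s in token.scopes)


def reachable_endpoints(token: ApiToken) -> Set[str]:
    """Blast radius: every endpoint this token could call if its credential leaked."""
    return {ep for ep in ENDPOINT_SCOPES if authorize(token, ep)}


def find_over_permissioned(
    tokens: Iterable[ApiToken], observed_usage: Dict[str, Set[str]]
) -> Dict[str, Set[str]]:
    """Compare what each token *can* reach with what it has *actually* called.
    observed_usage maps token name -> endpoints seen in access logs.
    Returns the excess endpoints per token; an empty dict means every token
    is already scoped to what it uses."""
    excess: Dict[str, Set[str]] = {}
    for t in tokens:
        unused = reachable_endpoints(t) - observed_usage.get(t.name, set())
        if unused:
            excess[t.name] = unused
    return excess


# Constructed tokens for a stock-level widget that only ever reads inventory:
# v1 was issued with the blanket admin scope, v2 with the one scope it needs.
OVER_SCOPED = ApiToken("stock-widget-v1", frozenset({"admin:*"}))
LEAST_PRIV = ApiToken("stock-widget-v2", frozenset({"inventory:read"}))

# Constructed access-log summary: both versions only ever call GET /inventory.
OBSERVED: Dict[str, Set[str]] = {
    "stock-widget-v1": {"GET /inventory"},
    "stock-widget-v2": {"GET /inventory"},
}

if __name__ == "__main__":
    for t in (OVER_SCOPED, LEAST_PRIV):
        print(t.name, "can reach:", sorted(reachable_endpoints(t)))
    print("over-permissioned:", find_over_permissioned([OVER_SCOPED, LEAST_PRIV], OBSERVED))
```

Run as-is, the audit reports that the admin-scoped v1 token can reach the customer export and user deletion endpoints it has never needed, which is exactly the excess an attacker would inherit by stealing it, while the v2 token's reachable set equals its observed usage. Feeding the audit from real gateway logs rather than a constructed summary turns it into a recurring check for scope creep.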
The problem is getting worse. According to Gartner, by 2022, vulnerabilities involving APIs will become the most frequently attacked vector across all cybersecurity categories.