APIs are now an integral part of many cloud services. They are also a major target for attackers, so much so that they are now a major threat.
Titled “The Most Important Threats to Cloud Computing,” the Cloud Security Alliance (CSA) report is one of the best indicators of the effectiveness of cloud security measures. It is released every two years, and the latest edition arrived a few weeks ago. Compared to the previous release, perhaps the most striking development is the sharp rise of insecure interfaces and APIs in the ranking. In 2017, insecure APIs ranked third, but by 2019 they had fallen to seventh. This year, however, they jumped to second place. So, what happened, and what lessons can be learned to determine the best steps to take to secure the cloud?
The irresistible rise of APIs
First, the reliance on APIs has grown tremendously. As our web traffic analysis shows, we’ve gone from a web-based application infrastructure to an API-based infrastructure. Of the 2.1 billion transactions analyzed in the second half of 2021, 70% were made via APIs. And according to a recent report by the Enterprise Strategies Group (ESG), this trend is likely to continue. According to ESG, while 28% of apps and websites use APIs today, this number is expected to double over the next two years. APIs make it easy for developers to build cloud services, but they also provide access to highly sensitive data, making them a prime target for attackers.
The same ESG survey found that nearly a quarter of organizations experienced attacks on misconfigured APIs, and a fifth experienced ATO (account takeover) attacks and attacks on OWASP weak points, respectively. This last point is particularly worrisome, given that 27% of these same companies have taken action to solve highly publicized OWASP issues. These attacks had significant effects. More than 40% of businesses experienced a downturn, affecting customers, brand and bottom line profit. 34% of companies reported negative customer experiences, 34% experienced a decrease in their market value, and 26% experienced a loss of revenue. There were also internal consequences: 41% of companies saw their employees affected and 38% had to deploy additional security products or services.
Tools and Techniques
All of this brings us to the second reason why APIs top the threat ratings: they are very difficult to secure. Threat actors take advantage of how APIs work rather than exploit a particular vulnerability, and perform what is known as a “Living off the Land” (LotL) attack, exploiting standard applications and processes installed on the victim’s computer to hide phishing activities. Since there is no signature or rule violation, traditional security solutions struggle to detect this activity.
Despite this, many organizations rely on intrusion prevention systems (IPS), next-generation firewalls such as Web Application Firewalls (WAFs), or application security tools such as bot mitigation. More alarming still, the ESG survey revealed that many companies were not aware of this fact and thought these tools were sufficient. This disconnect from reality is at the heart of the problem and makes APIs such a huge threat. Organizations understand that API security is a priority (it ranks on the same level as migration to the cloud, secure remote work/flexible work arrangements, and threat detection), but they are so confident in their existing security tools that they remain vulnerable to attacks.
Unified approach
So what can be done to handle API security more effectively? First of all, API security must cover the entire API lifecycle. This calls for a strategic approach that integrates security at every stage, from development to deployment to disposal. For example, to reduce the risk of coding errors, a “shift left” approach should be adopted during development. It also requires continuous discovery, so that APIs are not created and then forgotten, and so that the team has an overview of the APIs and resources exposed to the public. APIs also need to be constantly inventoried and tracked to ensure that they are properly configured and updated.
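One way to run the discovery and inventory check described above, as an added example that is not part of the original article: observed traffic is reconciled against the list of routes the team believes it exposes. The route list, the log format and every path shown are constructed for illustration.

```python
import re
from collections import Counter

# Constructed inventory: routes the team believes it exposes
# (for instance, extracted from its API specification).
DOCUMENTED = {
    ("GET", "/v2/orders/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/users/{id}"),
}

# Constructed gateway log lines: method, path, status.
ACCESS_LOG = """\
GET /v2/orders/1841 200
GET /v2/orders/1842 200
POST /v2/orders 201
GET /v1/orders/77 200
GET /v1/orders/78 200
GET /internal/export?format=csv 200
GET /v2/orders/9f1c2d3e-4b5a-4c6d-8e7f-0a1b2c3d4e5f 200
GET /v2/nope 404
"""

ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")

def normalize(path):
    """Drop the query string and replace numeric or UUID segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))

def reconcile(log_text, documented):
    """Return (undocumented routes with hit counts, documented routes never seen)."""
    seen = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        method, path, status = fields
        if status.startswith(("2", "3")):  # count only routes that actually answered
            seen[(method, normalize(path))] += 1
    undocumented = {route: n for route, n in seen.items() if route not in documented}
    unused = sorted(documented - set(seen))
    return undocumented, unused

if __name__ == "__main__":
    shadow, unused = reconcile(ACCESS_LOG, DOCUMENTED)
    print("answering but not in the inventory:", shadow)
    print("in the inventory but never seen:", unused)
```

Routes that answer but are missing from the inventory are candidates for forgotten or undeclared APIs; inventory entries with no traffic are candidates for retirement review.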
In addition, there is a need to move away from the signature-based or policy-based monitoring associated with application security solutions toward behavior-based analysis. This is much better at detecting suspicious or malicious activity and can detect any risky API changes without affecting performance or disrupting API deployment. Finally, API security must also include active defense. APIs are often subject to automated attacks, which means that they can be thwarted by stealth tactics. Frustration, failure and fatigue serve to deter even the most violent attacks. All of these elements come together to form a comprehensive form of Unified API Security, tailored to the specifics of the API and the cloud environment. Otherwise, in a couple of years, it wouldn’t be surprising to see insecure APIs find themselves at the summit of the Cloud Security Alliance’s top threats in 2023…
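The behavior-based detection described above, sketched as an added example that is not part of the original article: each client is compared with its peers on how many distinct objects it requests per time window. The event format, token names, paths and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed events: (minute, api_token, path). Every request is well-formed,
# authenticated and answered normally, so no signature or policy rule fires.
EVENTS = (
    [(0, "tok-a", f"/v2/orders/{i}") for i in (10, 11, 10)]
    + [(0, "tok-b", f"/v2/orders/{i}") for i in (20, 21)]
    + [(0, "tok-c", f"/v2/orders/{i}") for i in (30, 30, 31, 32)]
    + [(0, "tok-d", f"/v2/orders/{i}") for i in range(1000, 1040)]
    + [(1, "tok-a", "/v2/orders/10")]
)

def distinct_objects(events, window=1):
    """Map (window index, token) -> set of distinct object IDs requested."""
    seen = defaultdict(set)
    for minute, token, path in events:
        seen[(minute // window, token)].add(path.rsplit("/", 1)[-1])
    return seen

def flag_outliers(events, k=6.0, floor=10, window=1):
    """Flag tokens whose distinct-object count is far above their peers.

    Threshold = max(floor, median + k * MAD): a robust baseline that one
    noisy client cannot drag upward the way a mean would.
    """
    per_window = defaultdict(dict)
    for (w, token), ids in distinct_objects(events, window).items():
        per_window[w][token] = len(ids)
    alerts = []
    for w, counts in sorted(per_window.items()):
        values = list(counts.values())
        med = median(values)
        mad = median(abs(v - med) for v in values)
        threshold = max(floor, med + k * mad)
        for token, n in sorted(counts.items()):
            if n > threshold:
                alerts.append((w, token, n))
    return alerts

if __name__ == "__main__":
    for w, token, n in flag_outliers(EVENTS):
        print(f"window {w}: {token} requested {n} distinct objects")
```

The `floor` parameter keeps quiet windows with few clients from raising alerts on ordinary usage.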