The Ever-Present API Threat

Bottom Line Up-Front

Businesses are integrating API's at alarming rates with an increasing number of web-facing applications. Put this way, if third-party web applications are the doors that open to the highly sought-after user experience, API's (application programming interfaces) are the hinges that they swing on.

What does an API really do anyway?

So, picture this: you're at home, tired and hungry. And in the mood for takeout. But before you're able eat, you call someone (a runner), place your order, and they in turn retrieve said food on your behalf from a location of your choosing.

In this example, you, would be the organization's web-application, the runner is the API, and the order is your information. API's essentially are 3rd-party runners that retrieve information on behalf of web-applications. They assist in performing functions like profile-build outs, sending emails, providing banking information, and identifying user location.

Sounds great so far, right? Well, here is the thing; as API's continue to perform more and more critical business services, the graver and deeper the security risks become not only to the organization, but also to its customers, clients, and partners.

Threat Context

Cyberattacks involving API's as vectors began appearing on OWASP's (The Open Web Application Security Project) top ten list back in 2018. These attacks which involved data breaches and other security incidents featured high profile names like, T-Mobile, McDonald's, Salesforce, Instagram, Panera, and Venmo.

Personally identifiable information (PII) exposed in plain-text during these breaches and security incidents included:

• Customer Names

• Email Addresses

• Physical Addresses

• Date of Birth

• Debit/Credit Card information

API-based attacks by 2022 (just two years from now) "will become the most common form of attacks seen by security teams. Additionally, API's, as opposed to user-interfaces will account for at least 90% of the attack surface by 2021 - (Source: Gartner). With a majority of organizations (particularly those in the healthcare community) citing major concerns about the security of the web-application ecosystem, these three points should cause us all collective pause:

1. API- security is routinely implemented differently than web-application security.

2. API-security lags far behind other areas on the IT to-do list.

3. At least 66% of organizations rely on API's to deliver critical business services.

Where do we go from here?

First things first, you cannot protect what you're unable to see. That means that if you are running point on systems security, you need to know how many API's you rely on and for what. Secondly, you need a plan to credibly manage your API's. And lastly, if that plan does not include continuous monitoring, then we essentially are back at square one.

If you're new to cybersecurity, or just overwhelmed at this point by all that it involves, NMSG's got you covered. Our Cyber Risk Management solution will:

A) Posture your security architecture for success by identifying and remediating mission-critical API-related threats.

B) Develop a security plan that delivers a distributed, organization-wide defense strategy.

C) Maintain a secure operating environment with leading, industry-insight and awareness training.

Contact us today, and we'll get you squared away.