Is API Usage Putting Your Organization Out of Compliance

By Matt Keil, Director of Product Marketing, Cequence Security

APIs (“Application Programming Interfaces”) are increasingly being used as the conduit for data exchange between applications, infrastructure, and IoT devices. The recent explosion in cloud usage and the urgency around digital transformation and the creation of mobile apps has caused a steep increase in the dependence of APIs as a way to speed and simplify development efforts. Today, most organizations expose multiple APIs to customers and partners, published from different product teams, different application stacks, and following various DevOps and security procedures, oftentimes, without consistent security or compliance oversight. According to Gartner, by 2021, 90% of web-enabled applications will have more surface area for the attack in the form of exposed APIs rather than the UI, up from 40% in 2019.

When secured, APIs are a smart way to interconnect endpoints and systems to transmit data and deliver critical features and functionality. But, when published outside of your normal process (if you have one), and left unprotected or misconfigured, they give hackers easy access to large volumes of data and make it easier to commit fraud and expose private data by automating actions normally done by humans through web forms. In the end, the API provides the same benefits – ease of use, efficiency, and flexibility – to both developers and bad actors.

It’s important that compliance, privacy, and risk professionals dig deeper to understand the usage of APIs across the organization and gain insight into the vulnerabilities that exist so that risk can be measured and mitigated. Unfortunately, the fragmented API management space, along with an increase in decentralized development, has created a situation where most enterprises lack even the most basic understanding of their API landscape. According to Aite Group, the organizations have an average of 620 APIs – do you know where they all are, who owns them and what they do?

Gaining visibility into your API footprint in the form of inventory, usage, potential vulnerabilities, and specification conformance is vitally important to understand the overall exposure and compliance impact created by APIs in use. Some questions that every organization should be able to answer (but rarely can) include the following:

  • How many APIs do we have? What applications are these APIs used by or associated with?
  • How many were sanctioned by security and how many are “shadow” or unknown APIs?
  • Are they all necessary for operations or were deployed inadvertently or forgotten about after they were no longer necessary?
  • Which ones are not actively managed or monitored? Do they have traffic? Is the traffic expected, or do patterns suggest misuse?
  • How many APIs have vulnerabilities or don’t conform to approved API specifications? Do we have any hidden API headers, parameters, or response codes?
  • Is there PII or sensitive data being transmitted through APIs unencrypted? Is access regulated data limited in a way that will keep us in compliance?

Unfortunately, too many organizations get answers to these questions the hard way – when they are breached. For example, an API might expose too much information when a request is made providing attackers with insights, they can use to further breach a system. Or, an API might completely lack proper access authentication or inadvertently grant users with elevated privileges (like giving them Admin rights) which could be used to exfiltrate or change the data.

“The hallmark of cyber attackers is they are always searching for a path of least resistance.  The expanding use of public-facing APIs, especially those that are unknown, coupled with the lack of security associated with those APIs make them a prime target,” says Charles Kolodgy, Principal at Security Mindsets LLC.  “It is important for organizations to know what APIs are used by the website, especially shadow APIs, in order to secure them thus making it more difficult for cybercriminals to achieve their end goal.”

While there are security tools that address some aspects of API security, this problem of visibility needs to be solved.

“If your organization delivers APIs to external parties, such as your customers or partners, you need a centralized place to help monitor the security posture and compliance of all your published APIs, detect any risks immediately, and respond proactively to mitigate risks of data exfiltration,” says Subbu Iyer, VP of product for Cequence Security.  “The first step in developing mature API security and compliance program is to discover all the APIs your organization delivers to external parties and analyze their risk postures.”

About the Author

Matt Keil AuthorMatt Keil, Director of Product Marketing, Cequence Security

Matt Keil joined Cequence Security in April of 2019 as a member of the product marketing team, driving product-related messaging and outbound content creation. Prior to joining Cequence Security, Mr. Keil worked at Palo Alto Networks for 12 years, where he was part of the team that launched the company and his most current role as Director of Product Marketing for Public Cloud. Cumulatively, Mr. Keil has 18 years of experience in the enterprise network security market, working for Check Point Software, NetScreen/Juniper Networks, then Palo Alto Networks, and Now Cequence Security.