As organizations increasingly rely on application programming interfaces (APIs) to facilitate communication and data exchange between software systems, these “gates” become primary targets for attackers. Businesses that fail to put API security at or near the top of their priority list risk suffering costly data breaches, service interruptions, reputational damage, and more. Yet, despite the importance of API security, many organizations neglect to allocate sufficient resources for performing regular, thorough API reviews.
As a result, these organizations put their very futures in jeopardy. For example, Traceable’s State of API Security report, released earlier this year, found that 99 percent of organizations reported API security issues in the past year, and 57 percent experienced API-related data breaches. Numbers like that make it imperative for security teams to recognize the most common vulnerabilities found in today’s APIs, the obstacles to conducting thorough API security reviews, and what they can do to implement best practices to keep their internal systems and customer data safe from malicious exploitation.
Why APIs are prime attack targets
Imagine a large farm with multiple gates. It is essential for the farmer to always know the status of each gate. An open gate could lead to the loss of valuable livestock that could wander away or result in costly damage from predators that make their way onto the property. It’s the same for today’s organizations. Failure to maintain the security of their API gates can lead to harmful data breaches that result in financial loss, reputation damage, and operational disruption.
For instance, an API attack in April 2024 resulted in unauthorized access to 1.3 million accounts in the PandaBuy system. Another API-related attack in March 2024 targeted public GitHub repositories and extracted nearly 13 million API keys, tokens, and other secrets. Attacks like these are why The Hacker News recently reported that “organizations are losing between $94 – $186 billion annually to vulnerable or insecure APIs….”
Unfortunately, cybercriminals exploit many vulnerabilities in today’s APIs. These include broken authentication and authorization, injection attacks, insecure direct object references (IDOR), insufficient rate limiting and resource consumption, security misconfigurations, insecure data transmission (lack of encryption), improper API versioning, business logic flaws, and third-party API risks.
The Quest Diagnostics API breach is an example of a third-party attack. In that incident, cybercriminals gained access to the medical information of 11.9 million Quest patients by exploiting a vulnerability in a third-party web payment page. A recent example of an injection attack is the Reddit API breach by BlackCat, where attackers exploited weaknesses in Reddit’s API to obtain 80GB of data and demand a $4.5 million ransom.
How to shore up API defenses
Due to existing API weaknesses, thorough API security reviews are critical to any organization’s security strategy. Without regular security assessments, vulnerabilities can go unnoticed and lead to data breaches, financial losses, and reputational damage. The keys to conducting thorough API security reviews rest largely in overcoming several obstacles that commonly arise in organizations. Those obstacles and their solutions include:
- Poor visibility and documentation solution. Utilize API discovery tools and enforce documentation standards to track all API endpoints, versions, and integrations.
- Frequent API changes/updates solution. Move security testing into the continuous integration and continuous delivery (CI/CD) pipeline and use automated scanning and real-time monitoring to catch issues early.
- Inadequate authentication and authorization review solution. Perform consistent penetration testing and enforce strict authentication mechanisms such as open authorization (OAuth), JSON web token (JWT), and role-based access controls (RBAC).
- Insufficient security expertise solution. Provide API security training, hire dedicated security professionals, and foster collaboration between development and security teams.
- Time and resource constraints. Automate API security testing with tools like Open Web Application Security Project Zed Attack Proxy (OWASP ZAP), Burp Suite, or API security gateways to reduce manual effort and ensure continuous protection.
- Insecure third-party integrations. Conduct security assessments of external APIs, enforce vendor security policies, and use API gateways to monitor and control third-party access.
Points.com, a platform that manages loyalty programs for major brands like Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy, conducted a comprehensive security review in 2023. The report identified significant API vulnerabilities that could have allowed unauthorized access to customer data and accounts. The company promptly addressed the issues and avoided a costly and reputation-damaging data breach. By committing to thorough API security reviews, organizations can proactively identify threats, enforce security best practices, and maintain a much stronger security posture.
Committing to thorough, standardized AP security reviews
To ensure consistent, high-quality reviews, it is essential for security professionals and engineers to work together to create secure, scalable, and consistent API security practices. Collaborations that are proactive, structured, and integrated into the development lifecycle provide the best results. The most effective reviews incorporate well-established frameworks, such as OWASP API Security Top 10, threat modeling (STRIDE, DREAD, or PASTA), DevSecOps practices, and secure software development lifecycle (SDLC). Up-to-date methodologies and industry standards further support these strategies.
Other best practices include maintaining an accurate API inventory and enforcing strong authentication and authorization, such as implementing OAuth 2.0, JWT, or API keys for secure authentication, and applying role-based access control (RBAC) and least privilege access to restrict sensitive data exposure. Companies can also secure data transmission by enforcing HTTPS/TLS encryption for data in transit, using end-to-end encryption for sensitive API communications, implementing rate limiting and throttling to prevent denial-of-service (DoS) attacks, and controlling excessive requests from a single source. Additional best practices are validating and sanitizing inputs to protect against injection attacks, conducting regular penetration and fuzz testing to uncover vulnerabilities, and enabling real-time monitoring to detect and quickly address abnormal behaviors.
Organizations can significantly lower the threats associated with API vulnerabilities by staying committed to API security best practices, consistently reviewing API security policies, and updating those policies and practices based on evolving threats. This comprehensive approach will reduce legal risks, protect sensitive data, and maintain customer trust by building a more secure, resilient API ecosystem that fosters growth.
Stay vigilant to maintain API security
Technology isn’t going to stop advancing, and cyberattackers aren’t going to stop evolving. As APIs grow in popularity, it is critical for organizations to resist complacency and continue to improve their security, which means staying on top of new trends and technology. API interfaces are likely to get significantly more complicated as organizations create new products based on advances in artificial intelligence, machine learning, and cryptocurrency technologies. The visionary companies that embrace the latest trends and technological advances and future-proof their API security strategies will best position themselves to stay ahead of evolving threats.
About the Author
Pushkar Jaltare is a security architect at Fastly with expertise in web, mobile, and cloud security assessments, threat modeling, and identity and access management. Pushkar holds a master’s degree in information assurance from Northeastern University. Connect with Pushkar on LinkedIn
