The boom in mobile apps, cloud services, and Web applications has led to a worrying trend: Attackers are increasingly targeting the APIs that underpin them. Enterprises need tools to secure these data-rich connectors, and CrowdStrike's announcement that it is investing in Salt Security highlights the critical role API security plays in Web application security.
APIs – application programming interfaces – are ubiquitous in the modern enterprise. Consider the following:
- A Web application displaying a map and location data relies on the Google Maps API.
- An e-commerce application offering multiple payment options, such as the "Pay with PayPal" feature, is using an API.
- Retailers use APIs to work with couriers and delivery companies to ensure packages are picked up and delivered correctly.
- Companies may send software via API. That's what Tesla does.
"APIs connect the critical data and services that drive today's digital innovation," said Roey Eliyahu, CEO and co-founder at Salt Security, in a statement.
Developers rely on APIs to connect their applications to multiple data sources and services in order to build new features and products without having to start from scratch. For example, not many organizations have the resources or data to maintain detailed maps, but they don't need to because Google Maps offers the information via an API. However, the fact that APIs have access to sensitive data and systems makes them vulnerable. If the API is somehow abused, that can expose the underlying data and result in a data breach.
A bug in the Peloton API allowed anyone to pull users’ private account data directly from Peloton’s servers, even if a user's profile was set to private. There was a similar situation involving a financial lending site, where a leaky Experian API allowed anyone to look up someone else's credit score with only a name and mailing address.
"Enterprises are producing a massive number of APIs at a rate that far outpaces the maturity of network and application security practices," wrote Gartner analysts Jeremy D’Hoinne and Mark O’Neill in a recent "Gartner Predicts" report on API security. "Strong inventory and real-time discovery are both necessary to gain enough visibility into all APIs that the organization produces."
From a financial perspective, CrowdStrike's investment makes sense. The API security market is expected to grow 26.3% between 2022 and 2032, according to research from Future Market Insights earlier this month. Gartner estimates that API attacks will soon become the most frequent attack vector for Web applications.
In addition to the investment, CrowdStrike says it plans to work with Salt Security on security testing to harden APIs, as well as on API discovery and runtime protection for applications.