Enterprises increasingly rely on application programming interfaces (APIs), which allow applications and websites to access data from multiple sources and to incorporate new functionality from third-party platforms. While APIs help organizations expand their digital offerings, they also pose significant security risks for organizations.
Without proper security controls in place, attackers can abuse APIs and siphon off data from applications. High-profile incidents over the past year include scraping user data from the social media site Parler via an API call manipulation and using an accidentally exposed token to harvest full contact details of 50 million LinkedIn users. Improperly configured APIs led to Peloton accidentally exposing user data and Experian leaking credit scores.
"The world has woken up to the reality that APIs are simultaneously the weakest link in application security and the most attractive target for bad actors," says Roey Eliyahu, CEO and co-founder of Salt Security.
Attackers can also target the recently disclosed vulnerability in Log4j via API calls, says Eliyahu. Every API call contains many parameters, and many of them directly invoke a logging command. A bad actor could potentially change the value of the parameters to code that would be invoked by the logging library, resulting in remote code execution, he says.
Reality of API Security
By 2022, API-based attacks will become the most frequent attack vector for applications, Gartner predicts.
It is in this environment that Noname Security announced it has raised $135 million in Series C funding, bringing the total amount raised to $220 million since the company emerged from stealth in December 2020. The latest round of financing pushes the startup to over $1 billion valuation.
"We’re thrilled to see this kind of validation for the API security market," Eliyahu says, noting that when Salt Security launched five years ago, little attention was being paid to security focused on protecting APIs.
There are different types of API-based attacks, but leaky APIs may be the most common — where attackers break API's authentication and authorization policies in order to access data. Another attack method involves using API calls to start or stop critical processes. Considering how ubiquitous APIs have become, an attacker's ability to turn things on or off can have serious consequences in the physical world. And finally, API attacks can enable account takeovers, allowing bad actors to execute unauthorized financial transactions on those accounts.
Organizations will vary on which type of API security incidents would be considered more serious because every organization has different business requirements and risk tolerance. Some organizations try to differentiate between an API incident and a data breach, suggesting that even if data were exposed, an API incident is in some way less serious than a breach itself. However, there are more tangible financial costs with incidents that give attackers the ability to perform unauthorized actions, such as executing certain financial transactions, Eliyahu says.
"But for the consumer whose personal data has just been sold on the dark web, that distinction is meaningless," Eliyahu says. "Reputational harm still does damage."
AP Security Tools on the Market
Despite having robust security tooling and sophisticated application security teams, attackers have been able to leverage APIs to get at companies’ most sensitive data and services, Eliyahu says. New tools can help close the gap.
Noname's API security platform analyzes configuration settings, network traffic, and code to help organizations proactively discover and remediate security issues with APIs and prevent misuse. The platform uses artificial intelligence (AI) to create a baseline understanding of how an API typically behaves. The platform takes action whenever the API behavior deviates from the baseline.
Similarly, Salt Security's platform aims to prevent API-based attacks by using AI and machine-learning technologies to analyze traffic from Web, software-as-a-service, mobile, microservice, and Internet of Things (IoT) APIs and then generate a baseline of normal behavior. Salt Security uses the baseline to identify anomalies that may indicate attackers during the reconnaissance phase.
"The old tools simply aren’t enough, and the world more fully woke up to this reality this past year," Eliyahu says.