APIs, these software interfaces which allow different applications to be connected to each other, are currently experiencing a real craze with businesses. Developed at a breakneck pace, they facilitate the integration and connection between them of individuals, websites, systems, services, products, data, objects or software processing. And thus allow companies, large or small, to innovate, accelerate the time to market of new products and services, create new sources of income, improve the customer experience or data sharing and others resources.
The ecosystem of these APIs, known as the API economy, is already valued at several trillions of dollars according to several sources. Another report even reveals that more than a third of companies generate at least 25% of their turnover through their APIs.
APIs, a new El Dorado for cyber criminals
But at the same time, they have become prime targets for cyber criminals.
First, because they are new entry points to the most sensitive corporate data, and attacking them allows malicious actors to steal and manipulate critical information, which can be important sources of revenue.
Second, because they are surprisingly simple to compromise. You only need to obtain the credentials of a legitimate user account, or create one with a bank, an insurance company, etc., to access it and then take control of it. Concretely, as soon as he has had access to an API, a cyber attacker with the adequate technical knowledge can follow and analyze his functioning, identify his vulnerabilities and exploit them to access other user accounts.
Finally, even more serious, because attacks targeting APIs cannot be identified by the security solutions generally implemented to deal with threats at the application level, and often take long months to be detected, when they are. , because in most cases they are not, and it is the cyber attacker who mistakenly or willfully reveals the attack.
For these reasons, the APIs are now looking like a new paradise for hackers, as confirmed by a recent study by Gartner, which predicts that they will become the preferred target of cyber attacks by 2022.
Two key measures
To meet the challenge of API security today, organizations must take two key steps simultaneously.
Adopt new technologies, complementing their existing security policies dedicated to web applications. These technologies must have two objectives.
Identify and draw up a precise inventory of the APIs they use. Many corporate security managers have incomplete visibility into all of the APIs used in their organization, particularly those for internal use. New solutions are now able to automatically identify all of them to control their activity, and prevent unidentified APIs from being compromised.
Continuously monitor API behavior. This permanent traffic monitoring, API by API, and user by user, is now able to identify, through machine learning and artificial intelligence technologies, abnormal behaviors and to act accordingly. So for example, if an API is normally called 5 times in a row to make 5 transfers of 20 KB, a series of 40 requests for transfers of 1 MB each may indicate a data theft.
Adopt best practices to secure the development of APIs.
But the adoption of new API identification and tracking technologies is not enough. It must be supplemented simultaneously by an upstream action. Hundreds of thousands of APIs are now developed every year in companies. However, in many cases, these developments are carried out without taking into account their security level, which leads to the persistence of vulnerabilities. Malicious actors are then free to exploit them, for example via “reverse engineering” methods.
To remedy this situation, companies must impose best practices in terms of security on their development teams. These practices go through the implementation of new processes by systematically integrating the security parameter, and through the realization for each API developed of vulnerability tests with the hacker spirit, that is to say by putting themselves in the place of a potential pirate.
Without these two key measures, APIs will continue to be an Eldorado for cyber criminals for a long time, and represent a major security risk factor for businesses.