Organizations use APIs to enable different applications to communicate with each other, share data, and use common services to help deliver and streamline functionality for users. Because of the growing importance of APIs to business, API security is a crucial element of an organization’s cybersecurity strategy. Despite that, organizations seem to lag in API security according to the latest API Security Report by Salt Security. Poor API authentication remains one of the top issues that facilitate attacks. API authentication and authorization rely on machine identities and API keys that can be vulnerable to theft and misuse.
Key API security report findings
The State of API Security Report from Salt Labs focuses on API security risks, challenges, and strategies. The survey data reflects the input of more than 250 respondents, with 26% of respondents having doubled the number of APIs in use from a year ago, and 5% have more than tripled the count.
As organizations continue to transform their ways of working, and as developers built more applications and APIs for services, attackers change their tactics, making APIs their prime target. In the last 12 months, API attack traffic saw an increase overall of 168%.
A sizeable 62% of respondents delayed application rollouts because of API security concerns. It is evident that organizations face an urgent need to reduce security risks around APIs to continue to innovate quickly and for their businesses to flourish.
Despite robust efforts to validate APIs before deploying them into production, nearly every company is finding security problems in their production APIs. Vulnerabilities are the leading challenge, with 39% of respondents identifying them in their production APIs. Authentication problems are the next most common issue, at 32%, followed closely by sensitive data exposure at 30%.
While non-authenticated APIs or APIs with weak authentication mechanisms create security gaps, 94% of exploits are happening against authenticated APIs, a clear indication that API security is a challenging topic requiring a lot more than just authentication.
It follows that most survey respondents acknowledge the gaps in their existing tools’ efficacy in stopping bad actors. A whopping 85% noting their tools are not very effective in stopping API attacks.
The importance of machine identity management to API security
The OWASP API Top 10 list identifies authentication and authorization attacks as the top two risks for API Security. Broken object-level authorization, user authentication and function-level authorization can be leveraged by attackers to gain access to sensitive information processed by the application and compromise the overall API security.
APIs need a verified identity using digital certificates and cryptographic keys. Once an API is verified, it can communicate securely with other APIs, establish trust relationships, and grant authorized access to networks and resources.
However, to ensure that these API identities are not compromised, organizations need an effective machine identity management program. Effectively managing the increasing number of machine identities associated to APIs helps organizations to keep track of all APIs and ensure that each one has appropriate access permissions.
The impact of poor machine identity management can become damaging:
- Service outages caused by expired certificates
- Breached SSH keys by SSH related malware
- Broken customer trust
- Lost revenue
An essential component of effective machine identity management for APIs is the ability to automate machine identities over multiple API gateways. API gateways use large numbers of machine identities—cryptographic keys and digital certificates—to establish trust and preserve privacy. But API gateways do not include machine identity management features that provide security teams’ insights into how machine identities are being used. Nor do they provide the automation necessary to eliminate time-consuming and error-prone TLS certificate lifecycle functions.
The Venafi way to API security
Organizations need a mix of tactics to protect APIs. Authentication and authorization are just two important components of robust API security and should be leveraged together with controls such as API visibility and abnormal behavior intelligence to ensure that APIs are not manipulated by attackers. “Companies need to define and execute against an API security strategy that covers the full lifecycle of APIs and addresses cross-functional responsibilities,” suggests the Salt Security report.
Venafi Control Plane through its integration with various ecosystem partner integrations, simplify and automate API security through a comprehensive, layered machine identity solution that protects APIs and enables full visibility and control of machine-to-machine communications.