There’s been no shortage of API security breaches over the last several years. As recently as 2023, companies like the popular language-learning platform Duolingo experienced the impact of malicious actors gaining access to an exposed API.
In their case, the breach exposed more than 2.6 million users’ email addresses, with addresses being sold on hacking forums.
Duolingo’s story is one of many that sets the stage for enterprises to pause and revisit their approach to API security. We shared another example in a recent webinar — one that highlights how security risks can come from the inside:
As the use of APIs grows and hackers find new ways to exploit API weaknesses, you’ll have a strong security posture to safeguard sensitive data and preserve trust.
Here are key questions to assess the state of your current API protection.
Do you have a grasp on all the APIs in your infrastructure?
Every API offers a potential doorway to sensitive data.
When enterprises have undocumented or unmanaged APIs (shadow APIs) or outdated APIs that haven’t been properly deprecated (zombie APIs), they become far more vulnerable to attacks, as unprotected endpoints become easy targets.
To put this in perspective, over 30% of malicious transactions target unknown, unmanaged, or unprotected APIs.
For more, see this infographic on surviving the zombie API apocalypse.
Are you leveraging a multi-layered security approach?
Without web application firewalls, malicious traffic can pass through at the surface level unchecked and directly target APIs.
At the same time, without implementing throttling at the global level, APIs are susceptible to denial-of-service (Dos) attacks where systems are overwhelmed with excess requests.
This is a nod to the need for a comprehensive and integrated security level focusing on hygiene at every level.
Do you have a way to monitor and mitigate threats?
From IP safelists that limit the API attack surface to rate limits and quotas that cap the number of client requests in a given timeframe, organizations can take plenty of measures to reduce threats.
But it’s also about detecting suspicious activity and patterns promptly. In 2023, it took an average of 204 days for companies to identify data breaches — and an additional 73 days to contain them.
Have you implemented data security and validation?
Malicious attackers are known to inject code into API parameters and query strings. If companies don’t have a validation routine within their gateway or payload scanning, there’s a more significant potential for this code to go undetected and be fed into the system for processing.
Insufficient API header management can lead to further vulnerabilities, as these security headers help ensure safe interactions between browsers and APIs.
The following video gives an ultra-rapid overview of some common API security best practices:
Have you established consistent API security practices?
Manual processes throughout the API lifecycle are more prone to errors and inconsistencies, which can ultimately lead to more gaps in API protection.
Consider this alongside the fact that 75% of organizations change or update their APIs daily or weekly.
The more companies can automate their API management lifecycle, the more they can standardize API security.
In the following video, William McKinney, Senior Director of Product and Solutions Marketing for Axway’s Amplify Platform, discusses how an API marketplace built on a universal API management foundation can help enforce your organization’s security practices.
