APIs are everywhere and hackers are licking their chops. A recent analysis of 17,500 security reports showed that the overall number of API security incidents increased from 50 to 142 exploits in the second quarter of 2022 – a 286% increase. Last May, 2022, Internet crooks used unmanaged or leaky APIs to gain access to enterprise data almost every single day.
And some of these attacks are landing on target: Salt’s State of API Security reports nearly 20% of respondents say their organizations experienced a breach resulting from insecure APIs last year.
Threats are keeping pace with the explosive growth of APIs, causing API security experts to look at the challenges in new ways. William McKinney, Axway Sr. Director for Product and Solutions Marketing, discussed this shift in thinking during a recent webinar in which he mapped out three main ideas to help guide customers and strengthen their security.
Security accelerates the speed of business
McKinney countered the idea that API security fears will slow down development processes, delaying new products and services at a time when speed to market is essential. Instead, building security into development and other processes will accelerate your business, enabling you to better assess risks and build customer trust.
“So many think security is just another roadblock to getting my API published and out there,” says McKinney. “Actually, a good security strategy is going to make it faster for you to get to market, stay in the market, and respond to changes that are happening.”
Security is more than technology
“Security is also not technology alone,” Mckinney continued. “You can’t think of security as something to be relegated to a gateway. It’s not some last step in your process before you’re good to go.”
Instead, API security requires companies to take a broader view of people, processes, and system design. Processes like authentication and authorization, for example, need to be moved closer to the application and data model to maintain access to the right people and keep intruders out.
Organizations need a 360-degree view of all the organization’s API assets in order to log, analyze, and govern what’s happening. Developers and lines of business must first understand the organization’s processes and policies before deploying APIs.
McKinney pointed out that Axway’s Amplify Platform enables organizations to achieve these goals by unifying API assets and managing their entire lifecycle, making them easy to discover and adopt. This puts an end to unmanaged and unsecured APIs becoming sitting ducks for hackers.
“You don’t know what you don’t know until you know it,” McKinney says. “API security starts with visibility into all the APIs you use internally and with apps and services used by customers and partners.”
Threats can be internal, not just external
McKinney emphasized that threats to APIs come from all directions. Therefore, security policies governing APIs must also apply to employees working inside the company network, no matter where or how they work.
“If someone is able to penetrate at one point, and then move horizontally, you are not safe, even in system-to-system communications,” he said. “There is no such thing as a safe zone.”
He explained that security teams should employ a Zero Trust approach to enhance security across all major risks. In the Zero Trust model, no user or device is trusted to access a resource until their identity and authorization are verified.
The idea is that you should assume every machine, user, and server to be untrusted until proven otherwise. A central API management plane that discovers all APIs as they are created and provides centralized API observability is an essential ingredient for moving forward with Zero Trust.
In the following Q&A video, McKinney explains how a marketplace that’s built on a universal API management foundation helps enforce your organization’s security policies as APIs are exposed.
Get better visibility and control
Amplify Platform shows how security doesn’t have to add complexity to the technology equation. It enables you to facilitate security from a centralized plane where API vulnerabilities are automatically detected. Predefined filters ensure authentication and authorization, and attacks are blocked before they occur.
A stronger security posture is just one benefit of an open API management platform. You can manage the entire API lifecycle, maximize reuse, improve operational efficiencies, and create API products. It’s time to start delivering secure business outcomes with your APIs.
Hackers have evolved, has your API security? Watch the Webinar on demand to stay ahead of today’s threats.