Enterprises are starting to catch on to the massive security risk that the pervasive use of application programming interfaces (APIs) can create, but many still need to get up to speed.
Poorly secured APIs have been recognized as a problem for years. Data breaches at T-Mobile and Facebook discovered in 2018, for instance, both stemmed from API flaws.
But API security has now come even more to the forefront as enterprises across all industries are in the process of becoming digital businesses, a shift that requires lots and lots of APIs. An API serves as an intermediary between different applications, allowing apps and websites to access more data and gain greater functionality.
The role of APIs in high-profile hacks such as the SolarWinds attack is also spurring more companies to pay attention to the issue of API security, though many still have yet to take action, says Gartner's Peter Firstbrook.
"In most organizations, when I ask them who's responsible for API security, there are blank stares around the table," he said at the Gartner Security & Risk Management Summit — Americas virtual conference this week.
That needs to change, said Firstbrook, a vice president and analyst at the research firm. API security vendor Salt Security reported that its customer base saw a 348% increase in API-based attacks over the first six months of 2021.
"APIs are an increasing attack point," Firstbrook said. "The internet runs on APIs. There's a huge need for API security."
Momentum in the market
Still, there are signs that more customers are investing to secure their APIs, while the number of products in the space also continues to expand.
Salt Security, which was founded in 2016 and has offices in Silicon Valley and Israel, has disclosed the names of numerous customers including The Home Depot, data center operator Equinix, and telecom firm Telefónica. To fuel its growth, the company has announced raising $100 million over the past year, including a $70 million series C round in May.
A more recent entrant in the space, Noname Security, reports rapid traction for its API security product since launching it in February.
The startup already counts among its customers two of the world's five largest pharmaceutical companies, one of the world's three largest retailers, and one of the world's three largest telecoms, said Karl Mattson, chief information security officer at Noname Security. The Palo Alto, California-based company has raised $85 million since its founding in 2020, including a $60 million series B round in June.
Other cyber companies with notable API security offerings include Ping Identity, 42Crunch, Traceable, Signal Sciences (owned by Fastly), and Imperva, which this year bolstered its API security platform with the acquisition of a startup in the market, CloudVector. Additional startups in the space include Neosec, which came out of stealth in September and announced a $20.7 million series A round.
But as evidenced by the Salt Security report on increased API-based attacks, while the defenders are ramping up around the API security issue, so are the attackers.
"It's an arms race right now," said Noname's Mattson. "I think attackers are seeing that APIs are not overly complicated to attack and to compromise. And similarly, the defenders are rapidly coming to that realization, too."
API exploits
The most frequent API-based attacks involve exploitation of an API's authentication and authorization policies, he said. In these attacks, the hacker breaks the authentication and authorization intent of the API in order to access data.
"Now you have an unintended actor accessing a resource, such as sensitive customer data, with the organization believing that nothing was awry," Mattson said.
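The pattern Mattson describes, an authenticated caller reading a resource the API never meant them to see, is what an object-level authorization failure looks like in code. The following is an added illustration written for this page, not code from the article, Noname, Salt or any vendor product; the bearer tokens, principals and customer records are constructed sample data, and `get_customer_vulnerable` / `get_customer_hardened` are hypothetical handler names.

```python
"""Added example: an API endpoint that authenticates the caller but never
authorizes access to the specific object, beside the corrected version.
All tokens, users and records below are constructed for illustration."""
from dataclasses import dataclass
import hmac

# Constructed sample data: opaque bearer tokens mapped to the principal they
# authenticate, and customer records keyed by ID with an owning principal.
TOKENS = {"tok-alice-9f3": "alice", "tok-bob-41c": "bob"}
CUSTOMERS = {
    1001: {"owner": "alice", "name": "Alice A.", "ssn_last4": "1234"},
    1002: {"owner": "bob", "name": "Bob B.", "ssn_last4": "5678"},
}


@dataclass
class Response:
    status: int
    body: dict


def authenticate(authorization_header):
    """Return the principal behind a 'Bearer <token>' header, or None.
    Tokens are compared with a constant-time check to avoid timing leaks."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    presented = authorization_header[len("Bearer "):]
    for token, principal in TOKENS.items():
        if hmac.compare_digest(token, presented):
            return principal
    return None


def get_customer_vulnerable(authorization_header, customer_id):
    """Authentication only: any caller holding a valid token can read any
    customer record by guessing or enumerating IDs. This is the class of
    flaw the article's sources describe: the token is legitimate, so the
    access log looks normal, yet the wrong actor reads the data."""
    principal = authenticate(authorization_header)
    if principal is None:
        return Response(401, {"error": "unauthenticated"})
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)  # ownership is never checked


def get_customer_hardened(authorization_header, customer_id):
    """Authentication plus object-level authorization: the record is returned
    only if the authenticated principal owns it. A missing record and a
    record owned by someone else both yield 404, so the endpoint does not
    confirm which IDs exist to a caller probing for them."""
    principal = authenticate(authorization_header)
    if principal is None:
        return Response(401, {"error": "unauthenticated"})
    record = CUSTOMERS.get(customer_id)
    if record is None or record["owner"] != principal:
        return Response(404, {"error": "not found"})
    return Response(200, record)


if __name__ == "__main__":
    bob = "Bearer tok-bob-41c"
    # Bob's token is valid, so the vulnerable handler hands him Alice's record.
    print(get_customer_vulnerable(bob, 1001).status)
    # The hardened handler refuses, and reveals nothing about ID 1001.
    print(get_customer_hardened(bob, 1001).status)
```

The check that matters is the single ownership comparison in the hardened handler; everything else (token validation, 401 handling) is identical in both versions, which is why a successful attack of this kind leaves nothing unusual in authentication logs.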
Firstbrook said that the API security aspects of the SolarWinds attack show how pivotal the issue really can be.
Through their implant in the SolarWinds Orion network monitoring software, the attackers gained access to an environment belonging to email security vendor Mimecast, he noted. And Mimecast, because it provides capabilities such as anti-spam and anti-phishing for Microsoft Office 365 customers, had access to the Office 365 API.
Through the Microsoft API key, the attackers gained access to the Exchange environments of a reported 4,000 customers, Firstbrook said. Mimecast, which published its report on the incident in March, declined to provide further comment to VentureBeat.
Ultimately, the incident underscores the need for a much greater focus on API security across industries, Firstbrook said.
"Part of the supply chain is built on APIs," he said. "We really need to build a best practice around managing and understanding APIs, and securing APIs."