API Management / Security

Privacy Gains Prominence as an API Security Concern

3 Mar 2022 10:58am, by
How confident are you that your API inventory is complete?

Cyberwar gets the headlines, but the exposure of personally identifiable information (PII) via APIs is just as menacing for most companies. Identifying which APIs expose PII or sensitive data is named even more often than stopping attacks as an important attribute of an API security platform, according to Salt Security’s latest State of API Security report.

While stopping an attack is always a top priority, people realize that proactively addressing vulnerabilities and exploits is easier said than done.

According to Salt Labs’ data, the volume of attacks on APIs grew at twice the rate of overall API usage, which was itself increasing rapidly. Yet, in the face of these attacks, our biggest takeaway is that 30% of the 250+ survey respondents said they had an API-related problem with “sensitive data exposure/privacy incidents”, up from just 19% in Salt Security’s Q3 2021 study. In sharp contrast, API security problems due to “vulnerabilities” and “authentication” dropped from 55% to 39% and from 48% to 32% respectively.

Authentication problems may have declined because of technology adoption, but 94% of the exploited APIs Salt Labs studied were authenticated APIs. Furthermore, according to its customer data, 91% of APIs expose PII or personal data.

[Chart: API security problems experienced in the past year. Categories: vulnerability; breach; sensitive data exposure/privacy incident; authentication problem; denial of service; account misuse/other fraud; brute forcing or credential stuffing; enumeration and scraping.]

Documenting what APIs you have and what data they expose goes a long way towards addressing privacy concerns. Many people think they’ve come a long way in the last two years, but they may be overconfident. When the first State of API Security was published, 55% were somewhat or very confident that their API inventory was complete; that jumped to 72% in the latest study. When asked whether these API inventories provide enough detail, such as exposure to sensitive data, 75% are now at least somewhat confident, up from 61% a year ago.

When Salt Security actually engages with prospects and customers, the company at a minimum identifies 40% more APIs than previously known about. Forty-three percent were realistic enough to say that their biggest API security concern is “zombie” or outdated APIs.
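As an added illustration of the two inventory gaps discussed above (this is constructed example code, not Salt Security’s tooling or code from the article), the Python snippet below flags documented operations whose response schemas carry PII-looking field names and lists paths seen in gateway access logs that the OpenAPI spec never mentions; the spec fragment, the log lines and the PII keyword list are all assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed OpenAPI-style fragment (not a real service): two documented operations.
SPEC = {
    "paths": {
        "/users/{id}": {"get": {"responses": {"200": {"content": {"application/json": {"schema": {
            "properties": {"id": {}, "email": {}, "ssn": {}, "display_name": {}}}}}}}}},
        "/orders/{id}": {"get": {"responses": {"200": {"content": {"application/json": {"schema": {
            "properties": {"id": {}, "total": {}}}}}}}}},
    }
}

# Constructed gateway access-log lines: the last path appears in no spec at all.
ACCESS_LOG = [
    "GET /users/42 200",
    "GET /orders/7 200",
    "GET /v1/legacy/export/1001 200",
]

# Assumed keyword list; a real deployment would tune this to its own data classification.
PII_PATTERN = re.compile(r"(email|ssn|phone|birth|dob|passport|address|name)", re.I)

def schema_properties(op: dict) -> List[str]:
    """Collect property names from every JSON response schema of one operation."""
    names: List[str] = []
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            names.extend(media.get("schema", {}).get("properties", {}).keys())
    return names

def pii_exposing_operations(spec: dict) -> Dict[str, List[str]]:
    """Map 'METHOD /path' to the response fields whose names look like PII."""
    found: Dict[str, List[str]] = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            hits = [f for f in schema_properties(op) if PII_PATTERN.search(f)]
            if hits:
                found[f"{method.upper()} {path}"] = hits
    return found

def normalize(path: str) -> str:
    """Replace numeric path segments with {id} so logged paths match spec templates."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def undocumented_paths(spec: dict, log_lines: List[str]) -> Set[str]:
    """Observed (normalized) paths that have no entry in the spec: inventory gaps."""
    documented = set(spec["paths"])
    observed = {normalize(line.split()[1]) for line in log_lines}
    return observed - documented
```

Running both functions over a real spec and a day of gateway logs gives a first cut of the “which APIs expose PII” and “undocumented APIs” lists the survey respondents asked for.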

Exposure of sensitive information is not a new problem, but the prominence of API-first companies makes the issue more important than ever. In this re-imagined world, APIs may work exactly as they were designed to, but when 50 million LinkedIn records are exposed, “working as designed” just sounds like an excuse. Michelle McLean, Salt Security’s VP of Marketing, told The New Stack that while data exfiltration is clearly not a new problem, the mechanism of manipulating APIs is entirely new.

[Chart: attributes desired in an API security platform. Categories: stop attacks; identify all APIs, including undocumented APIs; identify which APIs expose PII or sensitive data; improve API security posture; streamline API incident response and investigations; cover the OWASP API Security Top 10; meet compliance or regulatory requirements.]

When thinking about what they need from an API security platform, 81% rank identifying which APIs expose PII or sensitive data as 4 (important) or 5 (highly important), while 65% rate “stopping attacks” that way. Source: Salt Security’s State of API Security – Q1 2022

Odds and Ends

Privacy and API-First

  • Perhaps GGV Capital gained some inspiration from articles on API-first culture before it published its API-First Index earlier this week. The index lists 50 developer-focused companies that are commercializing APIs. Their definition of API-first is much looser than the one set out by Postman’s Kin Lane and had significant overlap with the much larger API Landscape maintained by Platformable. One company that stood out was Skyflow, which is building APIs to deliver security, compliance and governance — aka, privacy — via APIs. Insight Partners, which owns The New Stack, has invested in Skyflow.
  • Anecdotally, lawyers, privacy and compliance officers are not paying attention to API security. If this topic does not get on their radar, it will not matter how much cooperation there is between DevOps, developers, SOC analysts and the rest of security. To properly inventory and protect PII, the equivalent of a chief data officer also needs to be involved.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Postman.