Privacy Gains Prominence as an API Security Concern
Cyberwar gets the headlines, but the exposure of personally identifiable information (PII) via APIs is just as menacing for most companies. According to Salt Security’s latest State of API Security report, identifying which APIs expose PII or sensitive data is named as a desired attribute of an API security platform more often than even stopping attacks.
While stopping an attack is always a top priority, people realize that proactively addressing vulnerabilities and exploits is easier said than done.
According to Salt Labs’ data, the volume of attacks on APIs grew at twice the rate of overall API usage, which was itself already rising sharply. Yet, in the face of these attacks, our biggest takeaway is that 30% of the 250+ survey respondents said they had experienced an API-related problem involving “sensitive data exposure/privacy incidents”, up from just 19% in Salt Security’s Q3 2021 study. In sharp contrast, API security problems attributed to “vulnerabilities” dropped from 55% to 39%, and those attributed to “authentication” from 48% to 32%.
Authentication problems may have declined because of technology adoption, but 94% of the API exploits Salt Labs studied targeted authenticated APIs. Furthermore, according to its customer data, 91% of APIs expose PII or personal data.
Documenting what APIs you have and what data they expose goes a long way towards addressing privacy concerns. Many people think they’ve come a long way in the last two years, but they may be overconfident. When the first State of API Security was published, 55% were somewhat or very confident that their API inventory was complete; that jumped to 72% in the latest study. When asked whether these API inventories provide enough detail, such as exposure to sensitive data, 75% are now at least somewhat confident, up from 61% a year ago.
When Salt Security actually engages with prospects and customers, it identifies at least 40% more APIs than the organization previously knew about. Forty-three percent of respondents were realistic enough to say that their biggest API security concern is “zombie” or outdated APIs.
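The inventory detail the survey asks about, which endpoints return sensitive fields, can be derived from an API’s own OpenAPI description. The Python below is an added example, not code from Salt Security or the report: it walks a constructed OpenAPI fragment, follows $ref pointers, and flags response fields whose names match PII patterns; the sample spec, its endpoints and the pattern list are all assumptions.

```python
import re
SPEC = {  # constructed OpenAPI 3 fragment (not from any real service)
    "paths": {
        "/users/{id}": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/orders": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "array", "items": {"$ref": "#/components/schemas/Order"}}}}}}}},
        "/health": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "object", "properties": {"status": {"type": "string"}}}}}}}}},
    },
    "components": {"schemas": {
        "User": {"type": "object", "properties": {"email": {"type": "string"}, "ssn": {"type": "string"},
                 "address": {"$ref": "#/components/schemas/Address"}}},
        "Address": {"type": "object", "properties": {"street": {"type": "string"},
                    "phone_number": {"type": "string"}}},
        "Order": {"type": "object", "properties": {"customer": {"$ref": "#/components/schemas/User"}}},
    }},
}
# Heuristic field-name patterns that usually carry PII; tune the list per organisation.
PII_PATTERNS = re.compile(r"email|ssn|phone|passport|birth|street|address", re.I)

def _walk(spec, schema, path, out, seen):
    """Collect dotted property paths whose names look like PII (array items shown as [])."""
    while "$ref" in schema:  # follow local $ref pointers into components/schemas
        schema = spec["components"]["schemas"][schema["$ref"].rsplit("/", 1)[-1]]
    if id(schema) in seen:  # stop on recursive schemas
        return
    seen.add(id(schema))
    if schema.get("type") == "array" and "items" in schema:
        _walk(spec, schema["items"], path + "[]", out, seen)
    for name, sub in schema.get("properties", {}).items():
        full = f"{path}.{name}" if path else name
        if PII_PATTERNS.search(name):
            out.append(full)
        _walk(spec, sub, full, out, seen)

def inventory_pii(spec):
    """Map 'METHOD /path' -> sorted PII-looking fields found in its JSON responses."""
    report = {}
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            fields = []
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    if "schema" in media:
                        _walk(spec, media["schema"], "", fields, set())
            if fields:  # operations exposing no PII are left out of the inventory
                report[f"{method.upper()} {path}"] = sorted(set(fields))
    return report
```

A spec-driven inventory only covers documented APIs; the undocumented and zombie endpoints Salt reports finding need traffic-based discovery as well.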
Exposure of sensitive information is not a new problem, but the prominence of API-first companies makes the issue more important than ever. In this re-imagined world, APIs may work exactly as they were designed to, but when 50 million LinkedIn records are exposed, that just sounds like an excuse. Michelle McLean, Salt Security’s VP of Marketing, told The New Stack that while data exfiltration is clearly not a new problem, the mechanism of manipulating APIs is entirely new.
Odds and Ends
Privacy and API-First
- Perhaps GGV Capital gained some inspiration from Karthik Krishnaswamy’s articles on API-first culture before it published its API-First Index earlier this week. The index lists 50 developer-focused companies that are commercializing APIs. Their definition of API-first is much looser than the one set out by Postman’s Kin Lane and has significant overlap with the much larger API Landscape maintained by Platformable. One company that stood out was Skyflow, which is building APIs to deliver security, compliance and governance — aka, privacy — via APIs. Insight Partners, which owns The New Stack, has invested in Skyflow.
- Anecdotally, lawyers, privacy and compliance officers are not paying attention to API security. If this topic does not get on their radar, it will not matter how much cooperation there is between DevOps, developers, SOC analysts and the rest of security. To properly inventory and protect PII, the equivalent of a chief data officer also needs to be involved.