IT Brief UK - Technology news for CIOs & IT decision-makers
Protect your APIs from cybercriminals before it's too late
Thu, 21st Sep 2023

APIs have become the backbone of modern commerce and are key for connecting businesses to customers. However, lurking beneath their transformative power lies a potential for chaos. Without proper security measures, they are gateways that can leave organisations wide open to risks and vulnerabilities. 

Gartner predicted that APIs would become the prime target for attacks in 2022. For example, the Optus breach exposed as many as 10 million users to potential identity theft and fraud through an API that did not require authorisation. That's not all: the recent T-Mobile breach left a staggering 37 million people exposed in its wake and cost the company $350m.

These incidents should serve as a grim reminder of API vulnerabilities and the potential impact of attacks on businesses and users. With the increasing reliance on APIs for data sharing, integration, and communication between different systems and applications, they have become a bull's-eye target for cybercriminals.

So, to keep your organisation safe from cyber-attacks, you have to be proactive. Implementing strong security protocols is a must-do to make sure your APIs are locked down tight. 

Protect your APIs 

So, what’s the first step to protecting your API? You need to know where your APIs are, who's using them, and how they're being accessed. This intel is key because API deployment expands your attack surface, making you vulnerable to threats. The more exposed those APIs are, the greater the chance a cybercriminal might find a weak spot. So, locate those APIs, gain full visibility, and include them in your vulnerability management processes.  

Now, APIs bring convenience and operational efficiency, but they can also open doors for malicious actors. If your APIs are internet-facing, it's time to control the requests with rate-limiting and enforce authentication for each interaction. Think of it as having bouncers to grant access only to trusted users or systems. And let's not forget about the cryptographic signing of requests. It's like having a VIP list with private keys, ensuring only the right folks get access to your data. 
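As an added example (not code from the article), the following shows how those three controls fit together on the server side: an HMAC signature over the method, path, timestamp and body hash, a time window that rejects stale (replayed) signatures, and a per-client sliding-window rate limit. The client IDs, shared secret and limits are constructed for illustration.

```python
import hashlib
import hmac
import time
from collections import deque

# Constructed shared secret for the illustration; in practice each client gets its own key.
CLIENT_KEYS = {"client-a": b"constructed-demo-secret"}
MAX_SKEW_SECONDS = 300          # signatures older than five minutes are treated as replays
RATE_LIMIT = 5                  # accepted requests allowed per client per window
RATE_WINDOW_SECONDS = 60

def canonical_string(method, path, timestamp, body):
    """Fields covered by the signature; changing any of them invalidates it."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()

def sign_request(client_id, method, path, body, now=None):
    """Client side: produce the headers a trusted caller attaches to its request."""
    timestamp = str(int(now if now is not None else time.time()))
    mac = hmac.new(CLIENT_KEYS[client_id], canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-Client-Id": client_id, "X-Timestamp": timestamp, "X-Signature": mac.hexdigest()}

class RequestGate:
    """Server side: authenticate by HMAC first, then apply the per-client rate limit."""
    def __init__(self):
        self._recent = {}  # client_id -> deque of accepted request times
    def check(self, method, path, body, headers, now=None):
        now = now if now is not None else time.time()
        client_id = headers.get("X-Client-Id")
        key = CLIENT_KEYS.get(client_id)
        if key is None:
            return "reject: unknown client"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return "reject: bad timestamp"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "reject: stale signature"
        expected = hmac.new(key, canonical_string(method, path, str(ts), body), hashlib.sha256).hexdigest()
        # compare_digest runs in constant time, so a mismatch leaks nothing about the expected value
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "reject: bad signature"
        window = self._recent.setdefault(client_id, deque())
        while window and now - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()   # drop accepted requests that have aged out of the window
        if len(window) >= RATE_LIMIT:
            return "reject: rate limited"
        window.append(now)
        return "accept"
```

Only requests that pass the signature check count against the rate limit, so an unauthenticated flood cannot exhaust a legitimate client's quota.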

Another tactic is 'layering.' Instead of relying on just one security measure, layering combines multiple defences such as linting, static analysis, dependency checks, and active scanning in your DevOps pipeline. This layered approach helps you find errors and vulnerabilities before they reach production and cause irreparable damage to your systems and business.

Also, active scanning is key as part of your preventative measures. Consider it a linchpin for strong security that detects vulnerabilities in real time. It paints a full picture of your system, from the API structure to the operating system, server software, and network security.  

Cost-cutting is made easy with API scanning tools 

API scanning tools with cloud account syncing capabilities are the solution for companies looking to cut costs and enhance their cybersecurity defences. 

These powerful tools offer improved visibility across DevOps teams, simplifying the detection of inactive systems and vulnerable resources that can accumulate risks over time. By swiftly identifying and removing these unnecessary elements, companies can save money and build strong defences against cyber attacks. That’s why investing in API scanning tools is a savvy and budget-friendly strategy to stay one step ahead in today's rapidly evolving cyber threat landscape. 

Strengthening security together 

In many small tech companies, having a dedicated security team or role isn’t the norm. Instead, network security becomes a shared responsibility, with whoever is available taking charge. This collaborative approach fosters a democratic view of security, where every team member understands how security impacts the business and takes steps to prevent incidents. However, it's crucial to remember the saying that if everyone is responsible, no one is responsible. While security is a collective effort, senior stakeholders should ultimately bear the responsibility. 

In smaller companies, CTOs often lead API security efforts. However, it's vital for DevOps teams and engineers to contribute to infrastructure management and adopt a DevSecOps approach actively. This means integrating security throughout the entire software development life cycle. 

Furthermore, effective communication plays a pivotal role in security for any business. That's where tools like Slack and Teams come in handy. With these channels, businesses can stay on top of security issues with instant alerts and team messaging.  

What lies ahead? 

API security should be at the top of the 'to-do' list for businesses operating in the digital realm. Cybercriminals do not discriminate between businesses, whether you're big or small or in any particular industry. No one is spared, and the aftermath of a breach can be downright devastating. So, no business should take the risk of even the tiniest security slip-up lightly.

Luckily, there are a bunch of effective steps businesses can take to beef up their API security. By implementing these measures, you can lay a solid foundation for your security defences and rest easy, knowing your systems are well-guarded. It's all about staying ahead of the game and keeping those security risks at bay.