Offering APIs for external service integrations is important, but poor security practices in API access and design can put your organization in danger.
In the Everything as a Service, cloud-connected world, offering APIs for third-party access to features or data from your products is a practical necessity to participate in ecosystems you do not own. Whether it is for integration as an Alexa Skill on Amazon Echo smart speakers, or integrating your product with social networking and communication tools like Facebook or Slack, allowing your service to interact with products familiar to millions of consumers is a major driver of business growth for most software firms.
Ensuring that these publicly accessible APIs are hardened against abuse is vital to avoid putting your organization at risk, as malicious actors are increasingly using poorly secured APIs as an attack vector. The potential risk involved with poor API security can be seen firsthand in the fallout from the Facebook data privacy scandal, as researchers from Cambridge Analytica allegedly abused Facebook API access permissions to harvest account information for up to 87 million profiles.
As a result of this high-profile attack, organizations should place an emphasis on ensuring their APIs are properly secured, though awareness of the problem may not be as high as it should be. According to a survey of 100 security and IT professionals conducted by Ping Identity and published on Monday, 45% of respondents indicated that they are not confident in the ability of their security team to detect whether a malicious actor is abusing their API access. More than half (51%) indicated that they are not confident their security team is aware of all of the APIs that exist in their organization; likewise, a quarter of respondents claim to have over 1,000 APIs in their organization.
The survey also indicates increasing worries about governments targeting weaknesses in APIs, with 75% of respondents reporting that they believe nation-states will do so within the next year. This month, a pact was introduced by French President Emmanuel Macron to ensure that governments do not engage in such practices. Though 51 countries signed on, the US, Russia, China, Iran, Israel, and North Korea declined to sign.
What's your view?
Have you had an API user abuse access in your organization? Do you implement rate limiting or other protections in APIs you provide? Share your experiences in the comments.
The big takeaways for tech leaders:
- 45% of security and IT professionals lack confidence in their security team to detect malicious API access, and 51% are not confident their security team is aware of all APIs existing in their organization. -- Ping Identity, 2018
- 75% of respondents said they believe that nation-states will attack APIs within the next year. -- Ping Identity, 2018