API security is widely being considered, yet breaches continue to plague many organizations. What are the biggest mistakes organizations are making when it comes to API security?
APIs hold great promise for businesses, with the potential for exponential growth in transactions and revenues, but they also impose a major security risk, unlike anything cybersecurity experts have trained and prepared for. APIs are information highways connecting the world to the crown jewels of every business. The result is an infrastructure that creates full connectivity, with security that has to rely on configuration instead of segmentation.
Moreover, the dramatic revolution of APIs doesn’t stop at the architecture level; it can also be found in the development cycles. Because APIs are in the front, responsible for the customer experience, API developers are under continuous pressure from business objectives to ship updates at a fast pace. With such a super-agile development cycle, incidents seem almost inevitable. In other words, the whole situation is really insecurity by design.
Failing to understand this uniqueness of APIs is the biggest mistake organizations make with respect to security. APIs and existing cybersecurity approaches, best practices and technologies simply don’t go together. In particular, one cannot rely on a WAF, which was never designed to learn the business logic, in order to protect one’s API.
Another fatal mistake organizations make is underestimating the threat to their APIs and assuming that the basic level of authentication provided by an API gateway is sufficient to avoid breaches.
The common basis for all of these critical mistakes is the lack of awareness with regard to the reality created by APIs. Understanding who and what threatens APIs is the first step to better assessing the risk.