APIs leave businesses open to attack

APIs are designed to be fast and easy pipelines between different platforms. They offer convenience and user experience which makes APIs essential to many businesses, but it also makes them attractive targets for cybercriminals.

A new report from Akamai, produced in collaboration with Veracode, highlights the frustrating pattern of API vulnerabilities, despite improvements that have been made in software development life cycles (SDLCs) and testing tools.

Often, API security is relegated to an afterthought in the rush to bring apps to market, with many organizations relying on traditional network security solutions that are not designed to protect the wider attack surface that APIs can introduce.

"From broken authentication and injection flaws, to simple misconfigurations, there are numerous API security concerns for anyone building an internet-connected application," says Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report. "API attacks are both underdetected and underreported when detected. While DDoS attacks and ransomware are both major issues, attacks on APIs don’t receive the same level of attention, in large part because criminals use APIs in ways that lack the splash of a well executed ransomware attack, but that doesn’t mean they should be ignored."

Part of the problem is that APIs are often hidden within mobile apps, leading to the belief that they are safe from manipulation. Developers make the assumption that users will only interact with the APIs via the mobile user interface (UI), but the report points out that's not the case.

"To add more fuel to the fire, API calls are easier and faster to automate (by design!) -- a double-edged sword that benefits developers as well as attackers," notes Chris Eng, chief research officer at Veracode.

The full report is available on the Akamai site.

Image Credit: totallyPic.com / Shutterstock