Will AI transform how we secure APIs? [Q&A]
Digital services, including Generative AI, rely heavily upon Application Programming Interfaces (APIs) to access and relay data. But securing these conduits can be difficult so is this a problem that AI could help solve?
We spoke to James Sherlow, systems engineering director, EMEA, at Cequence Security, to find out how Generative AI might be used to address API security.
BN: Why is API security problematic?
JS: APIs are easily exploitable because they are so numerous and are poorly managed. Almost a third of malicious requests are targeted at shadow APIs, that is APIs that the organization is not aware of and so does not monitor or update. Discovery is therefore a must to ensure APIs remain visible, are monitored and managed i.e. updated and deprecated correctly.
What few realize, however, is that even APIs that are well-coded and managed can be susceptible to business logic abuse. This sees the attacker study and use calls sent to the API to subvert it and gain access to other APIs or sensitive data. As the calls look legitimate, such attacks can be very difficult to detect.
Solutions such as Web Application Firewalls (WAFs) that look for signature-based attacks have been used in the past to monitor APIs, but these fail to spot the more subtle reconnaissance and exploitation associated with business logic abuse. Dedicated API security solutions resolve this by using behavioural analysis to look for attack patterns. Now GenAI could now help take this approach a step further.
BN: How could AI be used to complement machine learning and behavioural-based detection?
JS: Machine Learning algorithms are already being used to identify anomalous traffic patterns, but AI can be used to generate the rules, policies and models off the back of these to ensure continuous protection without the need for manual intervention. What's more, the two approaches can be used to look for and analyse various threat patterns concurrently so that threat hunting can take place across multiple API endpoints at the same time, dramatically improving the ability to detect and respond to threats.
BN: As API deployments grow, do we need to look at classification and prioritisation?
JS: Automatic identification of API hosts by established vendors will enable all APIs to be accounted for, eradicating the problem of shadow APIs, but monitoring a vast API estate will undoubtedly require those APIs to be assessed according to risk and protected accordingly. By customizing API definitions, teams will be able to categorize and catalogue APIs according to usage.
Similarly, by personalizing the discovery process it will become possible to pinpoint API hosts of interest -- such as those associated with particular product teams or hosting AI applications -- to enable threat detection and response specific to those.
Classification and prioritization cannot live in an island, this must feed into existing workflow tooling to ensure operational success.
BN: Could AI and ML help with testing APIs?
JS: Testing APIs is critical to ensure that they have been securely coded it's a complex undertaking. AI can help here by creating authentication profiles to test APIs using multiple user personas and privileges, for instance, allowing validation in the context of numerous users. Test cases, which are typically manually created today, could also be automated and made adaptive so that the API groups can be tested in response to different threat scenarios significantly reducing developer workloads.
Gen AI will be able to assist in converting what ML and behavioural based detection find into robust test plans, to ensure pre-production APIs are tested in complex ways that real adversaries are looking to abuse them.
BN: Large Language Model (LLM) applications are heavily dependent on APIs, so will we see AI used to test AI APIs?
JS: LLM applications rely on APIs so there is concern that APIs could be used to attack them. Helpfully, the OWASP Top 10 for LLMs and Generative AI apps identifies the most pressing vulnerabilities, with prompt injection, insecure output handling and training data poisoning topping the list. Organizations need to ensure they test and evaluate their generative applications against these threats, and this can be done by using synthetic traffic to identify vulnerabilities. AI-enabled testing can perform this process and provide the developer with the findings and recommendations on how to correct any issues, ensuring LLMs and GenAI apps are secure and are correctly catalogued, authenticated and audited prior to deployment.
BN: How important will AI be in securing APIs going forward?
JS: AI is going to become integral to security. If we look at reporting, for example, it will prove invaluable in helping to naturalise reporting requests, enabling teams to easily generate different reports from a security and a business context to give the right kind of information and visibility to each interested party. In this way it will eliminate the obstacle that has plagued the security function which is how do you communicate risk and exposure to the board effectively?
AI is here to stay but the sheer scale of APIs being deployed by organizations and the need to test and monitor these will see the technology become indispensable. In 2023, 71 percent of web traffic was identified as API with 1.5 billion calls to the average organization and that's only going to increase as we begin to see GenAI apps used in a commercial context. Those apps will in turn become a top target for attackers, so we really are going to need to use AI to secure AI. In many respects, AI promises to be a real boon in protecting APIs as it will allow us to become far more discerning in how secure these conduits and will take much of the pressure off developers when it comes to remediation.
Image Credit: Alexandersikov/Dreamstime.com