Use Cases and Challenges of API Security

Application programming interfaces, or APIs, are the glue that holds modern applications together, which makes them both indispensable to developers and an increasingly common attack vector. APIs connect separate software systems and let them exchange data, so businesses can build on existing internal and third-party functionality to bring new features to market quickly. 

However, the data flowing between these systems is also an attractive target for attackers, who frequently exploit weak authentication and authorization to steal or alter customers' data, jeopardize its availability and put sensitive backend systems at risk. Protecting APIs should therefore be a key concern for identity and security leaders. 

This post is the first in a series on API security. It provides a primer on the use cases for API security, the challenges specific to it and how AI-based anomaly detection can strengthen the detection and mitigation of API-based attacks. 

Rapid growth requires rigorous security   

APIs are built for fast and agile development. Rather than reinventing the wheel for each new feature, teams reuse pre-built functionality and data access points, which streamlines development and shortens time to market. As such, APIs play a key role in digital transformation: they enable feature-rich digital applications, microservices architectures and new revenue streams and partnerships. 

But as businesses aggressively pursue digital transformation, developers working with unfamiliar frameworks may introduce vulnerabilities into applications or APIs. And as API usage fuels rapid release cycles across industries, even experienced API developers may inherit flaws from third-party dependencies or overlook security in the rush to ship new features. 

Uses of API security for protecting customers  

When it comes to identity theft, we often think of threats that target customers directly, such as credential stuffing and social engineering attacks. We also consider more sophisticated methods like SIM swaps and device takeovers. But these are far from the only means fraudsters use to gain access to customer data and accounts. 

Insecure, outdated and broken APIs are becoming an increasingly common attack vector. Nearly half of the 2023 OWASP API Security Top 10 concerns authentication and authorization: Broken Object Level Authorization, Broken Authentication, Broken Object Property Level Authorization and Broken Function Level Authorization are four of the ten entries. Vulnerabilities in third-party APIs are reported to have been the cause of over 50% of data breaches in 2022, and analysts predict this trend will only increase as API usage continues to grow.  

API security protects customers by ensuring their data remains secure and available, enabling a variety of use cases for customer identity security, including: 

  • Discovering all your applications’ APIs in order to keep them up-to-date and secure. 
  • Preventing customer data exposure that can occur when attackers intercept API requests. 
  • Reducing the risk of account takeover by protecting APIs used for secure login, two-factor authentication and password resets.
  • Ensuring the availability of customer data by preventing Distributed Denial of Service (DDoS) attacks that use high-volume requests in order to knock services offline.  
  • Protecting data from being altered in transit to ensure attackers do not manipulate user transactions or inject malicious code into the data returned to users.
  • Securing privileged access by ensuring that only authorized users can access sensitive systems.
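The authorization failures the OWASP list points at are easy to introduce because the caller really is authenticated; what is missing is the link between the caller and the object. The following is an added illustration, not code from this post or from Transmit Security: a hypothetical account-lookup handler with Broken Object Level Authorization (API1:2023) beside a hardened version, and a small loop that plays the attacker walking sequential IDs with one valid session. The in-memory data, handler names and response shapes are assumptions made for the example.

```python
"""Added illustration of Broken Object Level Authorization (OWASP API1:2023):
a lookup handler that trusts the caller-supplied object ID, beside one that
also checks ownership. Hypothetical in-memory service; all names, data and
response shapes are assumptions made for the example."""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str          # username of the authenticated principal who owns it
    balance_cents: int
    iban: str


# Constructed sample data standing in for a database table.
ACCOUNTS = {
    1001: Account(1001, "alice", 250_00, "DE89370400440532013000"),
    1002: Account(1002, "bob", 99_00, "GB29NWBK60161331926819"),
    1003: Account(1003, "carol", 12_000_00, "FR7630006000011234567890189"),
}


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def _render(acct: Account) -> dict:
    return {"owner": acct.owner, "balance_cents": acct.balance_cents, "iban": acct.iban}


def get_account_vulnerable(session_user: str, account_id: int) -> Response:
    """GET /accounts/{id} as it is often first written: the caller is
    authenticated, but nothing ties the requested ID to that caller, so any
    logged-in user can read any account (BOLA)."""
    if not session_user:
        return Response(401, {"error": "unauthenticated"})
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return Response(404, {"error": "not found"})
    return Response(200, _render(acct))


def get_account_hardened(session_user: str, account_id: int) -> Response:
    """Same endpoint with object-level authorization. The ownership check is
    keyed on the server-side session identity, never on anything the client
    sends. Unowned and non-existent IDs get the same 404 so the endpoint
    cannot be used to learn which IDs exist."""
    if not session_user:
        return Response(401, {"error": "unauthenticated"})
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        return Response(404, {"error": "not found"})
    return Response(200, _render(acct))


def enumerate_accounts(handler: Callable[[str, int], Response],
                       session_user: str, id_range: Iterable[int]) -> dict:
    """Plays the attacker: one valid session walks sequential IDs and keeps
    every account the handler hands back, mapped to its real owner."""
    leaked = {}
    for account_id in id_range:
        resp = handler(session_user, account_id)
        if resp.status == 200:
            leaked[account_id] = resp.body["owner"]
    return leaked


if __name__ == "__main__":
    # Bob's session against both handlers over a small ID window.
    print("vulnerable:", enumerate_accounts(get_account_vulnerable, "bob", range(1000, 1010)))
    print("hardened:  ", enumerate_accounts(get_account_hardened, "bob", range(1000, 1010)))
```

The fix is not a stronger login check: Bob is genuinely authenticated against both handlers. It is the single comparison of the record's owner with the session identity, which is why the OWASP list keeps broken authentication and broken object-level authorization as separate entries. Returning 404 rather than 403 for unowned IDs is a deliberate choice so the hardened endpoint does not confirm which IDs exist.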

Challenges of API security 

As businesses ramp up their use of APIs, they are becoming increasingly aware of the need to secure them, but doing so is easier said than done. APIs are a tempting target for attackers, not only because of the range of malicious behavior they enable, but because they are often the easiest way to gain a foothold in an application. 

This is due to a number of challenges in the realm of API security, including: 

  • The difficulty of discovery: Different departments often develop their own APIs or adopt third-party APIs that security teams never hear about, because the API is treated as an implementation detail. The problem compounds as applications grow more complex, as new versions are released alongside old ones, and as large organizations inherit entire API stacks through mergers and acquisitions.
  • Attacks enabled by easy-to-obtain information: Attackers can learn an API's endpoints and parameters from public documentation, or reverse-engineer them from client traffic, and then craft requests against it. Once an attack works, fraudsters may package it as configuration files for automated attack tools and sell those on the dark web, lowering the barrier to entry for less experienced attackers. 
  • The complexity of access control: Access decisions must account for the user's identity and attributes, their privacy preferences and the specific resource being requested. Static decision rules are therefore hard to write and harder to maintain, since they need continuous updates to keep from going stale. 

In addition to these challenges, the nature of API-based development complicates detection. Web pages and mobile apps built on APIs are composed of many loosely coupled components that make numerous discrete requests to deliver dynamic content, so attackers can spread malicious activity across many individually unremarkable API calls, making legitimate and fraudulent traffic much harder to tell apart.

Hand-written rules struggle to catch these subtle signals, but this kind of anomaly detection is exactly what AI-based solutions are built for. 

AI-based anomaly detection can improve API security

By analyzing API traffic metadata, machine-learning models learn what normal API traffic looks like for each consumer and flag requests that deviate from it in real time. Such models can surface attack patterns too subtle for a human writing heuristic rules to anticipate, and, because they keep learning from new data, they improve rather than degrade over time. The caveat is that a model only knows what it has been shown: a baseline collected while an attacker is already active, or one an attacker ramps up against slowly, will treat that activity as normal, so baselines need curation and periodic review.  

But the use cases for AI-based detection go well beyond better detection and faster adaptation to new threats. AI-based engines deliver a range of benefits for API security, such as:

  • Improving discovery and enforcing proper access control by determining which users are consuming which APIs
  • Reducing false positives by analyzing API requests within the context of historical behavior and activities 
  • Pinpointing suspicious behavior and broken or outdated APIs by analyzing error rates for each user and understanding which calls are frequent, infrequent and new
  • Increasing efficiency by reducing the need for manual updates
  • Finding patterns in attacks that can uncover complex fraud rings and large-scale campaigns, enabling fraud teams to quickly create rules with high impact
  • Enhancing post-mortem investigations and real-time detection models using time-series anomaly detection to correlate past events with present threats and pinpoint anomalies and outliers during batch analyses.    
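What a per-consumer baseline of this kind looks like in practice, as an added example that is not the post's own model or any vendor's product: a deliberately simple statistical profile built from constructed JSON-lines access logs. It learns, for each user, the normal hourly request volume, error rate and set of route templates over a baseline window, then scores a review hour for volume spikes, error-rate jumps and routes the user has never called before (the per-user error rates and frequent, infrequent and new calls named in the list above), and it also illustrates why distributing an attack across many ordinary-looking requests still leaves a trace in aggregate. The log format, field names, window sizes and thresholds are assumptions, and the log lines are fabricated for the example. The scenario it flags is one user enumerating account IDs.

```python
"""Added example: per-consumer baselining over constructed API access logs.
A deliberately simple statistical profile, not the post's or any vendor's
model. Log format, field names, window sizes and thresholds are all
assumptions made for the example."""
import json
from collections import Counter, defaultdict
from statistics import mean, pstdev


def _lines(user, hour, route, status, n):
    """Build n constructed JSON-lines log records. Routes are normalised
    templates ("/v1/accounts/{id}"), the form an API gateway would log."""
    rec = {"hour": hour, "user": user, "route": route, "status": status}
    return [json.dumps(rec) for _ in range(n)]


BASELINE_HOURS = range(0, 5)   # hours used to learn what "normal" looks like
REVIEW_HOUR = 5                # hour being scored

# Constructed traffic: five quiet baseline hours, then a review hour in which
# "bob" walks account IDs (mostly 404s) and probes an admin route he never used.
LOG_LINES = []
for h in BASELINE_HOURS:
    LOG_LINES += _lines("alice", h, "/v1/accounts/{id}", 200, 20)
    LOG_LINES += _lines("alice", h, "/v1/transfers", 200, 5)
    LOG_LINES += _lines("alice", h, "/v1/accounts/{id}", 404, 1)
    LOG_LINES += _lines("bob", h, "/v1/accounts/{id}", 200, 10)
LOG_LINES += _lines("alice", REVIEW_HOUR, "/v1/accounts/{id}", 200, 22)
LOG_LINES += _lines("alice", REVIEW_HOUR, "/v1/transfers", 200, 4)
LOG_LINES += _lines("bob", REVIEW_HOUR, "/v1/accounts/{id}", 200, 50)
LOG_LINES += _lines("bob", REVIEW_HOUR, "/v1/accounts/{id}", 404, 250)
LOG_LINES += _lines("bob", REVIEW_HOUR, "/v1/admin/users", 403, 20)


def parse(lines):
    return [json.loads(line) for line in lines]


def build_profiles(records, baseline_hours):
    """Per-user profile from the baseline window: hourly volume mean/stddev,
    overall error rate and a Counter of the routes the user normally calls."""
    raw = defaultdict(lambda: {"per_hour": Counter(), "errors": 0, "total": 0, "routes": Counter()})
    for r in records:
        if r["hour"] not in baseline_hours:
            continue
        p = raw[r["user"]]
        p["per_hour"][r["hour"]] += 1
        p["total"] += 1
        p["errors"] += int(r["status"] >= 400)
        p["routes"][r["route"]] += 1
    profiles = {}
    for user, p in raw.items():
        hourly = [p["per_hour"].get(h, 0) for h in baseline_hours]
        profiles[user] = {
            "mean_per_hour": mean(hourly),
            "std_per_hour": pstdev(hourly),
            "error_rate": p["errors"] / p["total"],
            "routes": p["routes"],
        }
    return profiles


def score_hour(records, profiles, hour, z_threshold=3.0, error_delta=0.2):
    """Score one hour against the profiles. Returns {user: {signal: value}}
    containing only users with at least one signal."""
    by_user = defaultdict(list)
    for r in records:
        if r["hour"] == hour:
            by_user[r["user"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        signals = {}
        count = len(recs)
        error_rate = sum(r["status"] >= 400 for r in recs) / count
        routes = {r["route"] for r in recs}
        prof = profiles.get(user)
        if prof is None:
            signals["unknown_consumer"] = True      # no history at all
        else:
            # Floor the stddev at 1 so a perfectly regular baseline does not divide by zero.
            z = (count - prof["mean_per_hour"]) / max(prof["std_per_hour"], 1.0)
            if z > z_threshold:
                signals["volume_z"] = round(z, 1)
            if error_rate > prof["error_rate"] + error_delta:
                signals["error_rate"] = error_rate
            new_routes = sorted(routes - set(prof["routes"]))
            if new_routes:
                signals["new_routes"] = new_routes
        if signals:
            findings[user] = signals
    return findings


def analyze(lines=LOG_LINES):
    records = parse(lines)
    return score_hour(records, build_profiles(records, BASELINE_HOURS), REVIEW_HOUR)


if __name__ == "__main__":
    for user, signals in analyze().items():
        print(user, signals)
```

Each of bob's requests is a well-formed, authenticated call that a per-request rule would pass; only the per-user aggregate (volume, 404 share, an unfamiliar route) exposes the enumeration, which is the point of profiling consumers rather than inspecting requests in isolation. A production engine replaces the fixed thresholds with learned ones and adds dimensions such as client, source address and token age, but the shape stays the same: build a profile, then compare against it.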

The convergence of API security and identity protection

API security is a critical component of safeguarding modern software systems against cyber threats, including the protection of customer data that can be leveraged for account takeovers and other identity-based attacks. As fraudsters continue to target weak authentication and authorization in API attacks, robust API security strategies will become increasingly important for identity and security leaders alike. 

A holistic approach to client-side and API security can help businesses gain an end-to-end view of threats that target both end users and the APIs they interact with. And with AI-based solutions, they can gain proactive protection that keeps pace with fraudsters’ rapidly changing tactics. 

To learn more, stay tuned for our next blog in this series or contact Sales to find out how Transmit Security’s AI-based fraud detection can improve API security.

Authors

  • Danny Kadyshevitch, Senior Product Manager

    Danny Kadyshevitch is a Senior Product Manager at Transmit Security. He previously built and led product management for the company's Passwordless and MFA Services and now runs product management for Account Protection Services. Prior to Transmit Security, Danny gained extensive cybersecurity experience serving in the IDF's 8200 intelligence unit and spending seven years in Microsoft's Cloud Security division.

  • Rachel Kempf, Senior Technical Copywriter

    Rachel Kempf is a Senior Technical Copywriter at Transmit Security who works closely with the Product Management team to create highly technical, narratively compelling assets for customers and prospects. Prior to joining the team at Transmit Security, she worked as Senior Technical Copywriter and Editor-in-Chief for Azion Technologies, a global edge computing company, and wrote and edited blog posts and third-party research reports for Bizety, a research and consulting company in the CDN industry.