Jyoti Bansal is the founder and CEO of Harness and Traceable and the founder of Unusual Ventures.
When Chinese government-backed hackers accessed the Microsoft Exchange server in 2021, they didn’t break through tough firewalls to access the network. They came right in through an open door.
Application programming interfaces, or APIs, are the defined interfaces that let different software applications exchange data and “talk” with each other. Increasingly, hackers exploit vulnerabilities in these open portals to access sensitive data and wreak havoc.
APIs help companies deliver seamless customer experiences, but here’s the problem: Their use proliferates so quickly that most companies don’t even know which and how many APIs they are using—let alone how to protect them from attack. This is known as API sprawl.
It’s the No. 1 cybersecurity issue you’ve probably never heard of. And it’s only getting worse. As someone who works in software delivery and cybersecurity, I know how hard it is to protect these essential interfaces from malicious activity. Here’s why API security matters and what every company should do this year to protect their customers’ valuable data and trust.
In the 20th century, cybersecurity meant creating firewalls to restrict unauthorized users from accessing computer systems or networks. However, with the current demand for interconnectivity, software users require more. This is where APIs come into play.
As I wrote in a recent LinkedIn blog post: "If a protected network is like a walled compound, APIs are the doors and windows that allow for the free flow of traffic. They enable the countless convenient integrations we use daily, from the weather widget on the home screen of your computer to the mapping website that shows the nearest dentist to the PayPal checkout button on an e-commerce website."
Security breaches, like T-Mobile’s recent disclosure of a breach that affected approximately 37 million customers, are regular reminders of potential API vulnerabilities.
But API security is paramount when sensitive data is transferred—as in banking, telecommunications, healthcare or some government services. This year alone, hackers gained access to the sensitive health information of more than 41 million people in 482 confirmed cybersecurity breaches at U.S. hospitals, doctors' offices and other healthcare providers.
Between the loss of business and the cost of detection and response, the average security breach costs companies around $9.44 million. That’s why all businesses must get a handle on API security this year.
Here are three essential steps to lock down your APIs in 2023.
APIs offer essential access points for exchanging digital information with the outside world. However, their ubiquity has led to a significant challenge for many organizations, which easily lose track of the number of shadow or orphaned APIs hidden in outdated code. You can’t protect what you can’t see.
To further complicate matters, a company’s API landscape includes its API services and all the APIs that customers and end users have connected to them. So the first step in API security is to discover and catalog all the APIs in your applications. This can be a complex task, as APIs are constantly added and updated. My company recently signed a multimillion-dollar deal with a major U.S. bank just to inventory their APIs.
But a comprehensive and continuously updated catalog is only the start in identifying malicious activity or vulnerabilities that could compromise user data.
When it comes to home security, we embrace a host of best practices to stay safe (e.g., locking the door when we’re away or not leaving valuables by open windows). A similar common-sense protocol is critical for API security.
This starts with adopting API governance policies that ensure APIs are documented and meet specific security standards.
Since it won’t work to build firewalls around these open portals, governance policies are necessarily nuanced. They need to ensure APIs are reliable, scalable and reusable across the entire API landscape. Most importantly, APIs should never expose more data than what is necessary to service the user.
Failing to do so can result in disaster—such as when hackers took advantage of a broken API to allow anyone to view and modify the account details of any of the U.S. Postal Service system’s 60 million online customers.
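The two failure modes above, an API that hands any caller another customer's full record and lets them modify it, beside the hardened form that checks ownership and allow-lists the fields a user may read or write. This is an added illustration, not code from the article or from any of the systems it mentions; the account data, field names and `Forbidden` error are hypothetical.

```python
"""Constructed account endpoint: the 'vulnerable' handlers return and modify
any account for any caller; the 'hardened' ones check the caller owns the
account and allow-list readable and writable fields. All data is made up."""
from dataclasses import dataclass, asdict

@dataclass
class Account:
    account_id: int
    owner_user_id: int
    email: str
    display_name: str
    ssn_last4: str
    password_hash: str

# Stand-in for a database table (constructed sample rows).
ACCOUNTS = {
    1001: Account(1001, 7, "alice@example.com", "Alice", "1234", "<hash>"),
    1002: Account(1002, 8, "bob@example.com", "Bob", "9876", "<hash>"),
}

class Forbidden(Exception):
    pass

def get_account_vulnerable(caller_user_id, account_id):
    """Any caller, any account, every column: the 'broken API' pattern."""
    return asdict(ACCOUNTS[account_id])

def update_account_vulnerable(caller_user_id, account_id, changes):
    """Applies whatever fields the client sends; ownership is never checked."""
    for field, value in changes.items():
        setattr(ACCOUNTS[account_id], field, value)

READ_FIELDS = ("account_id", "email", "display_name")   # what the profile page needs
WRITE_FIELDS = ("email", "display_name")                # what a user may change

def is_owner(caller_user_id, account_id):
    account = ACCOUNTS.get(account_id)
    return account is not None and account.owner_user_id == caller_user_id

def get_account_hardened(caller_user_id, account_id):
    # Same error for missing and foreign accounts, so ids cannot be enumerated.
    if not is_owner(caller_user_id, account_id):
        raise Forbidden("not your account")
    return {f: getattr(ACCOUNTS[account_id], f) for f in READ_FIELDS}

def update_account_hardened(caller_user_id, account_id, changes):
    if not is_owner(caller_user_id, account_id):
        raise Forbidden("not your account")
    unknown = set(changes) - set(WRITE_FIELDS)
    if unknown:  # reject attempts to set owner_user_id, password_hash, etc.
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    for field, value in changes.items():
        setattr(ACCOUNTS[account_id], field, value)
    return get_account_hardened(caller_user_id, account_id)
```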
Technologies like smart cameras and AI have revolutionized security and surveillance in our everyday lives. Even basic systems automatically flag suspicious activities, recognizing patterns and bad actors. When it comes to API security, this kind of intelligent surveillance is equally essential.
With APIs accounting for over half the internet traffic in many countries, it’s impossible for anyone, or even a team, to spot threats by hand. But with AI and machine learning, it’s possible to monitor and identify issues in real time. The latest automated tools analyze spikes and other anomalies and alert human security teams when something is off. This enables even small companies to safely offer concierge customer experiences without having to employ an army of cybersecurity experts.
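A small, added illustration of two of the steps above run over one API access log: building an inventory of the endpoints actually being called and flagging any that are missing from the documented catalog (the shadow APIs of the discovery step), and flagging a client whose per-minute request rate spikes far above the log-wide baseline (the monitoring step). The log lines, catalog, log format and threshold are constructed for this example and are not from the article or any product it mentions.

```python
"""Constructed API access-log analysis: shadow-endpoint inventory and
per-client request-rate spike detection. Log format, catalog and the
spike factor are all made up for this example."""
import re
import statistics
from collections import Counter

# Constructed format: "<ISO timestamp> client=<ip> <METHOD> <path> <status>"
LINE = re.compile(r"^(\S+T\d\d:\d\d):\d\d\S* client=(\S+) (\w+) (\S+) (\d{3})$")

# Documented catalog, with numeric path segments written as {id}.
CATALOG = {"GET /v1/accounts/{id}", "PATCH /v1/accounts/{id}", "POST /v1/login"}

def normalize(path):
    """Collapse numeric ids so /v1/accounts/1001 and /1002 count as one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def parse(log_text):
    """Returns (minute, client, 'METHOD /template', status) per valid line."""
    records = []
    for line in log_text.strip().splitlines():
        m = LINE.match(line)
        if m:
            minute, client, method, path, status = m.groups()
            records.append((minute, client, f"{method} {normalize(path)}", int(status)))
    return records

def shadow_endpoints(records):
    """Endpoints seen in traffic but absent from the catalog, with hit counts."""
    seen = Counter(ep for _, _, ep, _ in records)
    return {ep: n for ep, n in seen.items() if ep not in CATALOG}

def spiking_clients(records, factor=5):
    """Clients whose requests in any one minute exceed factor x the median
    per-client-per-minute count across the whole log."""
    per_bucket = Counter((minute, client) for minute, client, _, _ in records)
    baseline = statistics.median(per_bucket.values())
    return sorted({client for (_, client), n in per_bucket.items() if n > factor * baseline})

# Constructed sample: a few normal calls, one undocumented endpoint, and one
# client walking through account ids with 40 requests in a single minute.
SAMPLE_LOG = "\n".join(
    ["2023-03-01T10:00:01Z client=198.51.100.7 GET /v1/accounts/1001 200",
     "2023-03-01T10:00:05Z client=198.51.100.7 PATCH /v1/accounts/1001 200",
     "2023-03-01T10:00:09Z client=198.51.100.9 POST /v1/login 200",
     "2023-03-01T10:01:02Z client=198.51.100.9 GET /v1/accounts/1002 200",
     "2023-03-01T10:01:30Z client=198.51.100.9 GET /v2/internal/export 200"]
    + [f"2023-03-01T10:01:{i:02d}Z client=203.0.113.5 GET /v1/accounts/{2000 + i} 200"
       for i in range(40)]
)
```

In a real deployment the catalog would come from the API specifications and the baseline from a longer history than one log, but the two checks are the same.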
API security has largely flown under the radar, even as malicious actors have increasingly been helping themselves to private and sensitive data.
Moving forward, only companies that prioritize API security will earn the trust of users and consumers while saving themselves the cost and headaches of a massive data breach.
API security is not a one-and-done proposition but rather an ongoing process that requires time and resources. Perhaps that’s why hackers have had such a heyday exploiting pervasive vulnerabilities. It’s time for that heyday to end.