Ensuring API security is essential for protecting sensitive data and maintaining the integrity of software systems. There are various measures that can be taken to enhance API security, such as implementing authentication and authorization protocols, using secure communication channels, and regularly testing and updating APIs. This is especially important when your systems and applications are hosted mainly in the cloud – an issue Google identified as early as 2016, when it acquired Apigee and integrated the startup’s cloud-based API creation and management platform into a service for Google Cloud Platform customers. Last year, Google announced the public preview of Advanced API Security, a comprehensive set of API security capabilities built on Apigee, its API management platform. Cyber Protection Magazine had the chance to interview Bernd Wagner, Managing Director Google Cloud Germany, about this new API security offering.
Cyber Protection Magazine: What is the role of APIs in general and how has this evolved over time?
Bernd Wagner: Companies worldwide rely on Application Programming Interfaces, or APIs, to facilitate digital experiences and unleash the potential energy of their own data and processes. APIs are a critical link in simplifying and standardizing the delivery of services and data for digital experiences. APIs also serve a critical role in the race to modernize applications, fueling interoperability and, in turn, efficient functionality. This development is causing the use of APIs and API traffic to increase.
Over time, the role of APIs has evolved from technology enablers to business enablers. Today, organizations across the globe participate in and gain tremendous value from an API economy through direct monetization of data and services in the form of easily consumable APIs. Moreover, APIs have enabled organizations to accelerate the development and delivery of business-driven solutions while driving increased adoption and profitability.
Cyber Protection Magazine: Looking at the increasingly important role of APIs, why is security for APIs so important and how can it be achieved?
Bernd Wagner: APIs are the driving force behind digital business ecosystems that encompass a network of partners, developers, and customers facilitated by modern, cloud-first technologies. But the proliferation and importance of APIs comes with a risk. As a gateway to a wealth of information and systems, APIs have become a favorite target for hackers.
Today, securing APIs requires visibility across all application interactions and observing, analyzing, and taking action at every level of the technology stack using an API management solution. It’s no wonder that when considering the components of their API programs, enterprises put security at the very top with 66% saying it’s a priority.
Cyber Protection Magazine: Which are the most common vulnerabilities for APIs, and, vice versa, what is the most common attack vector for APIs?
Bernd Wagner: According to the research conducted by Google Cloud between May and June 2022 among technology leaders from companies in the United States with at least 1,500 employees, the three most common sources of potential threats for APIs are:
- Security misconfigurations
- Outdated APIs, data, and components
- Bots, spam, and abuse
Misconfigurations, as a category, are the most identified threat area with 2 of 5 IT decision-makers selecting either security misconfiguration or misconfigured APIs.
Cyber Protection Magazine: How does Google in an increasingly cloud-focused world ensure the security and protection of APIs?
Bernd Wagner: API security involves monitoring and managing access to your APIs, guarding against malicious message content, accessing and masking sensitive encrypted data at runtime, protecting your backend services against direct access, and other important safeguards. Google Cloud’s security model, world-scale infrastructure, and unique capability to innovate help keep organizations secure and compliant.
Specifically, our API management solution, Apigee, helps organizations enforce consistent security best practices and governance policies across all APIs to make it easier for IT teams to protect their data. Today, organizations across the globe already trust Apigee’s scale and performance to manage their APIs. For these customers, Apigee currently provides important API protection with capabilities such as API abuse prevention, authorization & authentication management, monitoring, and security reporting.
Additionally, we recently announced the launch of the Advanced API Security add-on for Apigee customers. With this launch, we are taking our existing API security capabilities to a new level by adding bot detection and API misconfiguration identification solutions to target two of the most critical pain points in API security. Advanced API Security will enable Apigee customers to further strengthen their API security by more easily detecting and mitigating security threats. Advanced API Security uses pre-configured rules to provide API teams with an easier way to identify malicious bots in API traffic. Each rule represents a different type of unusual traffic that can be associated with a single IP address. When an API traffic pattern matches one of these rules, Advanced API Security reports it as a bot.
In addition, Advanced API Security speeds up the process of identifying security breaches by identifying bots that have successfully received the HTTP 200 OK response code for success status.
As mentioned in our earlier responses, misconfigured APIs are one of the leading reasons for API security incidents. While identifying and resolving API misconfigurations is a top priority for many organizations, the configuration management process is time consuming and requires considerable resources.
Advanced API Security makes it easier for API teams to identify API proxies that do not conform to security standards. To help identify APIs that are misconfigured or experiencing abuse, Advanced API Security continuously assesses all managed APIs and provides API teams with a recommended action when configuration issues are detected.
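The continuous assessment described above, in which every managed API proxy is checked against a set of security standards and each finding comes with a recommended action, can be illustrated with a small configuration linter. The following is an added example written for this article; it is not Apigee or Advanced API Security code, and the proxy-config schema, the rule set, the thresholds and the two sample proxies are all assumptions constructed for the illustration.

```python
"""Configuration assessment for API proxies (added example, not Apigee code).

Assumed, simplified proxy-config schema, one dict per proxy:
  name            proxy name
  tls_required    bool, proxy rejects plaintext HTTP
  auth_policy     "oauth2" | "apikey" | "none"
  rate_limit_rps  int requests/second per client, or None when unlimited
  cors_origins    list of allowed origins ("*" is the wildcard)
  backend_public  bool, backend reachable without going through the proxy
  last_reviewed   ISO date the configuration was last reviewed
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    proxy: str
    rule: str
    severity: str
    recommended_action: str


# (rule id, severity, predicate that is True when the config FAILS, recommended action)
RULES = [
    ("no-tls", "high",
     lambda c: not c.get("tls_required", False),
     "Require TLS on the proxy endpoint and reject plaintext requests."),
    ("no-auth", "high",
     lambda c: c.get("auth_policy", "none") == "none",
     "Attach an authentication policy (OAuth 2.0 or API key verification) to every flow."),
    ("backend-exposed", "high",
     lambda c: c.get("backend_public", False),
     "Restrict backend ingress so it accepts traffic only from the proxy."),
    ("no-rate-limit", "medium",
     lambda c: c.get("rate_limit_rps") is None,
     "Add a quota or spike-arrest policy so a single client cannot exhaust the backend."),
    ("cors-wildcard", "medium",
     lambda c: "*" in c.get("cors_origins", []),
     "Replace the wildcard CORS origin with an explicit allow-list."),
]


def assess(configs, today, stale_after_days=365):
    """Return one Finding per failed rule per proxy, plus a staleness finding
    for configurations not reviewed within stale_after_days."""
    findings = []
    for cfg in configs:
        for rule_id, severity, fails, action in RULES:
            if fails(cfg):
                findings.append(Finding(cfg["name"], rule_id, severity, action))
        reviewed = date.fromisoformat(cfg.get("last_reviewed", "1970-01-01"))
        if (today - reviewed).days > stale_after_days:
            findings.append(Finding(
                cfg["name"], "stale-config", "low",
                "Re-review this proxy: outdated policies and components are a leading threat source."))
    return findings


def summarize(findings):
    """Count findings per severity so teams can prioritise remediation."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory: one well-configured proxy and one legacy proxy.
SAMPLE_CONFIGS = [
    {"name": "orders-v2", "tls_required": True, "auth_policy": "oauth2",
     "rate_limit_rps": 100, "cors_origins": ["https://shop.example"],
     "backend_public": False, "last_reviewed": "2023-01-15"},
    {"name": "legacy-v1", "tls_required": False, "auth_policy": "none",
     "rate_limit_rps": None, "cors_origins": ["*"],
     "backend_public": True, "last_reviewed": "2021-06-01"},
]
ASSESSMENT_DATE = date(2023, 6, 1)  # fixed "today" so the sample output is reproducible

if __name__ == "__main__":
    for f in assess(SAMPLE_CONFIGS, ASSESSMENT_DATE):
        print(f"[{f.severity}] {f.proxy}: {f.rule} -> {f.recommended_action}")
    print(summarize(assess(SAMPLE_CONFIGS, ASSESSMENT_DATE)))
```

Running the script reports nothing for `orders-v2` and six findings for `legacy-v1`, three of them high severity. The staleness rule ties back to the "outdated APIs, data, and components" threat source named earlier in the interview: a proxy that passed every check a year ago still needs a fresh review.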
Cyber Protection Magazine: One of the new security features in Apigee is the identification of Bots. In “regular” web traffic, bots are often responsible for more traffic than regular visitors. Is this (already) similar when it comes to API attacks, i.e. automated bot attacks against APIs vs. manual API attacks, but also vs. “other” types of cybersecurity attacks?
Bernd Wagner: Yes, APIs face the same threats as software and web apps, but because they have a unique set of vulnerabilities, they also face unique threats.
With more business being done online than ever before, there is an increase in API traffic volumes, and along with that an increase in bot attacks. Comparing 2020 and 2021 Black Friday, Apigee saw an increase of 46% in API traffic.
A considerable amount of this API traffic comes from automated actors that engage in credential stuffing, brute forcing, and content scraping. The stakes are high for businesses to secure their APIs against bot attacks. Despite being aware of the rise in bot attacks, most organizations are not prepared to fend off threats. Most are not using the right combination of security products to protect against bots.
The most important thing to remember is that organizations can’t secure their APIs against threats that they can’t see. It’s important to establish API traffic visibility through an API management platform like Apigee, where they’ll be able to observe and capitalize upon good, legitimate traffic while also being able to identify and block bad actors. Apigee’s Advanced API Security provides API teams an easier way to identify malicious bots within API traffic. Furthermore, Advanced API Security speeds up the process of identifying data breaches.
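Two passages of the interview describe the same mechanism from different angles: the earlier answer explains that bot detection works from pre-configured rules, each describing a kind of unusual traffic tied to a single IP address, with bots that received an HTTP 200 OK surfaced separately because they indicate a possible breach; the answer above names the traffic those rules target (credential stuffing, brute forcing, content scraping). The following added example shows that rule-per-IP pattern run over a constructed access log. It is written for this article and is not Advanced API Security code; the log format, the three rules, their thresholds and all sample IP addresses and paths are assumptions.

```python
"""Rule-based bot detection over API access logs (added example; the rules and
thresholds are illustrative assumptions, not Advanced API Security's rule set).

Constructed log format, one request per line:
  <ISO-8601 timestamp> <client IP> <method> <path> <HTTP status>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample traffic: a credential-stuffing client that eventually gets a
# 200, a brute-forcing client that never does, a catalogue scraper, and two
# ordinary users (one of whom mistypes a password once).
SAMPLE_LOG = "\n".join(
    [f"2023-06-01T10:00:{i:02d}Z 203.0.113.5 POST /v1/login 401" for i in range(5)]
    + ["2023-06-01T10:00:05Z 203.0.113.5 POST /v1/login 200"]
    + [f"2023-06-01T10:00:{30 + i}Z 203.0.113.9 POST /v1/login 401" for i in range(5)]
    + [f"2023-06-01T10:01:{i:02d}Z 198.51.100.7 GET /v1/products/{i + 1} 200" for i in range(11)]
    + ["2023-06-01T10:02:00Z 192.0.2.10 GET /v1/products/3 200",
       "2023-06-01T10:02:05Z 192.0.2.10 POST /v1/login 200",
       "2023-06-01T10:02:09Z 192.0.2.10 GET /v1/orders 200",
       "2023-06-01T10:03:00Z 192.0.2.11 POST /v1/login 401",
       "2023-06-01T10:03:20Z 192.0.2.11 POST /v1/login 200"]
)

LOGIN_PATH = "/v1/login"  # assumed login endpoint


@dataclass
class Request:
    ts: datetime
    ip: str
    method: str
    path: str
    status: int


def parse_log(text):
    """Parse the constructed log format into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status = line.split()
        reqs.append(Request(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            ip, method, path, int(status)))
    return reqs


# Each rule looks at ALL requests from one IP and returns True when they match.
def rule_login_failures(reqs, threshold=5):
    """Brute forcing / credential stuffing: many failed logins from one IP."""
    return sum(1 for r in reqs if r.path == LOGIN_PATH and r.status == 401) >= threshold


def rule_burst_rate(reqs, max_requests=10, window_seconds=10):
    """Automation signature: more than max_requests inside any sliding window."""
    times = sorted(r.ts for r in reqs)
    lo = 0
    for hi in range(len(times)):
        while (times[hi] - times[lo]).total_seconds() > window_seconds:
            lo += 1
        if hi - lo + 1 > max_requests:
            return True
    return False


def rule_path_enumeration(reqs, min_distinct=10):
    """Content scraping: one IP walks many distinct resource paths."""
    return len({r.path for r in reqs if r.method == "GET"}) >= min_distinct


RULES = {
    "login-failures": rule_login_failures,
    "burst-rate": rule_burst_rate,
    "path-enumeration": rule_path_enumeration,
}


@dataclass
class BotReport:
    ip: str
    rules: list       # names of the rules this IP matched
    succeeded: bool   # did the flagged IP also receive an HTTP 200 OK?


def detect_bots(reqs):
    """Group traffic per source IP and report every IP that matches a rule."""
    by_ip = defaultdict(list)
    for r in reqs:
        by_ip[r.ip].append(r)
    reports = []
    for ip, rs in sorted(by_ip.items()):
        matched = [name for name, rule in RULES.items() if rule(rs)]
        if matched:
            reports.append(BotReport(ip, matched, any(r.status == 200 for r in rs)))
    return reports


def successful_bots(reports):
    """Flagged IPs that got a 200 OK: investigate these first as possible breaches."""
    return [rep for rep in reports if rep.succeeded]


if __name__ == "__main__":
    reports = detect_bots(parse_log(SAMPLE_LOG))
    for rep in reports:
        print(rep.ip, rep.rules, "GOT 200" if rep.succeeded else "blocked so far")
    print("possible breaches:", [rep.ip for rep in successful_bots(reports)])
```

On the sample log the scraper and both login-hammering clients are reported, while the user who mistyped a password once stays below the threshold. Only two of the three reported IPs ever received a 200, and those are the ones `successful_bots` puts at the top of the triage list, which is the distinction the interview draws between "reports it as a bot" and "speeds up the process of identifying security breaches".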
Cyber Protection Magazine: Despite the connected age we’re living in, we are still at the beginning of the “digitization” phase, with quite a few companies still transitioning to digital processes, but also with technological advancements (such as the IoT) which will bring a lot more devices – with more needs for interfaces generally and APIs specifically. What does that mean for the future of API security?
Bernd Wagner: Organizations in every region and industry are increasingly producing and consuming APIs because they enable easier and more standardized delivery of services and data for digital experiences. Because of the increasing shift to digital experiences, API usage and traffic volumes have grown. Although we’re seeing great growth and adoption in this space, API security challenges have emerged as a top concern for most software engineering leaders. As APIs are becoming more intertwined with business practices, API security is becoming the battleground for decreasing application and business risk.
IT teams need more advanced tools to help with detecting, preventing, and protecting against API security threats – without slowing down the pace of innovation. Adopting an API management platform is the logical step, enabling IT teams to leverage an API proxy to implement granular authentication, authorization, governance, and data access policies that provide fine-grained enforcement for access to data and resources.
Cyber Protection Magazine: What do you expect the API security landscape to look like 5 years from now?
Bernd Wagner: With the ever-increasing adoption of digital experiences across the world, we expect the use of APIs to continue to rise at an accelerated pace within the next 5 years. With this rise, the importance of API security will represent itself as a significant area of business risk for organizations.
Traditional API security practices, such as perimeter-based security or the adoption of point solutions, that once provided robust protection will no longer be sufficient to protect from evolving threats. Due to this, organizations will need to apply comprehensive security and governance at every point of interaction within a connected experience. An end-to-end application and API security approach will be important to mitigate security risks.
Another area of opportunity is the application of Artificial Intelligence (AI) and Machine Learning (ML) technologies to optimize existing API security initiatives. Today, many IT organizations are leveraging a rules-based approach to identifying and resolving possible security threats. However, with the advancement of AI and ML technologies, there are new opportunities to enhance how API security threats are detected and resolved.