TechTalk Daily

Attack of the Zombie APIs

Who is leading the security counteroffensive in your organization?

By Matias Madou for Security Infowatch

Fans of the hit comic and TV series The Walking Dead might be pleased to see plenty of spinoff shows planned, despite the original series ending. As thrilling as it is to see hordes of zombies wreaking havoc on the last lines of defense of the human race, I can’t say the same sentiment is particularly appealing when discussing APIs.

The State of API Security Q1 2023 report from Salt Labs paints a grim picture of the climate surrounding API security in most enterprises, with “zombie APIs” a key factor in API-related cyberattacks surging by 400% compared to the previous six-month period. This is a harrowing consequence of widespread API use, especially as it relates to expanding an organization’s attack surface. It’s the new paydirt, the low-hanging fruit for attackers looking for quick wins that could pay off big time.

But let’s get back to zombies.

What is a zombie API, and why should they scare us?

Most companies have multiple business cases that necessitate the use of APIs, with software integrations essential to increasingly dispersed workforces. What is less commonly known is the scale: the average organization has over 15,000 APIs in place, and large enterprises have over 25,000.

The problem is that an API being in place is quite different from it being in active use. Once the project or use case that justified an API has reached its conclusion, the API is often forgotten, left running in the background with nobody responsible for it. That would not be an issue except that APIs are, by design, built to exchange data freely with other applications, and they are frequently left wide open from an authentication perspective for the sake of functionality and ease of use.

If an obsolete (or zombie) API is not properly decommissioned, it is a window of opportunity for a threat actor to crawl through and start accessing multiple parts of a system, often undetected, because the access controls that should gate that endpoint were never applied or have since broken down. Now imagine there are hundreds, or thousands, of these lying dormant and waiting to be exploited. It is the stuff of nightmares for a security leader, and a huge headache for ill-equipped developers to manage on their own.

APIs: Small, mighty, and inherently risky.

An API is a tiny, powerful software interface that truly accelerates our ability to innovate, connect our world, and share data in convenient, streamlined ways. They are indispensable, but we are kidding ourselves if we ignore the inherent risk that is part of their use. We’ve become accustomed to ignoring API security best practices in favor of seamless testing and functionality.

There have been some devastating, large-scale breaches in the past year alone that can be attributed to API security failures, with TechWire Asia estimating that API vulnerabilities cost businesses up to $75 billion annually. That is an enormous cost, and if we are being honest, the successful exploits behind it rarely take a mastermind to execute. If we insisted on prioritizing secure development in general, and on educating developers accordingly, there would be far fewer opportunities for attackers to make a mockery of enterprise systems.

As an industry, we have a lot more work to do in prioritizing API threat detection and remediation. Low visibility over APIs is a considerable concern: many organizations cannot say which APIs they have, who owns each one, or how it was built. An accurate, maintained API inventory should be demanded as part of security best practices.
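The zombie API described earlier (deployed, forgotten, often without an authentication check) and the visibility gap described here are two views of the same inventory problem. As an added example that is not part of the article and not code from Secure Code Warrior, the Python below reconciles three constructed data sources: the routes a service actually registers at startup, the organization's inventory (owner, sunset date, whether the route is meant to be public), and a handful of constructed access-log lines. It flags routes that are deployed but not on record (shadow), on record but receiving no traffic in the window (zombie candidates), past their recorded sunset date yet still served, and unauthenticated without being recorded as intentionally public. Every route name, IP address and date is made up for illustration.

```python
"""Added example, not from the article or from Secure Code Warrior:
reconcile three views of an API estate to surface zombie candidates.

  DEPLOYED   - routes the running service registers (constructed list)
  INVENTORY  - routes the organization has on record, with owner, sunset date,
               and whether the route is meant to be public (constructed)
  ACCESS_LOG - constructed access log lines in a Combined-Log-Format-like shape

All data below is made up for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed: (method, path, auth_required) as the service registers them at startup.
DEPLOYED = [
    ("GET",  "/v2/orders",            True),
    ("POST", "/v2/orders",            True),
    ("GET",  "/v1/orders",            True),    # old listing that nobody calls any more
    ("GET",  "/v1/orders/export",     False),   # legacy bulk export with no auth check
    ("GET",  "/internal/debug/users", False),   # never written down anywhere
    ("GET",  "/v2/health",            False),
]

# Constructed: the inventory the security team keeps, keyed by path.
INVENTORY = {
    "/v2/orders":        {"owner": "orders-team", "sunset": None,              "public": False},
    "/v1/orders":        {"owner": "orders-team", "sunset": None,              "public": False},
    "/v1/orders/export": {"owner": "orders-team", "sunset": date(2023, 6, 30), "public": False},
    "/v2/health":        {"owner": "platform",    "sunset": None,              "public": True},
}

# Constructed sample access log for the observation window.
ACCESS_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /v2/orders?page=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2024:10:00:02 +0000] "POST /v2/orders HTTP/1.1" 201 87
10.0.0.9 - - [10/Jan/2024:10:00:03 +0000] "GET /v2/health HTTP/1.1" 200 15
203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "GET /v1/orders/export?all=1 HTTP/1.1" 200 918233
"""

# Pull method, path (query string dropped) and status out of each request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3})')


def parse_log(text: str) -> Counter:
    """Count requests per (method, path) over the window."""
    hits: Counter = Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits[(m["method"], m["path"])] += 1
    return hits


@dataclass(frozen=True)
class Finding:
    method: str
    path: str
    kind: str    # "shadow" | "zombie" | "past-sunset" | "unauthenticated"
    detail: str


def reconcile(deployed, inventory, hits, today: date) -> list[Finding]:
    """Classify every deployed route. Paths are compared literally; a real
    service with /orders/{id}-style templates needs template matching here."""
    findings = []
    for method, path, auth_required in deployed:
        record = inventory.get(path)
        calls = hits.get((method, path), 0)
        if record is None:
            findings.append(Finding(method, path, "shadow",
                                    "deployed but missing from inventory"))
        elif calls == 0:
            findings.append(Finding(method, path, "zombie",
                                    f"owner={record['owner']}, no traffic in window"))
        if record and record["sunset"] and record["sunset"] < today:
            findings.append(Finding(method, path, "past-sunset",
                                    f"sunset {record['sunset']} passed, still served {calls} call(s)"))
        if not auth_required and not (record and record["public"]):
            findings.append(Finding(method, path, "unauthenticated",
                                    "no auth check and not recorded as intentionally public"))
    return findings


def run(today: date = date(2024, 1, 10)) -> list[Finding]:
    """Reconcile the constructed data as of the given date."""
    return reconcile(DEPLOYED, INVENTORY, parse_log(ACCESS_LOG), today)


if __name__ == "__main__":
    for f in run():
        print(f"{f.kind:15} {f.method:5} {f.path:25} {f.detail}")
```

Running it prints one line per finding. In the sample data the legacy `/v1/orders/export` route is both past its sunset date and unauthenticated, and is still being hit from an address outside the internal range, which is exactly the window the article warns about; `/internal/debug/users` shows up as a shadow route that nobody has on record. Two caveats for real use: compare path templates rather than literal paths, and make the traffic window span at least one full business cycle so that a monthly batch job is not misclassified as a zombie.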

Navigating developer enablement and API security ownership.

There is a monolithic barrier blocking most organizations from achieving better API security outcomes, and that is the distinct lack of ownership surrounding them. They are a perpetual hot potato…


Continue reading the full article here: Attack of the Zombie APIs

About the author:

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
