IT Brief Australia logo
Technology news for Australia's largest enterprises
Story image

The growing importance of establishing effective API security

By Contributor
Wed 2 Mar 2022

Article by Secure Code Warrior co-founder and chief executive officer, Pieter Danhieux.

Cybercriminals have tended to focus on acquiring user credentials to maximise their ability to traverse targeted IT infrastructures. They use them to gain access to mount their planned attack and cause as much disruption as possible.

However, this focus is changing as increasing numbers of criminals turn their attention to the credentials held by application programming interfaces (APIs). Indeed, according to research by content delivery network Akamai,  almost 75% of attacks directly target such API credentials.

Increasing popularity

When you consider the role played by APIs within a security infrastructure, it's unsurprising that they have become such popular targets. They are a critical element in most cloud-based services, which are rapidly taking over the functions of on-premises assets at most organisations.

It's now effectively impossible to run any business or process these days without the cloud. This means that APIs have become the glue that binds many different services together.

For a business, API usage delivers some significant benefits. They are primarily small and unobtrusive in terms of network resource allocation. They are also very flexible, which means security teams can task them to perform almost any job.

Essentially, APIs are individual pieces of software tailored to control or manage a particular program or process. As a result, security teams can use them to perform very specific functions, such as accessing data from a host operating system, application, or service.

The risk of being overlooked

Unfortunately, APIs' flexibility and the fact that they are often small and overlooked by security teams make them attractive targets for cybercriminals. Most APIs have also tended to be designed with flexibility rather than security in mind.

There are also very few standards that are followed during API development. If they are coded by developers who aren't very security-aware, the APIs likely will have any number of vulnerabilities that attackers can find and exploit.

This is a problem that is quickly getting out of hand. According to research firm Gartner, in 2022, vulnerabilities involving APIs will become the most frequent attack vector across all cybersecurity categories.

Attackers have a specific goal when it comes to targeting APIs. They don't particularly want to take over whatever specific function the API performs but rather want to steal the credentials associated with it.

In many cases, APIs are often way over permissioned for their core functionality. Indeed, many have near administrator-level access on a network. For this reason, if an attacker gains control of one, they can often use its permissions to launch deeper and more substantial incursions into the wider infrastructure.

Also, because APIs have permission to perform whatever tasks an attacker redirects it toward, their actions can often bypass traditional cybersecurity monitoring because the API does not break any rules and trigger an alert.

Improving API protection

While the security situation around APIs has become very concerning, it's far from a lost cause. On the contrary, big efforts are being made to ensure developers are more aware of the risks and encourage them to adopt security best practices in all aspects of software creation, testing, and deployment.

The range of best practices that organisations can introduce to improve their level of API security include:

  • Improve API identity controls: It's important to treat APIs similarly to users when assigning permissions. If an API has been designed to do a specific function, consider what could happen if an attacker compromised it. Think about using role-based access control and apply zero-trust principles. It can also be worthwhile to include APIs as part of the organisation's wider identity management program.
  • Put limits on API calls: Limiting those calls to very context-centred requests makes it much more difficult for an attacker to modify them for nefarious purposes.
  • Make use of a layered operational approach: A powerful way to improve security is to begin by having an initial API make a highly contextual call to another API that knows exactly what to look for and what to ignore. This approach effectively limits the functionality available to a cybercriminal who may have gained control of the API and is attempting to use it as part of an attack.

The security weaknesses within APIs can seem daunting and appear to be a significant threat to infrastructure security. However, by ensuring developers are aware of the importance of including effective measures in their code designs and by limiting API permissions, the sought-after business benefits can be achieved without increasing levels of risk.

Article by Secure Code Warrior co-founder and chief executive officer, Pieter Danhieux.

Related stories
Top stories
Story image
Delinea’s Joseph Carson recognised with OnCon Icon Award
Delinea chief security scientist and advisory CISO Joseph Carson has been recognised as a Top 50 Information Security Professional in the 2022 OnCon Icon Awards.
Story image
Artificial Intelligence
Dynatrace extends automatic release validation capabilities
Dynatrace has extended its platform release validation capabilities to improve user experience at every stage of the software development lifecycle.
Story image
Adobe study finds lack of digital trust and utilisation in Australian Government agencies
New research commissioned by Adobe has revealed a significant lack of digital trust within Australian Government departments, along with the continued underutilisation of key digital processes.
Story image
Artificial Intelligence
Eight top DevSecOps trends to support IT innovation in 2022
The use of DevSecOps practices is growing, as it is increasingly seen as the best way to produce high-quality and secure code. So what are the current trends?
Story image
Hybrid Cloud
Advent One acquires Layer 8 Networks, complements hybrid cloud offering
The acquisition comes at a time of surging demand in hybrid cloud, network virtualisation and network security.
Story image
Video: 10 Minute IT Jams - An update from CyberArk
Olly Stimpson joins us today to discuss the importance of MSP programmes and how MSP partners are experiencing success with CyberArk.
Story image
Artificial Intelligence
Juniper study reveals top AI trends in APAC region
Juniper's research shows an increase in enterprise artificial intelligence adoption over the last 12 months is yielding tangible benefits to organisations.
Story image
Microsoft names A/NZ Partner of the Year award winners
The awards recognise partners across the globe for their innovative use of Microsoft technologies to help customers succeed.
Story image
How Airwallex helps businesses achieve globalisation success
As markets continue to shift, businesses need to be able to provide the same quality of service for customers regardless of where they are located around the world.
WSLHD and PwC’s Consulting Business came together to solve through the challenges of COVID-19. A model of care was developed to the NSW Health Agency for Clinical Innovation guidelines with new technology platforms and an entirely new workforce.
Link image
Project management
Discover the 4 crucial factors for choosing the right job-costing solution. Is your team struggling to cost jobs and keep projects running on budget?
Link image
Story image
Voice recognition
Renesas and Cyberon expand services with voice recognition
“We are honoured to collaborate with Renesas to simplify the development of embedded voice recognition functions."
Story image
Enterprise Resource Planning / ERP
Five ways your ERP is letting you down and why its time for a change
Wiise explains while moving to a new system may seem daunting, the truth is that legacy systems could be holding your business back.
Story image
Australian consumers loyal to retailers who deliver speed and visibility
SOTI finds extensive order visibility and speed are the most important factors for turning one-off customers into loyal, long-term buyers.
Story image
Industry-first comprehensive risk-based API security enhances protection
Application Programming Interfaces (APIs) have become a crucial part of operating web and mobile application businesses and are causing significant economic growth in the digital sector.
Story image
Robotic Process Automation / RPA
Salesforce announces latest generation of MuleSoft
Salesforce has introduced the next generation of MuleSoft, a unified solution for automation, integration and APIs to automate any workflow.
Supply chain
Discover the 4 critical priorities for wholesale distribution businesses in FY23. Are you worried about how supply chain issues may affect your business in 2023?
Link image
Digital Transformation
Discover the 5 signs your business is ready for a cloud-based ERP. Is your business being left behind as more of your competitors switch to the cloud?
Link image
Story image
Hybrid workforce
Why hybrid working is here to stay and how to ace it
Citrix's new report reveals hybrid workers are more productive and engaged at work than their office and completely remote counterparts.
Story image
Four factors to consider when choosing the right job accounting solution
Progressive job-based businesses can achieve success by strengthening their ability to quantify every cost attributable to the delivery of an outcome for a customer.
PwC's Consulting Business and PwC's Indigenous Consulting are proud to play an important role in helping Australian Indigenous Mentoring Experience build IMAGI-NATION, a free online university for marginalised communities around the world.
Link image
Story image
Data Protection
Five signs your business is ready to move to the cloud
Many organisations are thinking about moving to the cloud. But what are the signs you are ready, and what are the reasons to move?
Story image
New VMware offerings improve cloud infrastructure management
VMware has unveiled VMware vSphere+ and VMware vSAN+ to help organisations bring benefits of the cloud to existing on-prem infrastructure.
Story image
New study reveals 51% of employees using unauthorised apps
The research shows that 92% of employees and managers in large enterprises want full control over applications, but they don't have it.
Story image
SentinelOne integrates with Torq to empower security teams
"With Torq, security teams can extend the power of SentinelOne to systems across the organisation to benefit from a proactive security posture.”
Story image
Cloudian, Vertica to deliver on-premise data warehouse platform
"We’re enabling our customers to capitalise on a leading object storage platform and maximise the value of their digital assets.”
Story image
SNP unveils next generation of CrystalBridge software platform
Data is a key pillar of every customer-centric organisation, as it relies on agile decisions to become increasingly sustainable and intelligent.
Story image
Civil Defence
OutSystems platform chosen as part of ADF contract
"To be included in this project is a reflection of our ability to deliver secure, modern digital outcomes for defence at an incredible pace."
Story image
Four things wholesale distributors need to consider for FY2023
In a post-pandemic world, there are many things for a distribution business to juggle. ERP solutions company Wiise narrows down what companies should focus on.
Story image
Tech and data’s role in the changing face of compliance
Accenture's study found that 93% of respondents agree or strongly agree new technologies such as AI and cloud make compliance easier.
Story image
Digital Transformation
Google Cloud launches new Digital Accelerator bundles for Aussie SMBs
The new bundles are designed to help Australian small and medium-sized businesses embrace digital transformation and take their businesses online.
Story image
Artificial Intelligence
Accenture shares the benefits of supply chain visibility
It's clear that gaining better visibility into the supply chain will help organisations avoid excess costs, inefficiencies, and complexity to ultimately improve their bottom line.
Story image
How the metaverse will change the future of the supply chain
The metaverse is set to significantly change the way we live and work, so what problems can it solve in supply chain management?
Story image
How New South Wales state departments achieved cloud migration success
State departments in New South Wales are heading to the cloud to achieve better workflow solutions, and one company is paving the way for their success.
Story image
FIDO Alliance releases guidelines for optimising UX with FIDO Security Keys
The new guidelines aim to accelerate multi-factor authentication deployment and adoption with FIDO security keys.
Story image
Public Cloud
Public cloud services revenues top $400 billion in 2021
"For the next several years, leading cloud providers will play a critical role in helping enterprises navigate the current storms of disruption."
Story image
ASI Solutions named finalist of Microsoft Surface Partner of the Year
"ASI Solutions has a strong Microsoft focus, building value by helping customers maximise investment in modern workplace solutions."
Story image
Internet of Things
ManageEngine wins big in IDC MarketScape assessment
ManageEngine's Endpoint Central service has been recognised as a leader by IDC MarketScape in several categories including Internet of Things device deployments and UEM software for SMEs.
Story image
Monitors are an excellent incentive for getting employees back
The pandemic has taught us that hybrid working is a lot easier than we would’ve thought, so how can the office be made to feel as comfortable as home? The answer could be staring you in the face right now.
Story image
The best ways to attract young talent during labour shortages
New research from Citrix reveals hybrid working and ventures into the metaverse are top of mind for Gen Z workers.
Discover the 5 ways your ERP may be letting you down. Is your current system outdated, difficult to manage, and costing you a fortune?
Link image
Story image
Identity and Access Management
Ping Identity named a Leader in Access Management
Ping Identity has been named a leader in the 2022 KuppingerCole Leadership Compass report for Access Management. 
Story image
Oracle Cloud
Commvault, Oracle to deliver Metallic Data Management as a Service
"We are excited to partner with Commvault and enable our customers to restore and recover their most mission-critical cloud data."
Story image
Evonik relies on Getac F110 tablet to control autonomous robot
The aim of the project is to evaluate the practicality of an automated robotic maintenance and inspection solution in the chemical industry.