Checkmarx’s Avi Hein on bringing ‘critical’ API security concerns to the boardroom.
Serving as the intermediary layer between different systems and services, APIs have emerged as fundamental building blocks in the architecture of modern business applications. Their proliferation has been rapid and far-reaching, leading to what industry experts now term ‘API sprawl’.
The extensive integration of APIs brings huge benefits but also a host of security challenges that can no longer be relegated to the confines of IT departments and security teams. We’re now in an era of the ‘API-driven everything’ environment where so many of the applications running our lives are powered by APIs.
The complexity and scale of deployments have escalated the risks associated with their use. This ranges from data breaches to unauthorised access – posing significant threats to an organisation’s operational integrity, financial stability and reputation.
Just last year, telco giant T-Mobile experienced a major API breach that affected 37m accounts and the remediation efforts of the breach cost the company hundreds of millions of dollars.
While security professionals are aware of these risks, the true scope of API security demands a strategic, top-down approach, beginning at the highest levels of organisational leadership. Securing APIs is not just a technical issue but a critical business issue which can have serious financial consequences, as well as damage an organisation’s reputation and credibility.
The hidden risks of zombie and shadow APIs
There is a prevailing trend of ‘API-driven everything’ where APIs are the linchpin of digital interactions and processes. This is driven by the demand for seamless integration between applications, platforms and services, enabling businesses to rapidly deliver innovative services and cohesive user experiences. In 2023, the number of developers working on APIs increased by more than 30pc, highlighting the growing centrality of APIs in software development and digital strategy.
However, with businesses increasingly connecting services and functionalities through APIs, the network morphs into a complex maze of data pathways. This sprawl makes it extremely difficult to keep track of each API and increases the risk of teams overlooking critical security gaps. You can’t secure what you can’t see.
The problem is not merely the quantity of APIs but the pivotal role they play in facilitating access to sensitive data. The lack of visibility within this sprawling network amplifies security risks, creating hidden dangers within the enterprise’s digital infrastructure.
The emergence of zombie and shadow APIs is a direct consequence of this rapid and often uncontrolled expansion of APIs. These APIs, either remnants of legacy systems (zombie) or created but not documented and shared with security (shadow), lurk in the digital shadows of enterprises. Their invisibility creates the security risk as, without proper tracking and security measures, these APIs become silent gateways for cybercriminals, leading to potential data breaches and system infiltrations.
The strategic imperatives of API security
Moving beyond the immediate security threats posed by zombie and shadow APIs, we must consider the strategic challenges in API security. The rapid adoption of technologies and practices that contribute to API sprawl, such as microservices architecture, cloud services and the IoT, has fundamentally altered the cybersecurity landscape. It’s projected that there will be 1.7bn APIs in use by 2030, which means that traditional AppSec models designed to protect in-house codes on local systems and local data centres are no longer sufficient.
There’s also a significant lack of standardisation across APIs, with departments or teams potentially adopting different security practices. For instance, some teams may implement authentication protocols like OAuth 2.0 for their APIs, ensuring that access is securely controlled through tokens. Others might rely on basic API keys, which are less secure and more susceptible to interception. This inconsistency creates gaps that can be exploited by threat actors. The absence of a unified approach makes it difficult to enforce comprehensive security measures and complicates compliance with various regulatory requirements.
Furthermore, the rapid pace of digital innovation, while significant for business agility and growth, poses critical challenges for application security. The quick development and deployment of APIs can sometimes outpace the implementation of adequate security measures. This disconnect highlights the need for security considerations to be an integral part of the development process, rather than an afterthought. It also underlines the importance of embedding API security within the entire CI/CD pipeline, from code to cloud. This means taking a comprehensive approach to security that extends beyond traditional source code and APIs to include containers, Infrastructure as Code (IaC), open-source components and the software supply chain at large.
Another important aspect is that business leaders often underestimate or even fail to think about the risks associated with APIs. While the dangers of unsecured APIs are well-known within IT circles, their potential impact on the wider business, such as disruption to critical operations or data breaches, is often not fully appreciated at higher levels of management. Addressing these challenges requires a shift in perspective at the highest levels of corporate governance.
Understanding the role of the C-suite in API security
To address the increasing risks of API sprawl in today’s network ecosystem, the C-Suite needs to be proactively involved in API security. This means seeing API security as a critical component of the company’s risk management and strategic planning, especially considering the specific risks API vulnerabilities pose to operational integrity, customer trust and financial stability.
Boardroom conversations need to focus on targeted investments in API management, including advanced security technologies, expert personnel and comprehensive training programs. These board-level conversations need to focus on how their applications are secured and ensure that proactive measures are in place to protect the entire SDLC from code-to-cloud.
This transformation would involve removing barriers that traditionally separate technical teams from the C-Suite, such as a lack of shared language, organisational silos that hinder cross-functional collaboration, and the absence of structured opportunities for cross-disciplinary engagement. Removing these barriers will help to foster a culture of open communication and mutual understanding.
The C-Suite leaders must clarify ownership and accountability for API security, ensuring responsibilities are explicitly defined and understood across all levels of the organisation. C-Suite leaders need to ask the tough questions, ensuring that they have a comprehensive API inventory that includes not only known APIs but also the unknown shadow and zombie APIs. This includes AppSec teams and CISOs, as well as executives who oversee and allocate resources for security measures. This will help organisations to manage API security as a collective goal, aligning with broader business objectives and mitigating risks more efficiently.
The frontline of API security
It is crucial that CISOs lead API security initiatives. They must advocate for and oversee the integration of comprehensive AppSec platforms that includes both SAST and DAST security solutions. SAST tools play a crucial role in identifying vulnerabilities in source code early in the development process. Similarly, DAST tools are also critical for testing APIs and endpoints in live environments, where they can simulate attacks on production systems to uncover runtime vulnerabilities.
Some SAST and DAST tools can proactively identify shadow and zombie APIs and centralise APIs in a single inventory. This allows for a more thorough discovery of API vulnerabilities, ensuring that APIs are identified, robustly tested and secure across all stages of the SDLC.
Overall, the role of the C-Suite in API security is not just about oversight or endorsement; it’s about active participation and leadership in a domain that is rapidly becoming a cornerstone of business integrity and continuity.
As we advance further into a digitally interconnected world, the leadership’s commitment to API security will be a critical determinant of an organisation’s resilience and success in the face of evolving cyberthreats.
By Avi Hein
Avi Hein is a product marketing manager at Checkmarx, an enterprise application security company headquartered in Atlanta, US. Hein has more than 15 years of experience, with extensive product and corporate marketing skills, and has worked for leading cybersecurity and developer tool companies.
Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.
