- APIs are pervasive, critical to the current pace of tech innovation and inherently insecure.
- API gateways are one option to help simplify API management and better guard their security.
- Deploying an API security platform can provide a unified approach to securing APIs from a variety of threats.
The rapid advancement of technology has become something of an expectation for consumers and businesses alike. Traditional work models and personal behaviors have been casually upended, driven by the fast-moving technical innovations and modernizations of digital transformation.
Some have seen this sea change on the horizon for some time. When the first generation Apple iPhone was introduced in 2007 using Cingular/ATT’s 2.5G network, Steve Jobs predicted it would be a “breakthrough Internet communicator”. This kicked off a wave of digital transformation, accelerated even more by the global pandemic, which has been labeled the 4th Industrial Revolution (4IR).
Technology adapting faster, thanks to APIs
Now, 17 years later, humans routinely rely on mobile phones to access databases for work, catch up on the latest video global dance meme, attend a business meeting and do some personal banking while pre-ordering their coffee customized just the way they like it. They do this all while physically shifting locations and connecting across networks. Users expect all of these functions to deliver optimized, customized content, seamless performance and lightning-fast responses, while keeping their private and financial data secure. One of the key components making these complex connections and integrations possible is application programming interfaces, or APIs.
At its base level, an API is a set of rules that connect two distinctly different software functions so they can interact without a custom buildout to orchestrate and exchange data. Think of it like digital duct tape—they can connect many functions to many functions, even if one thing was not specifically designed to be connected to the other. There are standardized open-source APIs and many others build custom APIs. The massive growth in new AI applications and workloads are also API-dependent—GPU OEM Nvidia even has their own APIs.
APIs have grown exponentially
In F5's recent annual report, F5 State of Application Security Report 2024, respondents indicated that organizations reporting between $200M-$1B in revenue run an average of 499 APIs.
Because applications increasingly relying on APIs, their proliferation creates new problems:
“The explosive growth in modern apps and their microservices has created an exponential rise in the number of APIs, too. First, the addition of a layer of APIs has been a preferred method of modernizing apps for several years running. In addition, digital transformation tends to consolidate applications but increase the use of APIs as processes are automated, individual apps are integrated, and siloed business data converge into one source of truth. Increased use of AI also means more APIs. Because AI apps are frequently based on multiple APIs, further deployment will create an even greater flood of public APIs. The result has ushered in a new era in which APIs can be as critical to the business as apps themselves—and even harder to protect, monitor, and manage.” |
Some quick points on API functionality
- Each API has two endpoints, literally where the two functions connect.
- Each API request generates at its base level, two “API calls”. One outbound request to the app endpoint for information, and one inbound to bring the information back to the requesting endpoint. (Here’s a terrific API explainer video from F5’s Dev Central team for a deeper dive.)
- According to various security industry statistics estimates in 2023: 70%-80% of ALL internet traffic consists of API calls.
APIs have inherent security issues
APIs are connecting everything, but over time may be running on broken authentication or be misconfigured. Additionally, reliance on multiple APIs has created a new issue of “ghost” or “shadow” APIs that are unknown or not managed—an example may be someone built a custom API and didn’t document it, so it’s still running invisibly. Or a new API may have been built on top of an undocumented API and both are operating for the same function without data visibility or management. Or the endpoints changed on one side or both.
API ease of use and ubiquity is both their strength and weakness:
- Open by design: APIs are created to share access to data and applications.
- Larger attack surface: Every API and endpoint expands the potential attack surface.
- Difficult to observe: API attacks can evolve slowly with small requests over weeks or months.
- Exposes extra data: Developers build flexible APIs that provide more data than required.
- Predictable structure: APIs adhere to logical architectures (REST) making them easy to probe.
- Lack protections: APIs are often deployed without basic protections like access control.
You can see why OWASP has expanded to a separate Top 10 API Security Risk list in 2023.
API discovery, management and security already a threat risk before AI
What are some approaches to manage and update your APIs?
- Automate app and API security infrastructure. That includes automating API discovery.
- Deploy API gateways to help simplify API management and better guard their security. API gateways offer a valuable layer of protection by authenticating API calls, ensuring valid requests and rate limiting to guard against being flooded with attacks.
- Consider deploying an API security platform such as F5’s award-winning Distributed Cloud API Security for a unified approach to securing APIs from a variety of threats. It combines security features, such as web application firewall (WAF), bot protection, and threat intelligence, for apps that are often distributed across multiple cloud environments. It secures APIs with continuous API discovery, consistent monitoring, governance, and API protection capabilities to control API behavior, block and limit sensitive data exposure, along with other functionality.