Blog

API Security Meets Government Regulators

February 1, 2023 | 4 MIN READ

by Tony Bailey

API Security Meets Government Regulators

The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security and recent data breaches and the potential theft of private data, have put a spotlight on API security.

API Abuses and Related Data Breaches

The ACSC provides a valuable service as businesses continue to move more of their operations to the cloud and more data moves through APIs. As these trends continue so to is an increase in API-based attacks. The Optus breach is only the latest example. Gartner predicts that by 2024, API abuses and related data breaches will double.

This recent string of API security incidents and data breaches highlights how attackers are leveraging Open Web Application Security Project (OWASP) categorized security gaps to execute their attacks. The techniques observed in these incidents mimic those outlined in the API Protection Report where attackers are actively mixing and matching the OWASP API security categorized threats to bypass common security controls.

A New Control to Ensure Clients Are Authenticated

As a potentially proactive step to help mitigate API threats, the ACSC had added API vulnerabilities to its influential Information Security Manual (ISM). The latest edition of the ISM, published by the ACSC, adds a new control “to ensure clients are authenticated when calling web application programming interfaces that facilitate access to data not authorized for release into the public domain.”

Attackers Performing New Levels of Analysis

These new controls are directly related to trying to prevent attackers using a combination of three different tactics to exploit APIs listed in the OWASP API Top Ten – Broken User Authentication (API2), Excessive Data Exposure (API3) and Improper Assets Management (API9) – to bypass common security controls and achieve their end goal. The increased combination of these three threats indicates that attackers will be performing new levels of analysis to understand how each API works – including how they interact with one another and what the expected result will be.

Shadow APIs and API Security Controls

What complicates matters is security controls will only help if an organization is aware of all APIs used by the business. The challenge is that many companies have unknown or shadow APIs that are hosted by third parties, or are in use by developers, but not visible to the rest of the organization. New research by the Cequence CQ Prime Threat Research team confirms shadow APIs are the top threat challenging the industry with 31%, or 5 billion malicious transactions observed in the first half of 2022 targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs.

That is because shadow APIs are easy for attackers to discover by analyzing an organization’s exposed APIs and then simply fuzzing or modifying the values, enumerating through other API endpoints on different versions, under different hostnames to find other API variants.

Unified and Integrated Approach to API Protection

To combat the ever-present risk evident with APIs requires a unified and fully integrated approach that works across the entire API protection lifecycle, protecting all APIs, across all API implementations, channels, and infrastructure environments, and all user groups and business use cases.

Cequence has taken the approach that an effective API protection solution should protect APIs across the entire lifecycle, leveraging a collaborative effort that includes developers, application owners and the security team to accomplish the following:

Security teams deploying Cequence Unified API Protection enable their organizations to help comply with regulations, industry requirements and security controls. Cequence improves visibility and protection while reducing cost, minimizing fraud, business abuse, data losses and non-compliance while creating attack futility, failure, and fatigue for even the most relentless of attackers.

Get Started Today with the Cequence Unified API Protection solution

Get a Free Security Assessment of your API attack surface

Tony Bailey

Author

Tony Bailey

Senior Director of Product Marketing

Tony has years of experience in security, cloud, and SaaS product marketing at Microsoft, Adobe, and Amazon Web Services. He focuses on driving cloud platform adoption, launching security solutions, and developing enterprise SaaS strategies.

Related Articles