Application Programming Interface (API) is a technology that enables and facilitates communication between different applications.

They’re an essential part of the current technological revolution—pipelines that enable a quick and seamless transfer of information and application functionality.

All industries can use and find value with APIs as they provide a bridge between two systems in order to obtain information.

The plethora of programming languages don’t work well together. So, when one app needs to interact with the functionality of another app, things can get messy and challenging.

APIs solved this problem by acting as a common set of functions that can act as a translator or intermediary between different apps.

APIs bring a new level of modularity to applications. APIs allow developers to leverage the expertise of other applications. When an organization develops an application, they no longer need to reinvent the wheel when it comes to things like authentication, communication, payment processing, and maps.

Instead developers can leverage the seamless plug in capabilities and functionality of APIs. APIs allow applications and system components to communicate with each other on internal networks as well as over the Internet.

They’ve become integral to enterprise efforts to make internal applications and services accessible over the Internet to business customers, partners, suppliers, and other third parties.

Asking if APIs are secure is like asking if web applications are secure. So, the easy answer is it completely depends on the implementation and life cycle management.

APIs can be secure, but due to the quantity and complexity of APIs, it’s easy to have security gaps. Like many other facets of cybersecurity, the API defenders must get defense right every time, while an attacker only needs one weakness for a successful compromise.

An organization can have dozens, hundreds, and even thousands of APIs connecting internal applications to each other and the outside world. APIs can provide a direct gateway from the outside to an organization's critical data and applications if they aren’t properly secured.

The problem is API adoption tends to exceed the rate at which organizations can secure and manage them.

Over the years, an organization may have done a lot of work adding firewalls, segmentation, vulnerability management programs, and more, but if an organization has insecure APIs, then an attacker could evade many typical security measures. An insecure API exposed to the internet could lead to a serious compromise.

If you don’t properly manage the security of your APIs, it could be a recipe for disaster and pave the way for a major security breach.

Salt Security surveyed nearly 200 security, application, and DevOps professionals about their API concerns in February 2021. The results showed 91% of organizations involved in the survey suffered an API-related problem within the last year.

54% reported finding vulnerabilities in their APIs, 46% pointed to authentication issues, and 20% described problems caused by bots and data scraping tools.

For example, Peloton exposed data of its three million subscribers in 2021 due to a bug that allowed access to their private account data on Peloton’s servers even for private profiles.

The flaw allowed any Internet user to access subscribers’ personal information such as age, gender, location, birthday, and more.

This information was easy to retrieve and no special hacking tools were required—just knowledge of how to use a browser to query and modify data elements.

The question is—are your organization’s APIs part of a vulnerability management program?

API vulnerability management could be broken if:

• APIs aren’t a part of vulnerability management programs and are overlooked
• Information security teams lack the knowledge to thoroughly test APIs
• APIs are tested generically and false negatives provide organizations with a false sense of security
• APIs are only tested by the development team
• APIs aren’t considered with an adversarial mindset

Vulnerability scans that weren’t designed for API vulnerabilities will result in false-negative findings. False negative vulnerability results are one of the most dangerous threats to plague an information security program.

These results are dangerous because they suggest that your APIs are secure due to a lack of findings, however, it’s much more likely that the scanner didn’t test for the top API weaknesses.

A false negative occurs when a vulnerability scanner indicates nothing is wrong, but an existing vulnerability has gone undetected. This could happen if an API is scanned generically.

Each API is unique in the set of business functionality and this presents a problem to most vulnerability scanners. The vulnerability scan may detect common security misconfigurations but will miss most of the vulnerabilities indicated on the OWASP API Security Top 10.

The OWASP API Security Top 10 is an excellent cheat sheet that helps you understand the highest vulnerabilities that plague APIs, such as business logic flaws.

Business logic flaws are features of an application that can be used maliciously because they’re vulnerable by design. In other words, these flaws are present in an application’s code and are exceedingly difficult to detect for most automated scans.

APIs must be tested from an adversarial standpoint that mimics how they would be exploited by a malicious user. An API penetration test is one of the best ways to discover common vulnerabilities and business logic flaws.

A good API penetration test will test for common vulnerabilities, business logic flaws, validate findings, and demonstrate what an attacker would accomplish with the given weaknesses.

The most valuable part of a penetration test is getting a comprehensive report that describes the findings, associated risks, and remediation recommendations.