Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Addressing Trends in API Security
By Richard Bird, Chief Security Officer, Traceable AI
2023 will be the year that many business leaders and security chiefs wake up to the scope of their API security issues.
Over the past three years, organizations have prioritized flexibility and growth over security while navigating extremely challenging business conditions. They've aggregated large data sets and deployed more cloud services to digitize business models, products, and services. The key to making all of this work: APIs. DevOps teams use internal APIs to connect data sources and business processes as they develop and deploy applications, and external APIs to connect with customers and partners. As a result, sensitive data, such as critical business information and consumers' contact, financial, and health information, increasingly passes over APIs.
Organizations typically lack the ability to automatically discover, inventory, validate, manage, and secure their API inventory, which grows every week. In addition, teams may be using operational frameworks that don't enforce standardization and governance as their API holdings skyrocket. As a result, most organizations don't know the scope of the APIs they possess, and cyber-attackers are taking note. Hackers have identified APIs as the Achilles' heel of organizations' cybersecurity posture and are using them to steal data, commit fraud, and create havoc in the marketplace, among other aims. More than half of all data thefts were traced to unsecured APIs as of 2020, according to Gartner, and the problem is only getting worse.
Here are some API security trends for 2023:
Trend #1: There will be a major API security breach that forces faster regulatory action
Gartner predicts that by 2025, less than 50 percent of enterprise APIs will be managed, as explosive growth outpaces API management capabilities. Already, API security incidents are soaring, and regulators are taking notice. An adversary used LinkedIn's official API to scrape data on 90 percent of its users. A researcher used Venmo's public API to access data on millions of payments. The Log4Shell zero-day vulnerability, reported in December 2021, is still being exploited. Other API security incidents have ensnared Coinbase, John Deere, Experian, Peloton, SolarWinds, and more.
While regulatory action typically lags behind advanced technology development, weak API security is increasing the scope and severity of security breaches. We predict that a major API security incident that disrupts mission-critical services, such as in the financial or public infrastructure verticals, will occur in 2023, forcing faster regulatory action across all verticals.
Trend #2: Financial services will lead other verticals in addressing API security issues
Global regulators need to develop API-specific security regulations, rather than relying on data protection regulations such as HIPAA, GDPR, PCI, and others to govern these digital connections.
The good news is that financial services is poised to lead the race to greater regulatory oversight. Already, the Federal Financial Institutions Examination Council (FFIEC) members have issued guidance on securing authentication and access to financial institutions' services and systems, including APIs.
In 2023, we expect that these regulators will increase their expectations around financial institutions' API security. This heightened focus couldn't come too soon. With their mother lode of rich customer data and transactions, banks, fintech companies, insurance companies, and other financial institutions represent a favorite attack target for hackers. In addition, the industry must develop a scalable approach to API security if it is to move forward with open banking. Open banking, which provides third parties with access to financial transaction data, is completely powered by APIs.
Financial services has led other industries in adopting risk and security frameworks and tools to protect data and systems. It will do the same with API security, setting a standard for other verticals to follow.
Trend #3: Leaders will see APIs as representing both security and business risks
The need to protect business operations, customers, and data will be a key driver for organizations to implement API security platforms. Yet leaders may want to take a broader look at the problem of managing APIs.
That's because the lack of control, security, and governance around APIs doesn't just increase risk; it is also operationally inefficient.
DevOps teams are constantly developing and deploying APIs to connect applications and processes. That means there is a huge number of zombie APIs: APIs that have been abandoned but not yet removed from corporate systems. The lack of synchronized, standardized processes is also increasing process redundancy across API groups. As a result, organizations are spending more on development processes and application maintenance than they need to.
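The discovery and inventory gap described under the first trend, and the zombie APIs described just above, are both visible when you reconcile what a team has declared against what actually receives traffic. The script below is an added example written for this page; it is not Traceable AI's code or product logic. It assumes a constructed inventory of OpenAPI-style path templates and a handful of constructed access-log lines, and reports routes that appear in traffic but not in the inventory (shadow APIs) and routes that are in the inventory but saw no traffic in the log window (zombie candidates).

```python
import re

# Constructed, hypothetical API inventory: the routes a team *believes* it exposes,
# written as OpenAPI-style path templates. Not any real product's specification.
DECLARED_ROUTES = {
    ("GET", "/v1/users/{id}"),
    ("POST", "/v1/payments"),
    ("GET", "/v1/payments/{id}"),
    ("GET", "/v1/reports/legacy"),   # declared, but no longer called by anyone
}

# Constructed sample access-log lines in combined-log style (invented traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2023:10:00:01 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.6 - - [02/Jan/2023:10:00:02 +0000] "POST /v1/payments HTTP/1.1" 201 88
10.0.0.7 - - [02/Jan/2023:10:00:03 +0000] "GET /v1/payments/9001?expand=card HTTP/1.1" 200 300
10.0.0.8 - - [02/Jan/2023:10:00:04 +0000] "GET /internal/debug/dump HTTP/1.1" 200 90210
10.0.0.9 - - [02/Jan/2023:10:00:05 +0000] "DELETE /v1/users/42 HTTP/1.1" 204 0
garbage line that does not parse
"""

# Pull method and path out of the quoted request line; the query string is dropped
# later so that /v1/payments/9001?expand=card still matches /v1/payments/{id}.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_log(text):
    """Yield (method, path) for each parseable access-log line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("method"), m.group("path").split("?", 1)[0]


def template_to_regex(template):
    """Compile /v1/users/{id} into an anchored regex where {param} matches one segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append(r"[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def reconcile(declared, log_text):
    """Compare declared routes with observed traffic.

    Returns three sets:
      observed: declared routes that actually received traffic
      shadow:   (method, path) pairs seen in traffic but absent from the inventory
      zombie:   declared routes that received no traffic in the log window
    """
    compiled = [(method, template, template_to_regex(template)) for method, template in declared]
    observed, shadow = set(), set()
    for method, path in parse_log(log_text):
        hit = next(((m, t) for m, t, rx in compiled if m == method and rx.match(path)), None)
        if hit is None:
            shadow.add((method, path))
        else:
            observed.add(hit)
    zombie = set(declared) - observed
    return {"observed": observed, "shadow": shadow, "zombie": zombie}


def findings(declared, log_text):
    """Render the reconciliation as sorted, human-readable lines for a review ticket."""
    result = reconcile(declared, log_text)
    lines = [f"SHADOW  {m} {p}  (in traffic, not in inventory: discover and own it, or block it)"
             for m, p in sorted(result["shadow"])]
    lines += [f"ZOMBIE  {m} {p}  (in inventory, no traffic: retire it, or confirm it is still needed)"
              for m, p in sorted(result["zombie"])]
    return lines


if __name__ == "__main__":
    for line in findings(DECLARED_ROUTES, SAMPLE_LOG):
        print(line)
```

Run against real data, the log window matters: a route that is quiet for a day is not a zombie, but one that is quiet for a quarter while still declared deserves a retirement ticket. The shadow list is the more urgent output, since an undocumented route (here the constructed `/internal/debug/dump`, returning a large body) is exactly the kind of endpoint that never went through a security review.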
Trend #4: Organizations will right-size data storage to reduce risks
One of the reasons that API security risks are so deadly is that organizations are collecting and storing too much data. While data storage used to be expensive, tumbling costs over the past decade have enabled organizations to collect petabytes of unstructured data, much of which isn't used. As with APIs, organizations have a shadow data problem, with unknown, unmanaged data stores abounding.
As they harden API security, business, IT, and data teams should also rationalize their data holdings. Business is transforming so fast that most historical data is of little use. Organizations now predict operational performance in terms of days and weeks, rather than years. Far better, then, to purge unnecessary data than to risk storing it in an unmanaged database and having it exfiltrated over an unsecured API.
Trend #5: Enterprising CISOs will see API security as an opportunity to innovate
API security is a greenfield opportunity that leading CISOs will exploit to choose and implement the best frameworks, processes, and tools for their organizations. Those that move ahead proactively to implement solutions, such as platforms that enable automated API discovery, cataloging, management, and real-time attack detection, will achieve significant improvements in security and risk mitigation.
They'll also integrate API security testing into preproduction processes, enabling developers to scan and remediate APIs before they are deployed. By doing so, they'll enable teams to use DevSecOps processes to develop and deploy applications at pace, without increasing their organizations' attack surface.
These CISOs will help their organizations outperform competitors who rely on unsecured API gateways or the limited capabilities of web application firewalls. They'll achieve this goal by enabling faster innovation, using connected processes to reap more value from customers, and sparing their organizations from disabling API security breaches.
Trend #6: Leading with API security will differentiate organizations in the marketplace
The future of business is connected, meaning that future API growth is likely limitless. So the question is not whether organizations will secure APIs, but when and how.
Gartner predicts that by 2025, 60 percent of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements. After all, no organization wants to lose control over its business and customer data and precious intellectual property due to partners' poor API security practices, or be on the receiving end of a cybersecurity attack for the same reason.
Since third-party APIs will represent 30 percent of all APIs used to connect organizations' applications and data sources, leaders will think carefully about whom they want to do business with.
To lead with API security, commit to continuous learning
The API security industry is transforming fast. There are myriad tools and platforms that CISOs and their teams can choose from, as well as lessons learned from published lists of API security risks and retrospective analyses of breaches.
By learning more about API security and best practices, CISOs can lead the effort to reduce these risks. They can implement effective governance, standardize and enforce processes, discover and control API holdings, and proactively remediate unsecured APIs before they are used in attacks.
APIs can unlock incredible business value for organizations, or remain a source of unmitigated risk that harms business momentum and revenues. That choice will become increasingly important in 2023.
ABOUT THE AUTHOR
RICHARD BIRD, CHIEF SECURITY OFFICER, TRACEABLE AI
A multi-time C-level executive in both the corporate and start-up worlds, Richard is internationally recognized for his expert insights, work, and views on cybersecurity, data privacy, digital consumer rights, and next-generation security topics. Richard delivers keynote presentations around the world and is a highly sought-after speaker, particularly when he is translating cybersecurity and risk realities into business language and imperatives. He is a Senior Fellow with the CyberTheory Zero Trust Institute and a Forbes Tech Council member, and has been interviewed frequently by media outlets including the Wall Street Journal, CNBC, Bloomberg, The Financial Times, Business Insider, CNN, NBC Nightly News, and TechRepublic.