What is the Best Immunity from API Attacks?

Posted on by RSAC Editorial Team


This blog is part of a 10-part series that dives into the RSAC 2023 Submissions Trends pulled from our record number of Call for Speakers submissions in 2023. In this blog, we focus on Achilles’ Heels surrounding API attacks.

Salesforce is cited with launching the first modern API back in 2000. Since then, the number of public and private APIs have grown to over 200 million. APIs have become a staple on every developer’s menu to accelerate the development process and lower costs by connecting different platforms, applications, and systems to consume and share information. As much as developers have come to rely on APIs, attackers have come to exploit them.

Rupesh Chokshi, SVP & GM, Application Security at Akamai, in the session Spotlight on Latest Web Application and API Attack Data, shared just how vulnerable APIs are to attack. Chokshi asserted, “it is astonishing to see the amount of adversary focus in this space.” The session covered the key highlights of Akamai’s State of the Internet Report which noted 2022 was another year of record attacks, with 161 million attacks happening in a single 24-hour period between October 8 – 9. Chokshi continued, “we say it’s a record year every year. It’s not slowing down because the pace of digitalization is not slowing down.”

Chokshi also pointed out that the inclusion of API attacks in the 2023 OWASP Top 10 list of web application threats, as well as the separate API Top 10 list, shows the distinct nature of API threats and how much more pronounced the problem continues to be.

Brian Vecci, Field CTO at Varonis, flipped the script in his session, Hacking the Cloud: Play-by-Play Attack on GitHub, Okta and Salesforce, by showing just how easy it is for attackers to use off the shelf security tools and API calls to exploit vulnerabilities. In minutes, Vecci was able to show through live demonstrations how an attacker can assign Super Admin privileges to a backdoor user and exfiltrate data from sensitive systems.

Behavioral analytics is one of the approaches being used to identify attacks and improve API security.  Analyzing the behavioral patterns of API calls made to a system, such as the frequency, source, and timing of requests, can be used to create a baseline of normal behavior. Any API call that falls outside the range of what is considered normal can be suggestive of an attack. Behavioral analytics can also be used to identify threats by looking at the data being transmitted through the API, such as large amounts of data being sent at unusual times.

Behavioral analytics isn’t just useful for identifying threats to application APIs. Endpoint APIs are also vulnerable to a range of security threats. Matt Benyo and Jaron Bradley of Jamf, in the session MacOS Behavioral Detections Using Apple Endpoint Security API, discussed how they have found success using the Apple framework monitoring for applications behaving in ways they shouldn’t be. Behavioral detection has been around for a while as Benyo noted, “they have increased in value as security experts have created a better baseline of what normal activity looks like versus anomalous activity.”  The downside, Benyo stated, is that behavioral detection can lead to a higher false positive ratio. “This makes sense because you are looking at a broader pattern of activity versus something very objective like a file hash or a set of strings that appear in a file.”

Nearly everything in the digital world is connected together by an API thus no business or industry is immune from attack. In fact, Akamai estimates that over 80% of web traffic is a result of API calls. Attackers will always go for the path of least resistance so making it harder for them to exploit the organization is the best defense. This sentiment was echoed by Chokshi, who closed with three practical tips for the best immunity against API attacks: mitigate new or zero-day vulnerabilities before a crisis, practice secure code development, and integrate and automate security controls to match the speed of attacks.

RSAC Editorial Team

Editorial, RSA Conference

RSAC Insights Technology Infrastructure & Operations

Application Security Testing vulnerability assessment risk & vulnerability assessment application security web application firewall

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs