API Security Needs Are Growing Ever Larger
APIs are the most rapidly growing attack surface, but they still aren’t widely understood and can be overlooked by developers and application security managers.

- APIs are the Developer Tool of Choice and #1 Target for Malicious Use.
- Gartner states that by 2023, over 50% of B2B transactions will be performed through real-time APIs, versus traditional approaches*.
* Source: Gartner®, Survey Analysis: Enabling Cloud-Native DevSecOps, Dionisio Zumerle, 13 September 2021
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Modern cloud-native apps typically employ a distributed architecture, services/microservices, and serverless functions. These components communicate with each other, end users, and APIs, creating the need to assess security at the component and system levels. At the component level, interservice communication can use a variety of protocols, ranging from HTTP to SOAP to gRPC. At the system level, an API gateway is typically used to consolidate individual service APIs into a unified business app API, based on HTTP (usually REST). In recent years, however, GraphQL, the Facebook-created language released to the community in 2015, has become increasingly popular.
API testing and discovery is a multi-step process. The first step in securing APIs is to incorporate SAST into the DevSecOps pipeline for each independent component. Then, API security incorporates DAST scanning at both the component- and system-level APIs, where HTTP is utilized. The next step is attack-surface discovery, which means providing the endpoints and parameters that constitute the API attack surface (the “what”). In addition to the “what,” proper discovery also incorporates how the API is used (the “how”), which is important for the business logic workflows and sometimes complex authentication at the system level of the API gateway.
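
The discovery step above, as an added example that is not from the original page or any product it describes: this Python enumerates the "what" (endpoints and parameters) and one part of the "how" (whether each operation requires authentication). It assumes the API is described by an OpenAPI 3 document, which the page does not mention; the sample spec and the function names are constructed for illustration.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample spec (an assumption for illustration, not from the page).
SPEC = {
    "security": [{"bearerAuth": []}],              # global default: auth required
    "components": {"parameters": {"Limit": {"name": "limit", "in": "query"}}},
    "paths": {
        "/orders/{id}": {
            "parameters": [{"name": "id", "in": "path"}],    # shared by all methods
            "get": {"parameters": [{"$ref": "#/components/parameters/Limit"}]},
            "delete": {},
        },
        "/login": {"post": {
            "security": [],                        # explicit override: no auth
            "requestBody": {"content": {"application/json": {}}},
        }},
    },
}

def _resolve(spec, obj):
    """Follow a local '#/a/b/c' $ref; return obj unchanged if it has none."""
    ref = obj.get("$ref")
    if ref is None:
        return obj
    node = spec
    for key in ref[2:].split("/"):
        node = node[key]
    return node

def attack_surface(spec):
    """Return one record per operation: method, path, parameters, body types, auth."""
    surface = []
    for path, item in spec.get("paths", {}).items():
        shared = [_resolve(spec, p) for p in item.get("parameters", [])]
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue                           # skips keys such as "parameters"
            own = [_resolve(spec, p) for p in op.get("parameters", [])]
            # Operation-level parameters override path-level ones with the same (name, in).
            params = {(p["name"], p["in"]): p for p in shared + own}
            # Operation 'security' replaces the global one; [] or an {} entry allows anonymous use.
            security = op.get("security", spec.get("security", []))
            surface.append({
                "method": method.upper(), "path": path,
                "params": sorted(f"{loc}:{name}" for name, loc in params),
                "body": sorted(op.get("requestBody", {}).get("content", {})),
                "auth_required": bool(security) and {} not in security,
            })
    return sorted(surface, key=lambda e: (e["path"], e["method"]))
```

Operations that come back with `auth_required` set to false are the ones to review first, and the per-operation parameter list is the input a DAST scan needs for coverage.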