API-First Strategies Require API-First Security



Editor’s note: This post was originally published in July 2021 in ToolBox.

Back in 2017, Gartner predicted that API abuse would be the most frequent attack vector for data breaches by 2022. Two years later, when exposed APIs already made up 40% of the attack surface for web-enabled applications, the research and advisory company estimated that figure to soar to 90% by 2021. 

And based on a Q1 2021 State of API Security study from API security company Salt Security, it does look like we’ll simply hurtle past all those predicted milestones.  

Here’s the low-down on the key findings of the study, compiled from survey data from security, application, and DevOps professionals and anonymized, aggregated data from the firm’s API security platform. 

Of the survey respondents, 91% had suffered an API security incident in the previous 12 months. Over the same period, the platform data showed that every customer had experienced at least one attack (though every attack was foiled), with more than half subject to an average of 10 to 50 attacks per month.

API traffic has been growing exponentially over the years. For instance, Google Cloud’s Apigee API Platform registered 2.21 trillion calls last year, an annual increase of nearly 50% that parallels growth in API call volumes on the Salt platform.

[Figure: "Applications Powered by APIs" bar graph. Source: Apigee State of API Economy 2021 Report]

APIs are also being deployed for a wide array of applications. According to the 2021 State of the API Economy report, larger companies use APIs more often to power mobile applications, and more mature users are widely adopting API-powered application development for automation and IoT.

Most companies have shifted to an API-first strategy to power digital transformation, accelerate innovation and build digital ecosystems that enhance productivity and value. However, the API attacks, breaches and abuse just keep getting bigger and more frequent. In just the past couple of months, there have been reports of an unsecured API at consumer credit bureau Experian leaking the credit scores of tens of millions of Americans, fitness brand Peloton’s leaky API exposing private account data and invite-only chat app Clubhouse essentially becoming…