Public sector a prime target for API attacks

Three-quarters of government and public sector respondents have experienced an API security incident in the last 12 months

Posted 22 September 2022 by Christine Horton

The public sector is experiencing an increase in API (application programming interface) attacks as it continues to digitise more services.

A new report from Noname Security has found that three-quarters of UK and US government and public sector respondents have experienced an API security incident in the last 12 months.

CIOs, CISOs and senior cybersecurity professionals identified Web Application Firewalls (WAFs) (20 percent) as the leading method of attack, higher than the overall average of 17 percent. This was closely followed by DDoS attacks (18 percent) and API gateways (17 percent).

Additionally, 78 percent of government and public sector respondents only have a partial view of their API inventory or they have a full inventory but no idea which APIs return sensitive data. This lack of visibility makes it impossible to adequately secure their API estate.

A greater attack surface

“As they look to digitise more of their processes and take more services online, [the public sector has] become heavily reliant on APIs to help enable this. But APIs also greatly expand the attack surface. As a result, API security has emerged as a key priority for the protection of critical citizen services and data,” noted the report.

It also pointed out several contributing factors to the public sector’s increasing reliance on APIs. “The need to deploy secure, public service-oriented applications is accelerating, but these applications need to match the exceptional usability experienced in the consumer space. They need to integrate with a growing ecosystem of partners in a secure way.”

Noname also pointed out that public sector departments handle some of the most confidential personally identifiable information (PII) relating to homes, employment and healthcare. Half of respondents also said their API security platform helps them maintain compliance with GDPR.

“Interruptions in application performance and/or availability caused by malicious hackers are also a major problem; when someone’s financial support payment depends on it, for example, disruption can lead to immediate hardship.

However, the firm said a deliberate move away from the large outsourcing contracts of the past means there is a need for more in-house IT teams and development to be undertaken. Unfortunately this need arises in an environment where skills are rare and consequently in high demand.

“Due to this reality, IT teams are typically composed of contractors who are very experienced and used to working in teams, but who also have their own way of operating. They don’t always follow consistent processes and often take the knowledge away with them when their job is done. This can make building consistent API security discipline and processes difficult.

“These cumulative and sometimes competing pressures create a considerable conundrum for the public sector: how to rapidly deploy secure, high-functioning products that deliver future-proofed public services, with limited resources.”

APIs needed for innovation

To address these concerns, Noname said, public sector organisations must shift API security testing earlier in the development process. API security and software testing that are traditionally done at a later stage are instead performed during earlier stages, so vulnerabilities are fixed before production. This effectively shrinks the attack surface and reduces the risk of successful attacks in production.
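The visibility gap described earlier (an inventory that does not say which APIs return sensitive data) and the shift-left testing Noname recommends can both be addressed by checking API specifications before deployment. The following is an added example, not code from the report or from Noname: it walks a constructed OpenAPI 3 document (inline, not a real public-sector API) and lists each operation whose response schema contains PII-looking field names; the keyword list and field names are illustrative assumptions.

```python
import re
# Constructed sample OpenAPI 3 document (not a real public-sector API): the claims operation
# returns citizen PII through nested $refs and an array element schema; /health does not.
SAMPLE_SPEC = {
    "paths": {
        "/claims/{id}": {"get": {"responses": {"200": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Claim"}}}}}}},
        "/health": {"get": {"responses": {"200": {"content": {"application/json": {"schema": {"type": "object", "properties": {"status": {"type": "string"}}}}}}}}},
    },
    "components": {"schemas": {
        "Claim": {"type": "object", "properties": {"claimId": {"type": "string"},
            "claimant": {"$ref": "#/components/schemas/Person"},
            "dependants": {"type": "array", "items": {"$ref": "#/components/schemas/Person"}}}},
        "Person": {"type": "object", "properties": {"nationalInsuranceNumber": {"type": "string"},
            "dateOfBirth": {"type": "string"}, "homeAddress": {"type": "string"}}},
    }},
}
# Illustrative PII keyword list; a real deployment tunes this per organisation.
PII_PATTERN = re.compile(r"national.?insurance|nino|ssn|date.?of.?birth|dob|address|"
                         r"email|phone|passport|medical|diagnosis", re.IGNORECASE)

def _resolve(spec, schema):
    # Follow local '#/...' $refs to the target schema (remote refs unsupported).
    while "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema

def _pii_fields(spec, schema, prefix=""):
    # Recursively collect dotted property paths whose names match PII_PATTERN.
    schema = _resolve(spec, schema)
    found = [prefix + n for n in schema.get("properties", {}) if PII_PATTERN.search(n)]
    for name, sub in schema.get("properties", {}).items():
        found += _pii_fields(spec, sub, prefix + name + ".")
    if "items" in schema:  # array: descend into the element schema, marking the path with []
        found += _pii_fields(spec, schema["items"], prefix[:-1] + "[].")
    return found

def find_pii_endpoints(spec):
    # Map 'METHOD /path' -> sorted PII field paths, for operations whose responses return PII.
    report = {}
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            fields = [f for resp in op.get("responses", {}).values()
                      for media in resp.get("content", {}).values() if "schema" in media
                      for f in _pii_fields(spec, media["schema"])]
            if fields:
                report[f"{method.upper()} {path}"] = sorted(set(fields))
    return report
```

Run against a real specification in CI, a non-empty report is the list of operations that need access control, logging and data-minimisation review before release.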

“By nature, APIs expose application logic and sensitive data which is abundant in government and public sector organisations and, because of this, they have increasingly become a target for attackers. However, without secure APIs, rapid innovation would be impossible,” said the report.

“Building secure applications creates trust and confidence that these public-facing systems are able to protect the personal data of the citizens they serve, therefore API security will become even more important in the years to come.”