More than two-thirds (77 percent) of government and public sector departments experienced an API (Application Programming Interface) attack last year.

Additionally, 89 percent of public sector organisations say API security is more of a priority now than it was 12 months ago, according to the Noname Security research.
“API attacks are a different animal than the types of attacks that folks have been used to in the past,” explained Noname chief marketing officer, Michael O’Malley.
“APIs have really become mission critical. They’re the building blocks of modern applications and because these are increasing, they’re also very scattered across the estate, both in public and private sectors.
“Our public and private sectors often have federated approaches to it. So, they’ll use many different types of API providers.
“And the third element in this recipe is that they’re not explicitly complex to create a vulnerability and can be easily misconfigured or relatively easily exploited. So, the combination of a mission criticality, the ubiquity and ease of exploit makes it quite an attractive target for attackers.”
New set of challenges
O’Malley said there has also been a level of misplaced confidence in existing cybersecurity tools and approaches.
“The tools that have been used to protect applications like web application firewalls or gateways were designed for a specific purpose and the stakes have changed and they’re not as applicable,” he said. “So, this year, we’re finding more and more officials arriving at the conclusion that they have a new set of challenges.
“They want the largest return for the least effort and that’s what makes APIs such an attractive vector. And both public and private organisations have a good bit to lose – especially when … the sensitive data is involved.”
Advice to organisations
O’Malley advised organisations to take a full inventory of all of their APIs and understand what’s in their estate, as a starting point.
“You can’t manage what you can’t see. When we talk to customers, they’ll say that they have a certain number of APIs and we find significantly more than the customers realise when we apply a discovery process through our platform,” he said.
Additionally, once they have an inventory, organisations should undertake posture management to uncover vulnerabilities and misconfigurations and create a priority list, using the OWASP Top 10 as a guide.








