Akamai Technologies has made available at no extra cost a connector that makes it simpler for cybersecurity teams to discover application programming interfaces (APIs) that organizations have exposed via its content delivery network (CDN).
Stas Neyman, security strategist at Akamai, said the connector enables organizations that employ the Akamai Connected Cloud to route API traffic to its API Security platform.
Every single modern application today relies on APIs and yet the security of these APIs is often overlooked, said Neyman. The connector being provided by Akamai is intended to make it simpler for organizations using the Akamai CDN to secure them, he added.
Unfortunately, cybersecurity teams often assume the application development teams that created those APIs are responsible for securing them. Conversely, application development teams assume that cybersecurity teams protect APIs using, for example, a web application firewall (WAF).
Cybercriminals, however, have become adept at finding ways to manipulate the business logic exposed via APIs to either exfiltrate data or compromise a workflow, noted Neyman.
Akamai is already being used by more than 100 Akamai customers, who are analyzing more than 300,000 APIs that generate over half a trillion monthly requests. Making the connector available for free to Akamai CDN customers will encourage more organizations to secure APIs in a way that helps reduce the total cost of cybersecurity, noted Neyman.
Of course, it’s not possible to secure APIs that cybersecurity teams are unaware exist. Many cybersecurity teams, unfortunately, don’t tend to have much visibility into how these APIs are being created and deployed. As a result, all these APIs are, in effect, unsecured endpoints. Fortunately, the bulk of these APIs are internally facing, so the immediate crux of the issue is the security of the APIs that are externally accessible, many of which are deployed on CDNs.
Cybersecurity teams, however, should not overlook the security of internally facing APIs. It doesn’t take much for development teams to make an internal API accessible to external users, so what may seem secure enough today can tomorrow become a very big issue when some business unit decides to, for whatever reason, make an existing API accessible to some entity outside the company.
Theoretically, application development teams are assuming more responsibility for API security as part of the general shift left of responsibility for application security via the adoption of DevSecOps best practices. The challenge is that organizations are now routinely deploying thousands of APIs, which means a security incident involving APIs is all but certain. Organizations can reduce the scope of those threats by creating a center of excellence for API security that includes both application developers and cybersecurity professionals, noted Neyman.
Regardless of approach, APIs present a rich target to cybercriminals, who now routinely scan for misconfigured APIs or so-called Zombie APIs that are no longer maintained or protected by the application development team that initially deployed them. Once those APIs are discovered, it might take months for cybersecurity teams to unravel the havoc those cybercriminals have been able to wreak.