Why Are APIs so Easy for Threat Actors to Exploit?
2023-10-10 21:0:40 Author: securityboulevard.com (view original) Views: 9

When we picture the scene of a truly phenomenal heist, we might think of a film like Ocean’s Eleven, with everything meticulously planned, practiced and executed flawlessly for a big payday. This certainly makes for an exciting action movie, but the reality of most criminal enterprises is following the path of least risk and resistance, and in the world of cybercrime, lax API security creates the perfect window of opportunity, often with a low barrier to entry.

This has been the case for years, and the problem is spiraling out of control. APIs are clever little snippets of code that provide seamless communication between applications, and according to research from Noname Security, enterprises run an average of 15,564 APIs within their organization. That’s far too many to track without a plan, and the general lack of ownership surrounding API security has created the ultimate white elephant.


Let’s Explore Why

Poor authentication hygiene, poor coding patterns and poor security outcomes.

Some of the worst data breaches on record have been made possible through weak API access control. Back in 2018, Aadhaar, the world’s largest ID database, suffered a catastrophic breach thanks to the lax API security controls of a third-party site, exposing the sensitive information of more than 1.1 billion Indian citizens.

Although more than five years have passed since that incident, we continue to see countless large enterprises tripped up by the same problems with similarly devastating outcomes. Even giants like LinkedIn and T-Mobile are recent victims of API security vulnerabilities being exploited by bad actors. It is clear that, no matter how many resources an organization has to move at the speed of digital innovation and demand, the “secret sauce” for addressing common vulnerabilities generally remains conspicuously absent.

For me, the driving concern is the perpetual use of poor coding patterns and the general lack of security awareness—especially around API access control and authentication—that seems to plague development cohorts all over the world. And it’s not their fault: We must be committed to their continual upskilling in security best practices, as it relates to their everyday work, and give them the time and tools to improve their code quality. Too often, security is pushed aside, and developers are not brought on the journey to play a role in solving the issues that they have control over, yet they become easy scapegoats when stretched, overworked security teams go looking for the weakest link. It seems 2023 is the year we stop passing the buck and start sharing responsibility with clear expectations and enablement, especially among those whose hands are on code-level tasks.

Who is Holding the API Hot Potato in Your Organization?

A recent study from Traceable revealed some alarming insights into how API security is managed within many organizations. Some 40% of organizations do not have a dedicated API security professional or team, and the perception of who ultimately owns API security varies wildly. In fact, 38% of respondents insist the CISO owns it, while 25% claim development and/or DevOps is responsible. Worryingly, 24% of respondents don’t know who or what department should manage API security matters day-to-day.

If ownership and responsibility for API security are hazy, or it’s a hot potato that gets tossed between security personnel and developers, it’s time to draw a line in the sand and establish key roles and responsibilities.

In my opinion, it can and should be a developer-owned issue, but do not leave them in the dark and expect them to find their own way. Precise, relevant learning pathways should be made available, and those who step up should be compensated for their increased value as security-skilled developers.

Privilege Escalation is the Ultimate Goal

We have known for a long time that exploits of weak API access control often turn into potent privilege escalation attacks, and that outcome is exactly what the threat actor is after.

Put simply, the way in which we currently handle API security makes this potentially devastating outcome easier to achieve than many other attack vectors, with the promise of a seriously valuable payoff. We shouldn’t be making it so easy, and one of the most straightforward solutions is to fix longstanding ownership issues for good by making it second nature for developers to tackle API security issues. Yes, it requires extra time, training and responsibility, but the pros far outweigh the cons and improve the security posture of any organization.
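As an added illustration (not code from the article), the handler pair below shows the two access-control gaps the article is pointing at: an authenticated user reading another user's record because nothing ties the caller to the object, and an admin-only operation that never checks the caller's role, each beside its hardened form. The users, records, request shape and function names are all constructed for this example.

```python
# Added example, not from the article: weak and hardened API handlers.
# Authentication is assumed to have already set session_user; the point is
# what the handler does (or fails to do) with that identity afterwards.

class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""

# Constructed server-side state: authenticated identity -> role, and records.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
RECORDS = {101: {"owner": "alice", "data": "alice-private"},
           102: {"owner": "bob", "data": "bob-private"}}


def get_record_weak(session_user, params):
    # Weak: the caller is known, but nothing ties them to the record, so any
    # authenticated user can walk the ids and read everyone's data.
    return RECORDS[int(params["id"])]


def set_role_weak(users, session_user, params):
    # Weak: an admin-only operation with no role check, and target/role come
    # straight from the request body, so a plain user can promote themself.
    return {**users, params["target"]: params["role"]}


def get_record(session_user, params):
    # Hardened: authorize the specific object (owner or admin only).  A missing
    # id gets the same answer as a denied one so ids cannot be probed.
    record = RECORDS.get(int(params["id"]))
    if record is None or (record["owner"] != session_user
                          and USERS[session_user] != "admin"):
        raise Forbidden(f"{session_user} may not read {params['id']}")
    return record


def set_role(users, session_user, params):
    # Hardened: the caller's privilege comes from server-side state for the
    # session user, never from the request, and the new role is validated.
    if users.get(session_user) != "admin":
        raise Forbidden(f"{session_user} is not an admin")
    if params["role"] not in ("user", "admin"):
        raise ValueError("unknown role")
    return {**users, params["target"]: params["role"]}


def escalation_possible(handler, users, session_user):
    # Can session_user turn themself into an admin through this handler?
    try:
        promoted = handler(users, session_user,
                           {"target": session_user, "role": "admin"})
        return promoted[session_user] == "admin"
    except Forbidden:
        return False
```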

What are you waiting for?

Source: https://securityboulevard.com/2023/10/why-are-apis-so-easy-for-threat-actors-to-exploit/