When it comes to protecting your attack surface, there’s hardly anything more challenging than APIs. After all, APIs exist to grant outside parties access to data you’re responsible for protecting. And if you’re going to have a public-facing door to your data, you’d better protect that door well.
Of course, hackers are well aware of that public-facing door. So, it should come as no surprise that API attacks are on the rise.
API attacks are on the rise
According to The Hacker News, “hackers are increasingly exploiting APIs to gain access to and exfiltrate sensitive data. In 2022 alone, 76% of cybersecurity professionals admitted to experiencing an API security related incident. If that wasn’t attention-grabbing enough, US businesses incurred upwards of $23 billion in losses from API-related breaches during the same time period.”
Just the attention they get from attackers makes APIs challenging enough to protect. But there are other reasons too.
What makes protecting APIs so challenging?
It’s one thing for hackers to take the time to manually probe an API for weaknesses. It’s quite another to unleash technology to multiply their efforts. That’s what those tasked with protecting APIs now face: automated API attacks.
From Help Net Security, “As attack automation becomes an increasingly prevalent threat against APIs, it’s critical that organizations have the tools, knowledge and expertise to defend against them in real time.”
Automated attacks against APIs have become so prevalent that the 2023 release candidate of the OWASP API Security Top 10 added a new category for them, API8:2023 Lack of Protection from Automated Threats (carried into the final 2023 list as API6:2023 Unrestricted Access to Sensitive Business Flows).
The bottom line? “The API threat landscape is constantly evolving, and organizations must be vigilant in protecting their APIs and web applications from automated threats (bots) and vulnerability exploits. Attackers are getting more creative and specific in their tactics, and traditional protection techniques are no longer enough.”
So, what’s the answer? Well, one of them is threat modeling.
Threat modeling for APIs
At its simplest, threat modeling is a discipline for acknowledging, identifying, and mitigating threats. That’s true whether the threats are carried out by hand or by a bot farm. Automation changes the attacker’s speed and scale, not the weakness being exploited, so the fact that most API attacks are now automated doesn’t change the approach. What it does change is priority: a missing rate limit or bot check on a signup, login, or checkout flow stops being a nuisance and becomes a breach path.
When you look at industry-wide best practices for securing APIs, you tend to see the same things over and over. One of the practices you see frequently is to assess your API risks:
Another important API security best practice is to perform a risk assessment for all APIs in your existing registry. Establish measures to ensure they meet security policies and are not vulnerable to known risks. A risk assessment should identify all systems and data affected if an API should be compromised, and then outline a treatment plan and the controls required to reduce any risks to an acceptable level.
If that sounds a lot like threat modeling, that’s because it is. In essence, threat modeling your API is an industry best practice for protecting it.
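To make the risk-assessment step concrete, here is an added example (not code from the original post or from ThreatModeler) of a small rule-based threat-modeling pass over an API inventory. The inventory schema, the endpoint entries, the rule set and the severity weights are all constructed for illustration; a real pass would be fed from an OpenAPI document or a gateway export and carry the organization’s own rules. Each rule maps to one OWASP API Security Top 10 2023 category, and the ranking at the end is the “treatment plan” ordering the quoted best practice asks for.

```python
# Added example (not from the original post or from ThreatModeler): a rule-based
# threat-modeling pass over an API inventory. Schema, endpoints, rules and
# severity weights are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    method: str
    path: str
    auth: str                                    # "none", "api_key" or "oauth2"
    data: set = field(default_factory=set)       # data classes handled: "pii", "payment", "public"
    business_flow: bool = False                  # signup, login, checkout, password reset ...
    controls: set = field(default_factory=set)   # "rate_limit", "bot_detection", "captcha", "object_authz"

    @property
    def name(self) -> str:
        return f"{self.method} {self.path}"


@dataclass
class Finding:
    category: str    # short key; the OWASP mapping is in the comment beside each rule
    severity: str    # "high", "medium" or "low"
    rationale: str
    mitigation: str


SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}
ANTI_AUTOMATION = {"rate_limit", "bot_detection", "captcha"}


def findings_for(ep: Endpoint) -> list:
    """Apply every threat rule to one endpoint. The same rules apply whether the
    attacker is a person with curl or a bot farm; automation only changes scale."""
    out = []
    sensitive = bool(ep.data & {"pii", "payment"})

    # 2023 RC API8 Lack of Protection from Automated Threats
    # (API6 Unrestricted Access to Sensitive Business Flows in the final list)
    if ep.business_flow and not (ep.controls & ANTI_AUTOMATION):
        out.append(Finding("automated-threats", "high" if sensitive else "medium",
                           "sensitive business flow with no rate limit, bot detection or challenge",
                           "add per-identity and per-source rate limits plus bot detection in front of this flow"))

    # API1 Broken Object Level Authorization: caller-supplied object id, no recorded ownership check
    if "{" in ep.path and "object_authz" not in ep.controls:
        out.append(Finding("bola", "high" if sensitive else "medium",
                           "path takes an object identifier but no object-level authorization check is recorded",
                           "verify the authenticated principal owns or may access the referenced object"))

    # API2 Broken Authentication (simplified heuristic): anonymous reads of sensitive data
    if ep.auth == "none" and ep.method == "GET" and sensitive:
        out.append(Finding("unauthenticated-sensitive-read", "high",
                           "returns PII or payment data without authentication",
                           "require authentication and scope the response to the caller"))

    # API4 Unrestricted Resource Consumption: anything without a rate limit
    if "rate_limit" not in ep.controls:
        out.append(Finding("no-rate-limit", "low",
                           "no rate limit, so scraping and resource exhaustion are unthrottled",
                           "apply a default rate limit at the gateway"))
    return out


def risk_score(ep: Endpoint) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings_for(ep))


def rank(inventory) -> list:
    """Treatment-plan order: highest-risk endpoints first, as (name, score) pairs."""
    return sorted(((ep.name, risk_score(ep)) for ep in inventory), key=lambda t: -t[1])


# Constructed inventory (hypothetical endpoints, not from the original page).
INVENTORY = [
    Endpoint("POST", "/v1/accounts", "none", {"pii"}, business_flow=True),
    Endpoint("GET", "/v1/users/{id}/profile", "oauth2", {"pii"}, controls={"rate_limit"}),
    Endpoint("POST", "/v1/checkout", "oauth2", {"payment"}, business_flow=True,
             controls={"rate_limit", "bot_detection"}),
    Endpoint("GET", "/v1/catalog", "none", {"public"}),
]

if __name__ == "__main__":
    by_name = {ep.name: ep for ep in INVENTORY}
    for name, score in rank(INVENTORY):
        print(f"{score:>3}  {name}")
        for f in findings_for(by_name[name]):
            print(f"       [{f.severity}] {f.category}: {f.rationale} -> {f.mitigation}")
```

Run as a script it prints the ranked endpoints with their findings; the unprotected signup flow lands on top because it is both a sensitive business flow with no anti-automation control and unthrottled, while the checkout endpoint, which already has rate limiting and bot detection, produces no findings. The value of keeping the rules as code is that the assessment reruns automatically every time the inventory changes, which is what “automated threat modeling” means in practice.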
What’s the best way to counteract automated API attacks? With automated threat modeling, like that available from ThreatModeler.