Watch out for More Regulatory Focus on API Security in 2024 Posted in Security Ross Moore December 13, 2023 Regulatory and compliance requirements are changing rapidly in the tech world, bringing new expectations for software providers. For years, people have wondered how GDPR would turn out. And over the last few years, lawsuits have taken place that provide precedents for future cases. Just consider the state of new compliance requirements. For example, PCI-DSS has grown to version 4 (3.2.1 is expected to be retired in Q1 2024) and adds enhanced requirements such as stronger passwords and continuous monitoring and alerting of public-facing web applications. On January 1, 2023, the CCPA (California Consumer Privacy Act) was amended and expanded by the CPRA (California Privacy Rights Act) to add new privacy protections. Also, on July 26, 2023, the US Securities and Exchange Commission adopted rules that require registrants to disclose cybersecurity incidents within four days after the determination that the breach would materially affect investors. In addition to regulation, there is a growing financial incentive to protect data. Already in 2023, the global average cost of a data breach is $4.45 million. All across the board, what has previously been nice-to-have or self-attested in the security and compliance space is quickly becoming required, either by regulation or customer contract. APIs Become A C-Suite Concern In the middle of all this is the humble application programming interface (API), whose growing reliance has brought newfound security concerns. In a recent survey, “48% of survey respondents say that API security has become a C-level discussion over the past year.” While a view of APIs is usually focused on web applications, it also includes mobile apps. Yet, mobile API security is typically insufficient. For instance, Carnegie Mellon University’s CERT Coordination Center found that “The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.” API security is also becoming more relevant in the context of Internet of Things (IoT) devices. Legal and cybersecurity authorities of multiple countries have developed the “first-of-its-kind joint guidance,” urging manufacturers to ship secure products, both by design and by default. APIs Are Everywhere An API works similarly to a restaurant waiter. The waiter acts as a mediator between customers and the kitchen staff, shielding diners from the complexities of the kitchen and providing a seamless experience. Even willing to accommodate special requests, the waiter caters to each customer’s unique tastes, offering a personalized dining journey (this seems rather flowery and grandiose, especially considering what some might call “greasy spoon” restaurants, but the idea is the same). A major aspect of making a restaurant move as smoothly as possible is the use of protocols or procedures for running the business. Moving back to the world of computing technology, protocols are sets of rules and conventions that define how data is transmitted, received, and processed between different devices or systems. These rules ensure that communication between entities (e.g., APIs) is standardized, efficient, and reliable. These policies establish guidelines for data formatting, error handling, authentication, and allow seamless interaction between devices and applications. With the rising cost of breaches, the increase in application compromises (many of them caused by API weaknesses), the rise in the use of APIs, the upsurge in regulations, amplified cyber insurance requirements, and the demand by customers to include personalized contractual addenda, we can expect at least a demand for the following API security protocols in 2024. Some have been around for some time, but they will likely be requirements rather than suggestions. Important API Security Focuses Proper API Authentication and Authorization API security best practices emphasize the importance of implementing proper authentication and authorization mechanisms for APIs. This includes using secure authentication methods, such as OAuth 2.0, and implementing strong authorization controls to ensure that only authorized users or applications can access the API. Zero Trust for APIs Zero trust is a security framework that assumes no trust, even for internal networks and systems. Zero trust principles are expected to be applied to API security, requiring authentication and authorization for every API request, regardless of the source. API Discovery and Monitoring API discovery and monitoring tools are becoming increasingly crucial for API security. These tools help identify and track API endpoints, monitor API traffic, and detect any suspicious or malicious activity. Transport Layer Security (TLS) Transport Layer Security (TLS) is a cryptographic protocol to secure network communications. In the coming year, TLS is expected to continue being a crucial security measure for encrypting API communications and protecting data in transit. OWASP Top 10 API Security Risks The Open Web Application Security Project (OWASP) regularly updates its list of the top 10 API security risks. The 2023 edition of the OWASP Top 10 API Security Risks includes risks such as broken authentication, broken object-level authorization, security misconfiguration, and unsafe consumption of APIs. Increased Focus on API Security With the rise in API-based connections, API security is a top concern for organizations. The increasing number of API attacks in recent years has highlighted the need for robust security measures to protect APIs and the data they handle. Change Control (Decommissioning, Updating, Upgrading) Out-of-date, orphaned, shadow, and zombie APIs are detrimental to an organization’s security. Improperly managed APIs mean forgotten APIs. And forgotten APIs mean security risks (read “breach potential”). API Documentation Proper documentation drives API security because it provides a single source of truth, a known repository, and gives new developers a running start for API continuity. Proper documentation is necessary for succession planning, streamlining development, and keeping the standards consistent. Customers and other users will greatly benefit from either having the documentation readily available or knowing that it’s being used. Regularly Review and Test Security Regularly review and test the security of API authentication mechanisms. Conduct security audits, vulnerability assessments, and penetration testing to identify and address any vulnerabilities or weaknesses. Moving Ahead We all have data that needs to be protected, data that, if stolen, would cause significant issues — banking, insurance, and healthcare data, to name a few types. So, what can be done to make headway? Well, it may be helpful for data defenders to roleplay being hacked to better determine what they need to do to protect. What measures would you like to see those companies in charge of protecting your data use to protect your information? Make your list and tackle the next item.