Why API Security Needs a Proactive Approach

Posted in Security | Bill Doerrfeld | August 8, 2024

API security and governance are top concerns for many technology leaders these days. And if they aren’t, they should be. Pervasive issues, like a lack of rate limiting, poor authorization and authentication, and minimal security awareness, can easily make APIs vulnerable to misuse.

At The Platform Summit 2024, several sessions will explore API security and tactics to mitigate pressing threats. Ahead of the conference, we’re syncing with a handful of key speakers to learn about their upcoming talks and the state of the industry.

At Platform Summit 2024, Antoine Carossio, co-founder and CTO of Escape, will share recent research on API risks and offer remediation advice.

In Stockholm, we’re very excited to welcome back Escape co-founders Antoine Carossio, CTO, and Tristan Kalos, CEO, two Nordic APIs alumni who were recently featured in Forbes’ Europe’s 30 under 30. At the event, they’ll share the results of recent research that analyzed one million domains and revealed over 18,000 exposed API tokens and RSA keys.

I recently caught up with Carossio about the state of API risks. According to Carossio, we need a more proactive and automated approach to avoid issues like secret exposure, business logic gaps, poor visibility, and more. Read his responses to my questions below, and be sure to register for The Platform Summit for a ton of practical API security insights!

What are some key API security issues you see in mid-2024?

To be honest, we still see many organizations struggling to build and maintain a comprehensive API inventory. They don’t even know what they need to secure, and it takes time to integrate API discovery into their roadmaps. Traditional traffic-based API security solutions are slow to deploy, leaving gaps in visibility and, hence, API security for months.

In GraphQL APIs, our latest research indicates that the most significant issue is API4:2023 Unrestricted Resource Consumption, as many GraphQL APIs lack proper rate limiting and resource allocation mechanisms. However, business logic vulnerabilities are even more challenging to detect and address, as they involve flaws in the application’s logic rather than straightforward technical issues, making them harder to identify and mitigate.

Also read: 10 Steps to Catalog Your Growing API Inventory

Escape recently published some damning research exposing 18k API tokens left open on the public web. Why do you think API secrets like keys and tokens are still routinely left open?

API secrets like keys and tokens are often left open due to human error, a lack of appropriate training, and insufficient testing. In our research, 35% of the exposed secrets were actually leaking into frontend code. Indeed, when developing with modern frameworks like Angular or React, developers have to “pack” multiple components together, sometimes including sensitive setup files. If you don’t train them on potential risks, they don’t have the reflexes to avoid these practices.

Security is frequently reactive, with many organizations only prioritizing it after an incident occurs. We hope our research highlights the importance of proactive measures and the need for tools that provide visibility into exposed secrets.

What are some best practices that organizations need to implement to prevent this from happening so often?

To prevent API secrets from being exposed, organizations should centralize the management of API keys and tokens to ensure they are stored securely, accessed appropriately, and rotated regularly. This helps monitor their use and spot vulnerabilities. Scope tokens to specific teams or services so only the necessary people have access and establish a clear process for revoking tokens if they’re compromised.

Make sure to grant only the permissions needed for each token to minimize potential damage, and limit their scope within the system. Keep an eye on usage patterns to detect any unusual activity. It’s also crucial to educate your team about the importance of token security, possibly using gamification or a Security Champion Program to make the learning process engaging and effective. We’ve also covered this topic here.

When do you think implementing an automated API testing process is most crucial: within the testing and development stages or at runtime?

Implementing an automated API testing process is most crucial during the testing and development stages. Early detection and remediation of security issues can prevent vulnerabilities from reaching production, thereby reducing potential risks and costs associated with post-deployment fixes. Again, we do believe that security must be proactive, not reactive.

Do you see generative AI playing a role in mitigating some of these API security threats outlined above? Why or why not? If yes, is it safe to give it this power?

Yes, generative AI will play a significant role in mitigating API security threats. As businesses are pressured to ship revenue-driving features faster, automated solutions are essential for detecting API security threats at scale. API security solutions like Escape will continue to improve their genAI-based algorithms (ex., Escape AI), and solutions that can actually solve market problems will always stand out. While it is safe to leverage generative AI, it is crucial to have proper AI governance to ensure that these tools operate within established security and ethical guidelines.

Without giving away too many details, what can attendees expect from your upcoming talk at the Platform Summit 2024?

Attendees can expect to hear how we made the best investment of our life — turning $100 into the discovery of $20 million in exposed Stripe tokens.
We’ll discuss the risks of exposed API tokens, share insights from our research that analyzed a million domains and found 18,000 exposed secrets, and explain our unique web scanning methods. Plus, we’ll reveal some of the sensitive data we uncovered and offer practical tips to help your organization avoid exposing secrets!

Are you excited for the Platform Summit? Why or why not?

Yes, I am very excited for the Platform Summit! It is a fantastic opportunity to share our latest research, connect with other industry leaders, and have insightful discussions :)
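
An added example, not part of the interview and not Escape's tooling: a build-time check for the frontend leak described above, where bundling pulls server-side configuration into the JavaScript that ships to browsers. The rule ids, file name and sample bundle are constructed for illustration; the `sk_`/`rk_`/`pk_` prefixes are Stripe's key prefixes, and publishable `pk_` keys are deliberately not flagged because they are meant to be used client-side.

```javascript
// Added example: pre-deploy scan of built frontend assets for server-side secrets.
// Rule ids, file name and the sample bundle are constructed for illustration.
const RULES = [
  // Stripe secret (sk_) and restricted (rk_) keys must never reach the browser.
  { id: 'stripe-secret-key', re: /\b[sr]k_(?:live|test)_[0-9A-Za-z]{16,}\b/g },
  // PEM private key headers (RSA, EC, PKCS#8, encrypted PKCS#8).
  { id: 'pem-private-key', re: /-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----/g },
  // "clientSecret: '...'"-style assignments that survive minification as literals.
  { id: 'generic-secret-assignment',
    re: /\b(?:api[_-]?secret|client[_-]?secret|secret[_-]?key)["']?\s*[:=]\s*["']([^"']{12,})["']/gi },
];

// Keep only a short prefix so the CI log does not become a second leak.
function redact(value) {
  return value.slice(0, 8) + '...[redacted]';
}

// Scan one file's text; returns findings ordered by position in the file.
function scanBundle(fileName, text) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of text.matchAll(re)) {
      findings.push({ file: fileName, rule: id, offset: m.index, match: redact(m[0]) });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample: a minified bundle that inlined a server config file.
const FAKE_SECRET = 'sk_live_' + 'EXAMPLEONLY0000000000000';
const FAKE_PUBLISHABLE = 'pk_live_' + 'EXAMPLEONLY0000000000000';
const sampleBundle =
  `!function(){var c={stripePublishable:"${FAKE_PUBLISHABLE}",` +
  `stripeSecret:"${FAKE_SECRET}",clientSecret:"constructed-value-123456"};` +
  `var k="-----BEGIN RSA PRIVATE KEY-----\\nMIIB...";}();`;

const findings = scanBundle('main.abc123.js', sampleBundle);
for (const f of findings) console.log(`${f.file}@${f.offset} ${f.rule} ${f.match}`);
// A CI job would fail the build when findings.length > 0.
```

Run over every file in the build output directory as the last pipeline step before upload, so a secret is caught before it is public rather than rotated after.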