Application programming interfaces, or APIs, have become an integral part of maintaining an online business, and are often indispensable for cross-functionality and user experience.
However, the increased use of APIs has led to a rise in attacks against them. This can in turn cause breaches of company data or even full account takeovers. Improperly-managed APIs are a key attack surface and firms would do well to treat this seriously as threat actors step up their efforts at exploitation.
In this episode, Rory and Jane are joined by Yaniv Balmas, VP of security research at Salt Security, to discuss the risks that come with using APIs and how to mitigate against them.
Highlights
“When you're speaking a different language than the service is expecting to hear, there could be one of many, many, many issues that will follow starting from very simple things like, you know, simple error page or server crash or something like that. And ranging up into, you know, information disclosure, full account takeovers, and stuff like that.”
“As time passes, yeah, more attackers join this API attacking club, and that's why we see this increase. And if you're asking my predictions on the future I don't see that stopping or, you know, start being in lower volumes. Quite the opposite.”
“If it's a third party tool that you're using, then you need to test it to make sure that, you know, it complies with everything and that it stops everything, all the relevant API attacks. And then finally, once you've deployed your solution, that's not enough because this world is constant, it's dynamic. It's constantly changing. There are always new attacks, every day you hear about new techniques and a new attack.”
Read the full transcript here.
Footnotes
- 90% of businesses experienced API security vulnerabilities in 2020
- Research: Luxury cars and emergency services vehicles vulnerable to remote takeover
- Hyundai vulnerability allowed remote hacking of locks, engine
- 4 Things to Know about Your Car and API Security
- The API economy: What your business needs to know
- T-Mobile customers at heightened risk of phishing attacks in wake of data breach
- Twitter API keys found leaked in over 3,200 apps, raising concerns for linked accounts
- Could APIs be your business' secret weapon?
Subscribe
