APIs (Application Programming Interfaces) are a key part of digital transformation strategies, and securing those APIs is a top challenge. APIs are a rapidly growing attack surface that isn't widely understood and can be overlooked by developers and application security managers.
Let’s let OWASP API Security Project take this: “APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”
Again, from OWASP:
API Security focuses on strategies to mitigate the unique security risks of APIs. Traditional vulnerabilities are less common in API-based apps:
API security is important because businesses use APIs to connect services and to transfer data, so a hacked API can lead to a data breach. According to Gartner, 90% of web-enabled applications will have more attack surface area in exposed APIs rather than in the user interface.
According to Forrester, from December 2020 to June 2021, the percentage of API traffic that was malicious grew 85%. In December 2021, Cloudflare reported that API calls accounted for 54% of total requests and increased 21% from February to December 2021. Attackers have taken notice and increased their focus on APIs.
API security testing is part of the core capabilities in the Gartner MQ for Application Security Testing.
APIs have become an essential part of modern applications (e.g., single-page or mobile applications), but traditional AST toolsets may not fully test them, leading to the requirement for specialized tools and capabilities. The ability to discover APIs in both development and production environments and test API source code, as well as the ability to ingest recorded traffic or API definitions to support the testing of a running API, are typical functions.
Watch these demos on our Fortify Unplugged YouTube channel