As seen on Economy Middle East.
Hackers are increasingly targeting companies via APIs
Mobile giant T-Mobile recently suffered a data breach affecting 37 million accounts after an attacker abused an application programming interface (API). APIs are integral to modern businesses because they let companies integrate third-party software into their workflows and expose their own services to partners and customers. In fact, the UAE Government aims to adopt an API-first approach for its digital transformation initiatives.
Edward Roberts, VP Marketing at Neosec, an API security company, tells us that, according to some estimates, API traffic accounts for over 80% of all traffic on the internet. “Because of this, APIs are major targets for attacks and the need for organizations to protect this vast and exponentially growing attack surface is essential,” suggests Roberts.
Alexandre Gaillard, CEO, InvestGlass, agrees, adding that as more organizations, private and public, turn to APIs for their digital transformation initiatives, the need for robust security measures around these interfaces becomes increasingly important.
Commenting on the increased use of APIs in the region, Gaillard specifically highlights the push for open banking. Calling it a “revolutionary concept,” he explains that open banking enables customers to take advantage of their data by giving third parties access to it through APIs.
“A sign of an important change in the region is clear as in March 2022, a network of ten banks now supports Egypt’s move towards a digitized banking system,” explained Gaillard, adding that the Saudi Vision 2030 framework is clearly in favor of boosting the use of APIs.
“This open banking API solution is a new game changer in this industry. This means also that a new generation of managers will have to be educated about these APIs’ risks,” said Gaillard.
Richard Bird, Chief Security Officer at Traceable, is of the opinion that APIs that are publicly exposed or are used to allow access by the public for government services must be both tightly controlled and constantly monitored.
“The US provides an important set of bad examples that the UAE must heed in their use of APIs for government services. Bad actors have stolen billions in government funds intended for citizens by capitalizing on a simple weakness,” warns Bird.
When it comes to securing APIs, Konstantin Damotsev, a Dubai-based Penetration Tester for Group-IB, believes API security requires a comprehensive approach, and that “it’s important [for companies] to have an understanding of the specific functionality provided by the API and [to] implement appropriate security measures to protect against potential attacks.”
Richard Gardner, CEO, Modulus Global, suggests that security teams should review the OWASP API Security Top 10 project, which provides a comprehensive analysis of API security risks, as well as guidance on how to mitigate them.
“Beyond that, it is critical that, before implementing any API, a complete security assessment is executed to identify potential vulnerabilities and risks,” advises Gardner, adding that “vulnerability and penetration testing should be done at the outset, as well as regularly throughout the course of API use.”
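To make the advice above concrete, here is an added example that is not from the article or from any of the quoted companies. It shows the first entry of the OWASP API Security Top 10, API1 Broken Object Level Authorization (BOLA), in a tiny in-memory account API: a handler that authenticates the caller but never checks that the caller owns the record named in the URL, the same handler hardened with an object-level ownership check, and the kind of automated check an assessment or regular penetration test would run against both. The accounts, tokens, field names and the `Response`/`authenticate` helpers are all constructed for illustration, not taken from any real system.

```python
"""Added example (not from the article or any quoted company): a minimal
in-memory 'customer account' API showing OWASP API Security Top 10 item
API1, Broken Object Level Authorization, first as a vulnerable handler,
then hardened, plus an automated BOLA check to run against both.
All accounts, tokens and names below are constructed for illustration."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data: two customers, each holding a bearer token.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "phone": "+1-555-0100", "pin": "4821"},
    "acct-1002": {"owner": "bob", "phone": "+1-555-0199", "pin": "9330"},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: dict


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Map a 'Bearer <token>' header to a username, or None if absent/invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_account_vulnerable(account_id: str, headers: Dict[str, str]) -> Response:
    """Authenticates the caller but never checks that the caller owns the
    object named in the URL: any valid token can read any account (BOLA)."""
    if authenticate(headers) is None:
        return Response(401, {"error": "unauthenticated"})
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return Response(404, {"error": "not found"})
    return Response(200, acct)


def get_account_hardened(account_id: str, headers: Dict[str, str]) -> Response:
    """Same endpoint with an object-level authorization check: the account
    must belong to the authenticated user. Missing and foreign accounts both
    return 404 so the endpoint cannot be used to enumerate valid IDs."""
    user = authenticate(headers)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != user:
        return Response(404, {"error": "not found"})
    return Response(200, acct)


def bola_check(handler: Callable[[str, Dict[str, str]], Response],
               victim_account: str, attacker_headers: Dict[str, str]) -> bool:
    """Assessment check: as a legitimate but unrelated user, request someone
    else's object through the handler. Returns True if the object leaks."""
    resp = handler(victim_account, attacker_headers)
    return resp.status == 200


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    for name, handler in (("vulnerable", get_account_vulnerable),
                          ("hardened", get_account_hardened)):
        leaked = bola_check(handler, "acct-1001", bob)
        print(f"{name}: bob reading alice's account -> "
              f"{'LEAK' if leaked else 'blocked'}")
```

The check is deliberately written against the handler rather than a live server so it can sit in the API's own test suite and run on every build, which is the "regularly throughout the course of API use" part of Gardner's advice; the same request pattern (valid credentials, someone else's object ID) is what a manual tester would send with an HTTP client against a deployed endpoint.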