Who Is Responsible for API Security?

20 January 2023

Introduction

Application Programming Interface (API) are software interfaces that allow apps to communicate. For example, you utilize an API every time you use Google or Twitter, send an instant message, or check the weather on your phone. A graphical user interface is not required for software to communicate. Instead, APIs are machine-readable interfaces that allow software products to share data and functionality easily.

Developer reliance on APIs increased over the past year amidst the global pandemic. A RapidAPI survey reveals that such reliance will continue to expand. Organizations of all sizes from a wide range of industries plan to join the API economy this year, and API testing and security were the top concerns among survey respondents.

APIs, like any other resource available on the internet, have vulnerabilities. Therefore, maintaining security is paramount because APIs can be accessed through the internet, including Uniform Resource Identifiers (URIs) with sensitive data attached.

API Risks

APIs give external parties access to your data by design. Each API includes an endpoint that responds to API requests.

There are flaws in every system. A weakness in a system (hardware or software) that an attacker could exploit is known as a vulnerability. An API endpoint is similar to a web server accessible over the internet. The higher the public’s free and open access to a resource, the greater the potential threat from abusers. APIs provide only minimal access control if any at all. The attack surface has grown as APIs have become a core part of modern app development. By contrast, many websites employ access control and require authorized users to log in.

An API attack occurs when an attacker uses an API maliciously or attempts to breach it. API attacks affect a variety of verticals and businesses. Dangerous threats are becoming more common and improving their targeting of specific web applications.

The increase of API-related security threats in recent years has prompted the Open Web Application Security Project (OWASP) to release the API Security Top 10, which helps raise awareness of the most serious API security issues affecting organizations.

Enforcement

As APIs become more central to modern business, the lack of clarity about who is responsible for API security puts organizations and users in danger. Although the risks are known, almost a third of APIs are approved without review by a company’s IT security team.

Who is responsible for safeguarding APIs? Some believe it is the developers’ job, while others think it is the API team’s responsibility. Unsurprisingly, the API teams blame the DevOps, and the DevOps throw the ball back to the IT department. Unfortunately, all this confusion leads to significant security gaps, which talented hackers are happy to exploit.

When so many teams handle API development, it is hard to assign responsibility for the API security. Each organization has its own structure and method of distributing responsibility, which is often poorly planned and misunderstood. API security vulnerabilities will continue to be exploited by abusers until a defined ownership structure is in place. However, as APIs evolve and become more widely used, security vulnerabilities will only increase.

Moreover, since APIs operate in a constant cycle of creation and updates, iterative feedback loops between development, testing, and production stages connect security and development teams and enable a model of continuous improvement for security.

What You Can Do

Modern software is vulnerable to a wide range of threats. Keeping up with the newest exploits and security issues is a smart but challenging practice. Having benchmarks for such issues helps ensure application security before an attack occurs.

Because APIs create so many entry points across a network’s architecture, putting a firewall in front of a server is no longer enough to protect all entry points. In addition, a traditional WAF-based solution cannot distinguish malicious and legitimate API calls.

The only way to fully secure your APIs is to protect and cover all APIs throughout the entire API software development lifecycle because multiple teams develop APIs. As a result, some vulnerabilities can only be identified at the code level in development. Some can be caught by testing with smart simulations. Others can only be discovered by monitoring APIs in real-time in production, setting a baseline of expected behavior, and detecting anomalies.

Wib ensures that your organization establishes a continuous improvement and efficiency model for API security. It provides complete visibility and insights for identifying, prioritizing and eliminating vulnerabilities, preventing recurring errors and keeping your user’s data safe throughout your product development lifecycle.

July 26th, 2023

High-Definition API Risk Ranking

Enhancing OWASP’s Methodologies for Comprehensive API Security Zooming in on a closer, crisper picture […]

> Read the blog post

June 1st, 2023

The New OWASP API Top 10 2023: A Wib Perspective

The Open Web Application Security Project (OWASP) is a non-profit organization committed to improving […]

> Read the blog post

June 1st, 2023

API Adoption: Go Faster, Go Safer! Don’t let API security hold you back

Overcoming security challenges across the API lifecycle Security sometimes feels like an afterthought for […]

> Read the blog post

April 17th, 2023

WTF are Shadow & Zombie APIs?

As more companies adopt microservice architectures, APIs (application programming interfaces) have become crucial for […]

> Read the blog post

View more blogs

Cookie	Duration	Description
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (which increments with each pageview in a session), and session start timestamp.
__hssrc	session	HubSpot cookie sets this cookie to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to store the user consent.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to track the beginning of the user's journey for a total session count. It does not contain any identifiable information.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether that visitor is included in the data sampling defined by your site's pageview limit.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	1 year 1 month 4 days	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjRecordingEnabled	never	Hotjar sets this cookie when a Recording starts and is read when the recording module is initialized, to see if the user is already in a recording in a particular session.
_hjRecordingLastActivity	never	Hotjar sets this cookie when a user recording starts and when data is sent through the WebSocket.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
_hjIncludedInSessionSample_3388746	2 minutes	No description
_hjSession_3388746	30 minutes	No description
_hjSessionUser_3388746	1 year	No description
incap_ses_1177_2167377	session	No description
incap_ses_456_2167377	session	Description is currently not available.
referrerd7_003	1 month	No description
visid_incap_2167377	1 year	No description

Introduction

API Risks

Enforcement

What You Can Do

Just dropped…!