API Attacks and How Developers Can Prevent Them


Post by rakhirhif8963 »

Hackers go where the money is, and they are now finding a rich source of information to steal from application programming interfaces (APIs), says Jonathan Care, a renowned cybersecurity expert, formerly a senior research director at Gartner and now an adviser to consultancy Lionfish Tech Advisors. The New Stack quotes him on how developers can prevent attackers from attacking APIs.

“Why should API security be your focus? Because 80% of internet traffic goes through APIs,” Care explains. “And of course, if that traffic goes up, then the bad guys will follow. It makes sense: as [legendary bank robber] Willie Sutton said, ‘I attack banks because that’s where the money is.’”

Exploit kits are inexpensive, he says, with one kit available for rent for about $1,400 a month. Mixing exploits is a common tactic for an attacker to gain access to a sensitive server, steal data, and then download ransomware, he adds.

“Attackers build an economic model around this, estimating the cost of an attack and the expected profit, whether it’s data theft, fraud, or downloading ransomware,” says Care. “And all of that is possible with API exploits.”

Moving to API-centric security
Despite this reality, organizations focus on infrastructure and attacks on end-user web applications, leaving APIs vulnerable, laments Care. The defense model has traditionally been a castle with a moat, but that metaphor needs to be updated, he says.

“We’re not protecting a castle, we’re protecting a marketplace, which means we have to protect multiple points, not just one entry point, because of course people are going to come from all over, agents are going to come from all over and try to do business in the marketplace using the APIs that we provide,” says Care.

The increased speed of development and the shift to microservices have increased the need to secure APIs, he says. He advises organizations to start an “active, continuous, iterative discovery and inventory process” that maps out applications and keeps an updated list of APIs. After all, unmanaged APIs are the ones that pose the greatest risk.
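One way to approach the discovery and inventory process described in the post, as an added example that is not from the post or the article it quotes: compare the routes that actually answer in gateway access logs with the inventory of known APIs, and report whatever is served but not listed. The inventory, the log format and every route name below are constructed assumptions.

```python
import re
from collections import Counter

# Constructed inventory: the API routes the organization knows it operates.
INVENTORY = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# Constructed access-log lines in common log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /api/v1/users/1842 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2025:10:01:05 +0000] "POST /api/v1/orders HTTP/1.1" 201 98
198.51.100.4 - - [10/Mar/2025:10:02:11 +0000] "GET /api/v1/orders/77?expand=items HTTP/1.1" 200 2048
198.51.100.4 - - [10/Mar/2025:10:02:40 +0000] "GET /api/internal/export/9f1c2a4e-5b6d-4c7e-8f90-a1b2c3d4e5f6 HTTP/1.1" 200 90112
198.51.100.4 - - [10/Mar/2025:10:03:02 +0000] "DELETE /api/v1/users/1842 HTTP/1.1" 204 0
192.0.2.15 - - [10/Mar/2025:10:03:30 +0000] "GET /api/v0/users/12 HTTP/1.1" 200 498
192.0.2.15 - - [10/Mar/2025:10:03:31 +0000] "GET /api/v0/users/13 HTTP/1.1" 200 501
192.0.2.15 - - [10/Mar/2025:10:04:00 +0000] "GET /api/v1/nope HTTP/1.1" 404 0
"""

REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3}) ')
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

def route_template(path):
    """Drop the query string and replace numeric/UUID segments with {id}."""
    segments = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in segments)

def unmanaged_routes(log_text, inventory):
    """Count served (method, route) pairs that are absent from the inventory."""
    seen = Counter()
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        method, path, status = m.group(1), m.group(2), int(m.group(3))
        if status in (404, 405):   # nothing answered here: not a live route
            continue
        route = (method, route_template(path))
        if route not in inventory:
            seen[route] += 1
    return dict(seen)

if __name__ == "__main__":
    for (method, route), hits in sorted(unmanaged_routes(SAMPLE_LOG, INVENTORY).items()):
        print(f"{hits:4d}  {method:6s} {route}")
```

Run on a schedule against fresh logs, the output is the list to triage: each entry is either added to the inventory with an owner or retired.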