A lot has transpired within a span of just a few months – that’s the speed of AI for you. From tech that seemed gimmicky at first, generative AI tools have made AI infrastructure more accessible. What seemed far-flung from mainstream society is now cheap, fast and easy to build for developers across the spectrum. Several startups have either cropped up or pivoted to building platforms anchored around these open-source and closed-source models from companies like OpenAI.

Rise in APIs
Important LLMs like OpenAI’s GPT-3 and other foundational models like Stable Diffusion have been made commercially available via API across applications. As the need for connected software increases, APIs have become ubiquitous.
APIs first came about in the early 2000s, when companies like Salesforce, Amazon and eBay developed their own APIs for developers to access. In the years since, API usage has escalated as the world became more digital. What we are witnessing now is another wave of AI applications, which will result in SaaS companies being focused around generative software, pushing the use of APIs even further.

API-related attacks
By the second half of the 2010s, MIT research fellow Marshall Van Alstyne published work around business platforms and how companies that used APIs showed 12.7% more growth in their market capitalisation within a four-year time period as compared to companies that did not adopt APIs.
But as the possibilities grew, so did the threats related to API abuse. In 2019, Gartner predicted in a report that API hacks would become the most common type of cyberattack by 2022. The prediction has unfortunately come true. Salt Security conducted a survey of 200 enterprise security officials and concluded that 91% of companies reported API-related security issues last year. The study stated that around 56% of organisations experienced between 10 and 55 attacks each month, while 22% faced between 51 and 200 API-related attacks each month.
The report, titled ‘Salt’s State of API Security Q1’, also mentioned that malicious API calls increased on a monthly per-customer basis from 2.73 million in December 2020 to 21.32 million in December 2021. API protection platform Salt has Web Application Firewalls that almost every API gateway was able to cross.

Need for API security
A more recent survey, by Radware, noted that organisations are now grappling with sustaining security across platforms. According to the survey 40% reported that more than half of their company was vulnerable to attacks through third-party APIs.
But an API is only as good as its security. The danger posed by this increasing number of attacks indicates that companies that see the value behind APIs must also see the value in adopting API management platforms. The recent history of API attacks on enterprises attests to this.
In April, the Microsoft 365 Defender Threat Intelligence Team revealed that they had discovered a ‘low volume’ of attempts to hack its cloud services via Spring4Shell, an application framework for Java.

Last year, LinkedIn suffered a data breach that exposed over 92% of user profiles, including full names, email addresses and passwords. Investigation showed that the hacker had reached LinkedIn’s database through its open, authentication-free developer API and scraped it, and the data eventually ended up for sale on the dark web. The breach raised the question of how exposed social media platforms are when the security of third-party vendors is not checked.
Mobile payment service Venmo exposed details of over 200 million subscribers via its API. The PayPal-owned payment application had made the data accessible because it offered a public API that was enabled by default. This allowed hackers to download data containing the names of senders, the transaction memos and the transaction values.
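As an added illustration, not code from the original article or from any of the companies named, the constructed example below contrasts the two weaknesses described in the LinkedIn and Venmo incidents (a developer API that checks no credential, and transaction data that is public by default) with a hardened version that requires an issued token, treats an unset visibility as private, returns only the minimal fields, and rate-limits each client to slow bulk scraping. All tokens, names and transactions are made up.

```python
from collections import defaultdict

# Constructed sample feed (not real users or transactions). Each entry carries a
# visibility setting; entry 2 models a user who never chose one.
TRANSACTIONS = [
    {"id": 1, "sender": "alice", "memo": "rent",   "amount": 850.0, "visibility": "public"},
    {"id": 2, "sender": "bob",   "memo": "dinner", "amount": 42.5,  "visibility": None},
    {"id": 3, "sender": "carol", "memo": "gift",   "amount": 20.0,  "visibility": "private"},
]
# Constructed token registry: one opaque token issued per approved developer app.
VALID_TOKENS = {"tok-demo-123": "partner-app"}
RATE_LIMIT = 2  # requests per client per window; deliberately tiny for the demo


def weak_feed(_token=None):
    """Weak design: no credential check, and an unset visibility counts as public.
    Returns (status, rows) so callers can treat it like an HTTP response."""
    rows = [t for t in TRANSACTIONS if t["visibility"] in (None, "public")]
    return 200, rows


class HardenedFeed:
    """Hardened design: token required, private by default, minimal fields, rate-limited."""

    def __init__(self):
        self.calls = defaultdict(int)  # requests seen per client in this window

    def feed(self, token):
        client = VALID_TOKENS.get(token)
        if client is None:
            return 401, []  # reject anonymous and unknown callers
        self.calls[client] += 1
        if self.calls[client] > RATE_LIMIT:
            return 429, []  # throttle bulk enumeration of the feed
        # Only transactions the sender explicitly marked public are returned, and
        # the free-text memo (the most sensitive field) is never exposed here.
        rows = [{"id": t["id"], "sender": t["sender"], "amount": t["amount"]}
                for t in TRANSACTIONS if t["visibility"] == "public"]
        return 200, rows
```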
HubSpot, another prominent CRM tool, reported a data breach in mid-March that affected more than 1.6 million users, exposing the emails and associated contact numbers of accounts on the company’s internal customer support portal. HubSpot later revealed that a portion of its internal systems had been compromised and accessed. Moreover, a few customer accounts in the cryptocurrency industry, including NYDIG, Swan, and BlockFi, were tampered with by an insider.