APIs and their Security Risks in an Enterprise
Name
Institutional Affiliation
Executive Summary
With the proliferation of API systems, many enterprises have built their businesses to depend heavily on the technology. Nonetheless, API security has become one of the main issues that these companies have to deal with constantly. Since the technology is beneficial, companies such as Google and Alibaba have implemented distinct security measures to ensure that APIs are used adequately without putting the information within their systems at risk. Furthermore, three top companies, Data Theorem, Salt Security and NoName Security, have developed distinct API security platforms that other enterprises can adopt to improve the security of their API spaces. This research is a discussion of the security risks affiliated with APIs and of what the different companies have developed to handle the matter.

Introduction
There has been explosive growth in the use of Application Programming Interfaces (APIs) in enterprises as many of them embark on digital transformation. Nonetheless, the downside of these APIs is that they pose serious IT security risks, because they expose many avenues that malicious attackers can use to attempt to access the enterprise's information. Therefore, to close the gap on security risks and protect their information, enterprises are required to treat APIs with the same protection levels awarded to other web applications critical to the business.
Risks Affiliated with Unmanaged and Unknown APIs
Security risks affiliated with APIs exist because they expose the underlying implementation of a mobile application, and a client application is required to maintain and monitor the user's state among other parameters sent with every HTTP request (Yalon, 2020). There are both unique and general security issues surrounding APIs. Nonetheless, for the most part, these issues bring up vulnerabilities whose concerns can be grouped into three categories: exposure of sensitive information, interception of communications and the launch of Denial of Service (DoS) attacks against the back-end servers (Yalon, 2020).
One of the risks is broken object level authorization, whereby APIs tend to expose endpoints that handle object identifiers. This creates a broad attack surface that compromises access control mechanisms. Another risk is broken user authentication, where authentication mechanisms are implemented wrongly. This allows hackers to compromise authentication tokens or take advantage of implementation flaws, which could allow them to assume the identities of users, whether temporarily or permanently. The API's security is compromised in its entirety when the system's ability to identify the client or user is lost.
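The two risks above, broken object level authorization and broken user authentication, are easiest to see side by side in code. The following is an added illustration written for this essay, not code from any of the companies discussed; the in-memory ORDERS and SESSIONS stores, the token values and the handler names are all constructed for the example.

```python
"""Added example (not from the original essay): a minimal in-memory API
that contrasts a broken object level authorization (BOLA) handler with a
hardened one. ORDERS, SESSIONS, the tokens and function names are
constructed for illustration only."""

# Constructed sample data: two users, each owning one order.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 99.50},
}
# Constructed session store: opaque bearer token -> authenticated user.
SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c0": "bob"}


def authenticate(headers):
    """Resolve the Authorization header to a user.

    Returns None when the header is missing, uses a scheme other than
    Bearer, or carries a token that is not in the session store. A handler
    that skips or weakens this step is the 'broken user authentication'
    risk: the system can no longer identify the client or user."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


def get_order_vulnerable(headers, order_id):
    """Vulnerable: the caller is authenticated, but the object id supplied by
    the client is trusted and ownership is never checked (BOLA). Any valid
    session can read any order simply by changing the id."""
    if authenticate(headers) is None:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def get_order_hardened(headers, order_id):
    """Hardened: the object's owner is compared with the authenticated user.
    A foreign object is reported exactly like a missing one (404), so the
    endpoint does not confirm which ids exist."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order
```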
Other security risks arise from security misconfiguration, which commonly results from insecure default configurations or from configurations that are incomplete or ad hoc. Misconfigurations can also be the result of open cloud storage, misconfigured HTTP headers or permissive cross-origin resource sharing (CORS). These mishaps could expose sensitive information to hackers. Improper asset management is a further risk, since APIs tend to expose more endpoints than conventional web applications. To this effect, proper and up-to-date documentation is extremely necessary, together with having the right hosts and ensuring that the inventory of deployed API versions is correct. This mitigates the security risks that could arise from a deprecated API version or from exposed debug endpoints.
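Permissive cross-origin resource sharing is one of the misconfigurations named above, and it can be shown concretely. The block below is an added example written for this essay, not a configuration from any company discussed here; the ALLOWED_ORIGINS set, the constructed origins and the function names are assumptions for illustration. It places the weak setting (reflecting any Origin while allowing credentials) beside an allowlist that only echoes an exact origin match.

```python
"""Added example (not from the original essay): CORS response-header logic
in its permissive form beside an allowlisted form. ALLOWED_ORIGINS, the
sample origins and the function names are constructed for illustration."""

from urllib.parse import urlsplit

# Constructed allowlist of first-party web origins (scheme + host only).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_permissive(request_headers):
    """Misconfigured: reflects whatever Origin the browser sends and also
    allows credentials, so any third-party page can make credentialed
    cross-origin reads of the API on a logged-in user's behalf."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_allowlisted(request_headers):
    """Corrected: only an exact, normalised origin in the allowlist is echoed.
    Suffix or substring look-alikes (app.example.com.other.test), plain
    http, the literal 'null' origin and anything with a path are rejected.
    Vary: Origin is always set so a shared cache never serves one origin's
    answer to another."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return {"Vary": "Origin"}
    normalised = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalised not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```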
Measures taken by Forbes Big Companies In relation to API Security
Alibaba is one of the Forbes-listed companies using API systems. The security measures it has implemented include multiple data encryption methods to achieve end-to-end data security. Data encryption is one of the common data security methods and can be applied at the source, at an intermediate device or on the transmission channel. For instance, Alibaba Cloud Object Storage Service (OSS) provides a write-once-read-many (WORM) feature that allows users to prevent information from being tampered with or deleted while on the cloud (APIS, n.d.). The data encryption feature supports both client-side and server-side encryption; OSS can use hosted key management services as well as user-defined keys for encryption, hence improving data security and compliance.
Google API services are a set of tools through which third-party applications access Google services and information. The company focuses on having users use the APIs to incorporate Google's information into their own services. To ensure that processes and operations happening within are done securely, some of the measures Google incorporates include constant monitoring of the systems for protection from malware (Google.com, 2021). The applications are regularly monitored, and patches are deployed via automated network analysis and proprietary technology. Active scanning is done to find any vulnerabilities through a combination of commercially available and in-house tools built specifically for that purpose. Intensive manual and automated penetration testing, quality assurance processes and external audits also aid in identifying vulnerabilities (Google.com, 2021). Google has indicated that its security and privacy engineers design its systems and review its code, and that its other products are designed with security in mind, hence they have strong security protections.
Data Theorem, Salt Security and NoName Security Company Capabilities in API Discovery
Data Theorem has been using a DevOps approach to handle its API security matters, having originally focused on API security for mobile applications. However, the company has recently built capabilities for securing serverless APIs (Hall, 2020). The company focuses on preventing data breaches at the application level, so that systems have the protection and guard rails that allow faster building. Security automation has been added without burdening the systems or slowing down their progress. Through its proprietary analyzer engine, Data Theorem has a seamless SaaS offering with various services such as App Secure, App Search, API Inspect, API Discover and Brand Protect. App Secure ensures continuous scanning and monitoring for vulnerabilities and any data privacy issues within iOS and Android applications. API Discover is the automated continuous discovery service that seeks out new APIs, any changes to known APIs and the cloud services related to the public cloud surroundings (Hall, 2020). The company has also unveiled an automated discovery and continuous dynamic vulnerability inspection tool for web single-page applications (SPAs). The tool supports GraphQL and REST API services as a component of API Discover and API Inspect.
Salt Security developed the Salt Security API Protection Platform, which empowers enterprises to detect and stop hackers at the reconnaissance phase, that is, before they escalate to successful attacks against critical business applications and data (Salt Security, 2019). The platform is the only one that provides the industry with real-time protection against logic-based attacks. It uses artificial intelligence and granular knowledge of each distinct API to establish typical behavior as it seeks out malicious behaviors. Companies are hence empowered to identify attacks before they advance. Conventional security solutions failed to detect the latest attacks, but with the application of artificial intelligence and big data technology, attacks are promptly identified and responded to. The platform works in three stages: discovery, prevention and remediation (Salt Security, 2019). The discovery phase automatically discovers all APIs and their distinct functionality across environments through automated, continuous monitoring, ensuring that security teams know when sensitive information is exposed. Behavioral monitoring and present vulnerability insights assist the platform in preventing attacks on APIs in real time. In the remediation stage, the platform provides prioritized and actionable insights that help stop attacks immediately and close the vulnerabilities at their source in the APIs for better security.
NoName Security is another company that has focused on API security, through an agentless security platform that gives enterprises an entire view of the activities and threats happening in their environment (Palo Alto, 2020). It adds no friction on deployment and integrates with the present IT infrastructure to provide business visibility, security and control for any API, regardless of whether the corporate API gateways are on or off. Enterprises are thus able to get the productivity benefits of using APIs without compromising security (Palo Alto, 2020). The platform provides insights that are extensive enough in breadth and depth for security purposes.
Recommendation for Improving Security Posture within the API Space
An improvement to security within the API space is best achieved by combining documented best practices with technology for monitoring and enforcing policies (Keil, 2020). Consequently, API security becomes part of the compliance controls implemented within systems, ensuring that sensitive and confidential information is protected. The infrastructure in use needs to be compliant with the predetermined regulations, hence having the right security controls that keep confidential information secure while it is being transported, processed or stored. An extensively secured network will have competent antivirus management, vulnerability scanning, a secure audit trail and tracking of available resources.

References
APIS. (n.d.). Everything you need to know about Alibaba’s APIs. BBVA API_Market. https://www.bbvaapimarket.com/en/api-world/everything-you-need-know-about-alibabas-apis/
Google. (2021). Data security | How Google protects your business’ data. Google Safety Center – Stay Safer Online. https://privacy.google.com/businesses/security/#!?modal_active=defense-in-depth-overlay&article_id=processes-for-secure-operations
Hall, S. (2020, February 27). Data theorem: API security from mobile to Serverless. The New Stack. https://thenewstack.io/data-theorem-api-security-from-mobile-to-serverless/
Keil, M. (2020, September 2). Aite group research validates API security gaps. Cequence. https://www.cequence.ai/blog/aite-group-research-validates-api-security-gaps/
Palo Alto. (2020). Noname launches from stealth to eliminate API security chaos for enterprises. AFP.com. https://www.afp.com/ar/news/1313/noname-launches-stealth-eliminate-api-security-chaos-enterprises-202012150054101
Salt Security. (2019, January 29). Salt security unveils industry’s first solution to identify and prevent API attacks. GlobeNewswire News Room. https://www.globenewswire.com/news-release/2019/01/29/1706913/0/en/Salt-Security-Unveils-Industry-s-First-Solution-to-Identify-and-Prevent-API-Attacks.html
Yalon, E. (2020, July 27). Why you need to think about API security. Dark Reading. https://www.darkreading.com/application-security/why-you-need-to-think-about-api-security/a/d-id/1335861