Why SaaS CEOs must prioritise API security to build resilience
A SaaS CEO does all the hard work of achieving product-market fit, closing a few marquee customers, building a solid tech stack, and even implementing a web application firewall to protect the applications. However, just as the CEO starts to scale, an API vulnerability is exploited and all hell breaks loose. Customer trust is compromised and years of brand-building efforts go down the drain.
The threat is real. According to Gartner, by the end of 2022, API attacks will become the most-frequent attack vector, causing data breaches for enterprise web applications.
Lack of visibility into APIs as a result of inaccurate or incomplete inventory is the biggest challenge when it comes to API security. It is estimated that nearly 30% of APIs remain unknown to the enterprise. Further, more than one-fourth of all firms using production APIs don’t have a security policy in place.
No SaaS provider is immune to API attacks. In 2021, we saw several big technology companies take a hit. A case in point is that of a credit bureau wherein there was an API that was responsible for verifying credit worthiness of individuals using basic information including their name, address, and date of birth. In a bid to create an API that was easily accessible to a large number of clients, there were some loopholes in the authentication.
If a large-scale information theft had taken place, it would have been a major privacy crisis causing a blow to the company’s reputation and a huge financial loss. Another example is that of a popular social network wherein the data of hundreds of millions of users was leaked online including their profile information and email IDs.
Such instances are highly damaging for organisations. Even if the crisis is managed and the damage is contained, the question arises—isn’t prevention better than cure?
In today’s digitally-driven business ecosystem where SaaS solutions are helping run almost every industry, building stronger API security frameworks can lead to benefits at a global scale. So, what can the CEO of a SaaS company do to counter such an imminent and prevalent threat to his/her businesses?
A three-step approach is required to prevent API exploitation in enterprises.
Identification of major API risks
Open Web Application Security Project (OWASP), a leading non-profit organisation, released a detailed report on the top 10 vulnerabilities in APIs.
To summarise, Shadow APIs, Rogue APIs, and Zombie APIs are exploited the most. Shadow APIs are non-documented third-party APIs. Rogue APIs are not authorised by the organisation and were created with the intent to cause harm. Zombie /Deprecated APIs are no longer maintained or supported by the provider.
API discoverability and protection
The foundation of strong API security can only be built once there is visibility and a listing of all APIs deployed. That is where a system that can continuously discover new APIs and add them to the inventory will help organisations in defining the “attack surface” or points that can be targeted by an attacker. This phase is called API discovery.
After this comes API Protection where a multi-layered security system identifies and protects against various threats such as DDoS and bot attacks. A key point to note is that using an API gateway for protection might not be enough. You will need a solution that lies on the edge and protects APIs from outside-in attacks.
Measuring the efficacy of API protection
It is important to answer the following question: Do your CTOs or CPOs have security-focused KPIs such as the percentage of vulnerabilities patched, #DDoS attacks blocked, and so on? After all, if you want to take a proactive stance on security, assigning such KPIs is a good idea. It is time to go beyond the standard CTO KPIs such as uptime, downtime, the number of bugs identified/fixed, and so on.
Cyber attackers are like microorganisms in the air. You cannot eliminate them all, but you can ensure that you plug all vulnerabilities and make your SaaS solutions resilient and immune to intrusions. There are proactive and preventive API security solutions available in the market that you can deploy and build the desired resilience to enjoy uninterrupted growth and business performance!
Edited by Kanishk Singh
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)