
Hidden APIs: Are Blind Spots Exposing Public Sector Agencies to Attack?

Bill Church
Published April 07, 2025

The digital landscape is constantly evolving, and with it the threats to public sector organizations and national critical infrastructure. Recent and well-documented incidents, such as the U.S. Treasury Department breach late last year and the T-Mobile breach disclosed in 2023, are stark reminders of how exposed these systems remain.

And increasingly, those exposures are found in application programming interfaces, or APIs. Gartner has predicted that APIs are becoming the leading attack vector for web applications, and my experience confirms the trend.

At this week’s AppWorld Public Sector Symposium, which starts tomorrow in Tysons Corner, Virginia, we’ll be discussing API protection—along with other emerging trends in application delivery and security. This event is a crucial opportunity to examine these challenges and explore effective solutions.

Revealing the shadow API threat

One of the biggest challenges I see, time and again, is a lack of visibility into the API estate itself. Many organizations simply don't know how many APIs they have in use. We've conducted API discovery exercises for clients who thought they had around 100 APIs, only to uncover closer to 30,000. This isn't unusual, and it poses a significant security risk.

APIs operate in complex ecosystems, hidden amongst a patchwork of architectures, components, types, and protocols. On average, organizations use over 20,000 APIs, and by 2030 the total number of APIs in use across the public and private sectors is expected to exceed 2 billion. The most common obstacles to managing and securing them are missing documentation and the difficulty of discovering them in the first place.

This “shadow IT” phenomenon applied to APIs, where unknown or unmanaged endpoints proliferate, creates a breeding ground for vulnerabilities. Because nobody owns them, these APIs often lack the basic controls (authentication, rate limiting, input validation) that the documented ones get, making them easy targets for malicious actors. Think of it like leaving unlocked doors and windows in your house: an open invitation for anyone wanting to intrude.
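The discovery exercise described above comes down to one comparison: what the gateway actually serves versus what the specs say exists. The script below is an added example, not F5's tooling or anything from the original post; it reconciles a constructed sample of gateway access log lines against a constructed inventory of documented routes (the log format, the `DOCUMENTED` set and all paths are assumptions for illustration). Path parameters are collapsed so that `/users/1042` and `/users/1043` count as one route, which is what lets a handful of log lines reveal an undocumented `/internal/debug/config` or a `/api/v2/...` endpoint nobody wrote down.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

Route = Tuple[str, str]  # (HTTP method, path template)

# Constructed sample of API gateway access log lines for this example (not real traffic).
# Format: client_ip method path status
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/users/1042 200
10.0.0.5 GET /api/v1/users/1043?verbose=1 200
10.0.0.9 POST /api/v1/users 201
10.0.0.9 GET /api/v2/users/7b8f3c2e-1d4a-4c3b-9f1e-2a6d5b4c3e21/export 200
172.16.4.2 GET /internal/debug/config 200
172.16.4.2 GET /internal/debug/config 200
10.0.0.5 DELETE /api/v1/users/1042 403
10.0.0.7 GET /api/v1/health 200
10.0.0.7 GET /api/v1/users/1042/sessions 200
"""

# Documented inventory, as it might be extracted from the organization's OpenAPI
# specs (constructed for this example). Path parameters are written as {id}.
DOCUMENTED: Set[Route] = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/users"),
    ("DELETE", "/api/v1/users/{id}"),
    ("GET", "/api/v1/health"),
    ("GET", "/api/v1/users/{id}/audit"),  # documented but never called in the sample
}

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric and UUID path segments to {id},
    so /users/1042 and /users/1043 map to the same route template."""
    path = path.split("?", 1)[0]
    return "/".join(
        "{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
        for seg in path.split("/")
    )


def observed_routes(lines: Iterable[str]) -> Counter:
    """Count requests per (method, route template) seen in the access log."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole sweep
        counts[(m["method"], normalize_path(m["path"]))] += 1
    return counts


def find_shadow_apis(lines: Iterable[str], documented: Set[Route]) -> Dict[Route, int]:
    """Routes that receive traffic but appear in no spec: the shadow APIs."""
    return {r: n for r, n in observed_routes(lines).items() if r not in documented}


def find_unused_documented(lines: Iterable[str], documented: Set[Route]) -> Set[Route]:
    """Documented routes with no traffic at all: candidates for retirement."""
    return documented - set(observed_routes(lines))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (method, route), n in sorted(find_shadow_apis(lines, DOCUMENTED).items()):
        print(f"UNDOCUMENTED {method:6} {route}  ({n} requests)")
    for method, route in sorted(find_unused_documented(lines, DOCUMENTED)):
        print(f"NO TRAFFIC   {method:6} {route}")
```

On real logs the same approach works with whatever fields the gateway emits; the normalization step is the part to tune, since an inventory that keys on raw paths will report every customer ID as a separate "API" and bury the genuinely unknown endpoints. The second report, documented routes with no traffic, is worth keeping: a spec that describes an endpoint nobody calls is a sign the inventory is stale in the other direction too.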

Understanding API exploitation and attack vectors

APIs are increasingly targeted by both nation-state actors and cybercriminal groups. Government and defense-related APIs are just as vulnerable as commercial public-facing ones, and arguably more attractive as targets because of the sensitive data they handle.

APIs can serve as entry points for deeper attacks into networks. A compromised API can open a path to internal systems, databases, and other critical resources, like a secret passage into the heart of the organization. In the case of T-Mobile, the U.S.-based network operator, the attacker abused an API to pull customer data without authorization; the company reported that the personal information of about 37 million current customer accounts was taken, data that has a ready market on the dark web.

To make things more complicated still, an organization may not fully control every API that touches its systems.

The U.S. Treasury Department attackers gained access through a compromised third-party remote support product, ironically software that formed part of the department's own cyber defenses. Supply chain attacks of this kind can impact organizations of any size and status; the SolarWinds compromise is the best-known example, and state-sponsored groups such as Volt Typhoon keep critical infrastructure in the headlines.

Robust API security requires leaving no stone unturned. Our 2024 State of Application Strategy Report: API Security reveals which APIs face the most risk, which are most commonly left out of protection, and how API security models and responsibilities may need to adapt to keep APIs safe in the AI era. Spoiler alert: zero trust security has a blind spot too, unless it also covers APIs.

Can AI be your API security ally? Leveraging AI-powered defense

AI both exacerbates and assists with API security. Gartner estimates that AI adoption will drive more than 30% of the increased demand for APIs by 2026, because large language models collect and exchange data through APIs. Every one of those APIs needs documentation and security controls, and each one that lacks them is an opportunity for an attacker.

Fortunately, organizations aren't defenseless, and AI is emerging as a powerful defensive tool. AI and machine learning can analyze API traffic in real time, detecting anomalies and suspicious behavior that humans could not realistically spot by manual review.

AI can classify APIs, learn their normal behavior patterns, and flag potential misuse or security vulnerabilities. It can also generate security policies dynamically, adapting to evolving threats so that your APIs are consistently protected. It's like having a tireless, intelligent security guard constantly monitoring your API traffic.

Achieving consistent protection across environments

Today's public sector organizations rely on hybrid and multicloud environments (AWS, Azure, Google Cloud, and others) for scalability and resilience, but this also adds to the API security headache. Each cloud provider brings its own security tools and configurations, and the differences between them produce a fragmented security posture. Relying solely on native cloud security leaves gaps that attackers eagerly exploit. It's like trying to defend a castle with several armies that don't coordinate.

The complexity of managing APIs across multiple clouds can easily overwhelm security teams that cannot get a comprehensive view of all their APIs and the security status of each. Addressing this challenge calls for a unified approach, starting with a single, consistent set of security policies applied across all clouds, covering authentication, authorization, and more. Standardized security controls are equally vital, guaranteeing a baseline level of protection everywhere.

Automated security testing integrated into the API development lifecycle identifies vulnerabilities early. Real-time monitoring and threat detection provide visibility and enable rapid response to incidents, a robust identity and access management (IAM) system controls who and what may call each API, and clear API governance policies keep security practices consistent.
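One concrete way to make "a single, consistent set of policies across all clouds" and "automated testing in the development lifecycle" the same thing is to lint every API specification, whichever gateway exported it, against one baseline before it can be deployed. The check below is an added example written for this post, not F5 tooling or anything from the original text. It audits two constructed OpenAPI 3 fragments (the `SPEC_AWS` and `SPEC_AZURE` contents, the baseline rules and the paths are all assumptions for illustration) and reports every operation that allows anonymous calls, references a security scheme that was never defined, or relies on a scheme outside the agreed baseline, such as an API key passed in the query string.

```python
import sys
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str, str]  # (source, METHOD, path, problem)
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Organization-wide baseline (constructed for this example): every operation must
# require a token-based scheme. API keys, especially in query strings, end up in
# proxy logs and browser history, so the apiKey type is deliberately excluded.
BASELINE = {"allowed_scheme_types": {"oauth2", "openIdConnect", "http"}}

# Constructed OpenAPI 3 fragments standing in for specs exported from two gateways.
SPEC_AWS: Dict[str, Any] = {
    "security": [{"oauth": ["read"]}],  # global requirement, inherited by operations
    "components": {"securitySchemes": {
        "oauth": {"type": "oauth2", "flows": {}},
        "legacyKey": {"type": "apiKey", "in": "query", "name": "key"},
    }},
    "paths": {
        "/citizens/{id}": {"get": {}},                       # inherits the global oauth requirement
        "/health": {"get": {"security": []}},                # operation-level override: anonymous
        "/reports": {"post": {"security": [{"legacyKey": []}]}},
    },
}
SPEC_AZURE: Dict[str, Any] = {
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/citizens/{id}": {"get": {}},                       # no global and no local requirement
        "/citizens": {"post": {"security": [{"bearer": []}]}},
        "/export": {"get": {"security": [{"ghost": []}]}},   # scheme never defined
    },
}


def effective_security(spec: Dict[str, Any], op: Dict[str, Any]) -> List[Dict[str, Any]]:
    """OpenAPI semantics: an operation-level 'security' list replaces the global one."""
    return op["security"] if "security" in op else spec.get("security", [])


def audit_spec(source: str, spec: Dict[str, Any], baseline: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', vendor extensions
            reqs = effective_security(spec, op)
            # An empty list, or a {} alternative inside the list, permits anonymous calls.
            if not reqs or any(r == {} for r in reqs):
                findings.append((source, method.upper(), path, "unauthenticated access allowed"))
                continue
            for req in reqs:
                for name in req:
                    scheme = schemes.get(name)
                    if scheme is None:
                        findings.append((source, method.upper(), path, f"undefined scheme {name!r}"))
                    elif scheme["type"] not in baseline["allowed_scheme_types"]:
                        findings.append((source, method.upper(), path,
                                         f"scheme {name!r} has type {scheme['type']}, not in baseline"))
                    elif scheme["type"] == "http" and scheme.get("scheme") != "bearer":
                        findings.append((source, method.upper(), path,
                                         f"scheme {name!r} is http {scheme.get('scheme')}"))
    return findings


def audit_all(specs: Dict[str, Dict[str, Any]], baseline: Dict[str, Any] = BASELINE) -> List[Finding]:
    """Run the same baseline over every spec regardless of which cloud it came from."""
    return [f for source, spec in specs.items() for f in audit_spec(source, spec, baseline)]


if __name__ == "__main__":
    results = audit_all({"aws-gateway": SPEC_AWS, "azure-apim": SPEC_AZURE})
    for source, method, path, problem in results:
        print(f"{source:12} {method:6} {path:16} {problem}")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit blocks a deployment whose spec drifts from the baseline, which is the "standardized controls everywhere" property enforced by code rather than by review. The rules here are intentionally narrow; a real baseline would add checks on scopes, per-operation rate limits, and whether the scheme's token issuer is one the IAM team actually operates.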

Securing APIs in a multicloud world demands a proactive, centralized, and standardized approach. By implementing these principles, modern public sector and critical infrastructure organizations can mitigate risk and keep their APIs secure over time. Ultimately, it's about building a strong, adaptable defense against evolving threats.

Want to learn more? Listen to the recent Federal Tech Podcast featuring my conversation with John Gilroy. Also, visit the F5 Public Sector Solutions webpage.