UPDATED 16:59 EDT / AUGUST 23 2022


Cequence Security finds the hidden APIs that open companies to cyberthreats and traditional crime

The use of application programming interfaces (commonly known as APIs) is surging as companies rely on customer-facing apps for sales and internal apps for operations.

The average number of APIs per customer grew 82% from July 2021 to July 2022, with overall API traffic per customer increasing 168% in the same period, according to data published by Salt Security Inc. Unsurprisingly, malicious API traffic is mirroring this trend, with criminals taking advantage of the lucrative loopholes offered by APIs.

Retail customers monitored by Cequence Security Inc. were hit with a 2,800% increase in account takeover attacks in 2021, with an average of 700,000 attacks per day by criminals scraping information in order to commit fraud, according to the company’s “API Security Threat Report.”

“APIs make the attacks easier because APIs are well documented,” said Ameya Talwalkar, founder and chief executive officer of Cequence Security. “You want your partners and programmers to use your API ecosystem, but at the same time the attackers are getting the same information and they can program against those APIs very easily.”

Talwalkar spoke with theCUBE industry analyst John Furrier, in advance of the “Cybersecurity — Detect and Protect Against Threats” event, an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio, airing on Sept. 7. They discussed the importance of inventorying and protecting a company’s API assets. (* Disclosure below.)

Ulta Beauty incident shows how online attacks lead to physical crime

Cequence got its start helping early FinTech companies protect their APIs, which often linked to sensitive financial services applications. The problem has evolved exponentially in terms of volume, size, pain and ultimate financial losses, according to Talwalkar. Today, Cequence protects close to 6 million API transactions each day, covering more than $2 trillion in customer assets across 2 billion accounts, and the company has seen a 410% increase in users over the past year.

Bot and automated attacks constitute the majority of the attacks seen by Cequence. This tendency is partially driven by the availability of bots-as-a-service, which attackers can use for malicious ends. The company has also identified another interesting trend in the blurring of the line between cyber and traditional crime.

One example that demonstrates how cybercrime can have a very physical payoff comes from Cequence customer Ulta Beauty Inc. The company was selling a line of high-end, very expensive curling irons that were in high demand and low supply. Using a bot, malicious actors scraped a third-party service that was providing local inventory information for the curling irons. Then the criminals physically broke into these locations and stole the inventory, which they were then able to sell.

“That’s the kind of abuse that can go on with APIs even when the APIs are perfectly secure [and] they’re using appropriate security controls,” Talwalkar stated.

After identifying the attack through a 700x spike over normal volume, Cequence and the Ulta Beauty team put policies in place to block the malicious requests. The incident shows the importance of implementing zero-trust policies.

“They had trusted this third party to be absolutely safe and secure — no controls necessary to sort of monitor their traffic,” Talwalkar pointed out.

The API protection life cycle

Protecting APIs means securing the entire life cycle, according to Talwalkar. And Cequence has established a six-step process to ensure this happens.

“The first half of this life cycle is really making sure your APIs are secure, they’re using proper hygiene. The second half is about attack detection and prevention,” Talwalkar said.

Rather than proactively securing their API life cycle, companies approach Cequence for help when they have an acute pain point that needs solving.

“They say, ‘Our hair is on fire, our hair on fire! Solve this problem for us,’” Talwalkar said.

Most of the time when Cequence starts to solve an urgent problem, it discovers hidden API insecurities that the company didn’t know existed, and routine assessments also reveal larger issues. One large U.S. telco provides an example. The company requested a simple inventory and risk assessment of all its APIs. However, once Cequence started creating an inventory and looking at the risk profile, “we also observed that these same APIs were targeted by bots and fraudsters doing all kinds of bad things,” Talwalkar stated.

This “outside looking in view” is unique to Cequence, according to Talwalkar. The company also differentiates itself through its focus on life cycle protection; the depth of its detection, which encompasses fraud, business logic abuse, and bot attacks; and the scale of APIs it can protect.

“We can prevent the attacks that we detect in the same platform without reliance on any other third-party solution,” Talwalkar explained.

First find the hidden APIs, then start the security journey

Inviting Cequence to make that external assessment and map a company’s APIs leads to an “aha moment” 90% of the time, according to Talwalkar. Issues that commonly show up include public-facing APIs that were not supposed to be public, unknown hosting environments, and API gateways that were not commissioned but are being used.

Another finding that surprises companies is that it’s not poorly secured APIs that get attacked. Instead, criminals go for the lowest-hanging fruit: the proliferation of completely unsecured APIs that, according to Talwalkar, most security teams don’t even know are hidden within their environments.

“How do you protect something that you don’t know even exists?” he asked. “Start with the assessment, figure out the APIs that are out there, and then start your journey.”


(* Disclosure: Cequence Security Inc. sponsored this segment of theCUBE. Neither Cequence nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
