Application programming interfaces (APIs) are increasingly central to modern enterprise computing. They are key concepts in software development, from simple programs to the most advanced design and architectural considerations, and have become the connective tissue of the digital world.

An API provides an interface that allows software developers to programmatically interact with software components or resources outside of their own code, applicable everywhere from command-line tools to microservices and cloud-native architectures.

However, the growing use of APIs gives attackers more ways to break authentication controls, exfiltrate data, or perform disruptive acts. By nature, APIs expose application logic and sensitive data such as personally identifiable information (PII). Meanwhile, existing security tools often struggle to detect and mitigate API-specific threats, leaving organizations vulnerable to compromise, abuse, and fraud.

A recent report from Traceable AI revealed that 60% of organizations have faced an API-related breach in the last two years, with 74% of these enduring three or more incidents. Only 38% of businesses can discern intricate context between API activity, user behaviors, and data flow, with 57% stating that traditional security solutions are unable to effectively distinguish genuine from fraudulent API activity.

Most tellingly, 61% of surveyed organizations anticipate rising API-related risks in the next two years as they deal with an average of 127 third-party API connections, with just 33% confident in managing external API threats.

API security is becoming increasingly important

API security is rising up the agenda for many organizations and within the cybersecurity community. “API security is now a hugely important consideration, with unsecured or misconfigured APIs representing a great opportunity for threat actors to gain access to a targeted network,” Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, tells CSO.

In 2023 and beyond, API security will become increasingly imperative as organizations continue their trend toward cloud services, enabling the digitization of large data sets, services, and products. “With this move, the attack surface of susceptible APIs increases, so the requirement to harden API services — and protect business operations, customers, and data — will be more important than ever,” Morgan says.

Jeremy Snyder, CEO and co-founder of security company FireTail, tells CSO that at the recent Black Hat USA conference he spoke with several people in the travel industry who said that the points.com API security issues are causing many in the sector to start taking API threats seriously. “Similarly, the automotive industry is now viewing connected cars and autonomous vehicles as smart devices with large volumes of telemetry data. Security disclosures and API-based proof of concept exploits have given this industry reason to examine API security more closely as well,” he says.

Here are six notable initiatives, programs, and resources launched this year to help improve and develop API security.

GSMA launches open network API initiative

In February, the global mobile trade association GSMA unveiled the GSMA Open Gateway — a framework designed to change the way the telecoms industry designs and delivers services in an API economy world, including cybersecurity.

“By applying the concept of interconnection for operators to the API economy, developers can utilize technology once, for services such as identity, cybersecurity or billing, but with the potential to be integrated with every operator worldwide,” says Mats Granryd, director general of the GSMA.

The GSMA Open Gateway Memorandum of Understanding (MoU) is supported by some of the world’s largest and most innovative mobile network operators, including BT Group, Vodafone, AT&T, Verizon, and Orange.

Traceable AI releases API security reference architecture for zero trust

In June, security startup Traceable AI released API Security Reference Architecture for Zero Trust, a guide for integrating API security into zero trust security initiatives, which have traditionally focused on network-level controls and identity and access management. The architecture is aligned with the NIST Zero Trust Architecture, a publicly available, vendor-neutral framework widely adopted by government entities as well as by many leading cybersecurity vendors.

By leveraging the NIST framework, the architecture ensures compatibility, interoperability, and adherence to industry standards, making it a reliable and trusted resource for organizations implementing zero trust for their APIs, Traceable AI said.
The guidance outlines:

F5 publishes free API security best practices eBook

In June, F5 published API Security Best Practices: Key Considerations for API Protection, a free eBook outlining the various API security challenges and risks organizations face, along with strategies for security and risk teams to strengthen API security in their companies.

“APIs facilitate a decentralized and distributed architecture with endless opportunities for third-party integration that fundamentally changes the calculus for security and risk teams,” the eBook read. F5’s security guidance includes continuously monitoring and protecting API endpoints as well as reacting to a changing application lifecycle.

CISA, partners issue cybersecurity guidance on web application access control abuse

In July, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US National Security Agency (NSA) issued a joint cybersecurity advisory to warn vendors, designers, and developers of web applications, and organizations using web applications, about insecure direct object reference (IDOR) vulnerabilities.

IDOR vulnerabilities are access control vulnerabilities that enable malicious actors to modify or delete data, or to access sensitive data, by issuing requests to a website or web API that specify the user identifier of other, valid users. IDOR attacks are one of the most common and costly forms of API breaches; such requests succeed wherever the application fails to perform adequate authentication and authorization checks.

OWASP updates top 10 API security risks list

In July, the Open Worldwide Application Security Project (OWASP) published the API Security Top 10 2023 list, detailing the 10 biggest API security risks posed to organizations. It was the first time the API-specific risk guidance had been updated since its launch in 2019 as part of OWASP’s API Security Project.
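
The IDOR class described in the joint advisory above comes down to a handler that trusts the object identifier in the request instead of the authenticated identity. The following example was written for this article to illustrate that point and is not code from the advisory, from CISA, or from any vendor named here. It shows a minimal profile-lookup handler in its IDOR-prone form beside a version that performs the object-level authorization check, plus a small defender-side scan over access-log lines for the pattern such a weakness leaves behind. The user table, the `Request` shape, the `/api/users/<id>` path and the log format are all constructed for the example.

```python
"""IDOR illustration (added example, not from the advisory or the article):
a handler that looks up a user profile by the id in the request, first
without and then with an object-level authorization check, and a log scan
that flags one caller successfully reading many profiles not its own."""
from dataclasses import dataclass
import re

# Constructed sample data store: user id -> profile record (not real data).
USERS = {
    101: {"name": "alice", "email": "alice@example.com", "role": "user"},
    102: {"name": "bob", "email": "bob@example.com", "role": "user"},
    999: {"name": "ops", "email": "ops@example.com", "role": "admin"},
}


@dataclass(frozen=True)
class Request:
    """What a handler sees after authentication: who the caller is (taken
    from the session or token) and which object id the untrusted URL named."""
    caller_id: int
    target_user_id: int


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_profile_vulnerable(req: Request) -> dict:
    """IDOR: the caller is authenticated, but nothing checks whether that
    caller may read the object named in the request, so any valid user can
    read any other user's profile just by changing the id in the URL."""
    record = USERS.get(req.target_user_id)
    if record is None:
        raise NotFound(req.target_user_id)
    return record


def get_profile_secure(req: Request) -> dict:
    """Object-level authorization: the authenticated identity, not the
    request, decides which records are reachable. The check runs before the
    lookup, so an unauthorized caller gets the same answer whether or not
    the requested id exists (no 403-versus-404 oracle on valid ids)."""
    caller = USERS.get(req.caller_id)
    if caller is None:
        raise Forbidden("unauthenticated caller")
    owner_or_admin = req.target_user_id == req.caller_id or caller["role"] == "admin"
    if not owner_or_admin:
        raise Forbidden("caller may not access this object")
    record = USERS.get(req.target_user_id)
    if record is None:
        raise NotFound(req.target_user_id)
    return record


# Detection side: one caller successfully reading many profiles that are
# not its own is the access pattern an IDOR weakness leaves in the API log.
# The log line format below is constructed for this example.
LOG_LINE = re.compile(r"caller=(\d+) path=/api/users/(\d+) status=(\d+)")


def flag_enumeration(log_lines, threshold=3):
    """Return the caller ids that received HTTP 200 for at least `threshold`
    distinct user ids other than their own."""
    foreign_ok = {}
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        caller, target, status = (int(x) for x in m.groups())
        if status == 200 and target != caller:
            foreign_ok.setdefault(caller, set()).add(target)
    return {c for c, targets in foreign_ok.items() if len(targets) >= threshold}


# Constructed log lines, independent of the USERS table above: caller 101
# reads several other users' profiles; caller 102 reads only its own.
SAMPLE_LOG = [
    "caller=101 path=/api/users/102 status=200",
    "caller=101 path=/api/users/103 status=200",
    "caller=101 path=/api/users/104 status=200",
    "caller=101 path=/api/users/105 status=404",
    "caller=102 path=/api/users/102 status=200",
]

if __name__ == "__main__":
    # Vulnerable handler hands alice (101) bob's record.
    print(get_profile_vulnerable(Request(caller_id=101, target_user_id=102)))
    try:
        get_profile_secure(Request(caller_id=101, target_user_id=102))
    except Forbidden as exc:
        print("secure handler refused:", exc)
    print("callers enumerating foreign ids:", flag_enumeration(SAMPLE_LOG))  # {101}
```

The hardened handler makes the authorization decision from the caller's identity and role before touching the data store; the `threshold` in `flag_enumeration` is a tuning knob for the log scan, and in a real deployment the comparison would use whatever ownership relation the application actually has (account, tenant, team) rather than a single id equality.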
“Since then, the API security industry has flourished and become more mature,” OWASP wrote.

The primary goal of the OWASP API Security Top 10 is to educate those involved in API development and maintenance, for example developers, designers, architects, managers, or organizations. The latest API security list is:

Salt Security launches STEP program to strengthen API security ecosystem

In August, Salt Security launched the Salt Technical Ecosystem Partner (STEP) program, an initiative aimed at integrating solutions across the API ecosystem and enabling organizations to strengthen their API security postures. The program is designed to move businesses to a risk-based approach for API testing, help focus scanning efforts on priority APIs, and reduce friction for DevOps and DevSecOps teams.

Partners include dynamic application security testing (DAST) firms Bright Security, Invicti Security, and StackHawk, and interactive application security testing (IAST) company Contrast Security.

“To deliver a strong AppSec program, developers need access to best-of-breed technologies that simplify finding and fixing vulnerabilities before deploying code to production,” said Joni Klippert, CEO of StackHawk. Given the explosive growth of API development, she added, teams need to prioritize and automate security testing for their APIs and do so in a way that seamlessly integrates with developer workflows.