Application Programming Interfaces (APIs) are the connective tissue between applications, devices, and services.
But by their very nature, they expose functionality to the outside world — creating an attack surface that malicious actors are eager to exploit.
Cloudflare has reported that API abuse attempts have skyrocketed by 177% in the past year, with credential stuffing attacks – where stolen login details are used to gain unauthorized access – being the most common tactic. Bot attacks are also targeting APIs, designed to overwhelm systems and steal sensitive data.
Against this backdrop, we sit down with Rupesh Chokshi, Senior Vice President and General Manager, Application Security at Akamai, to discuss the current state of API security, how artificial intelligence has impacted API security, and the strategies organizations can adopt to strengthen their API.
About Rupesh Chokshi
Rupesh Chokshi is Senior Vice President and General Manager of Akamai’s Application Security Portfolio, a growth pillar of Akamai’s Security Technology Group.
In this role, he leads product management, engineering, threat research, data science, operations, and go-to-market strategy across application security for industry-leading cybersecurity solutions: App & API Protector, API Security, Bot Manager, Account Protector, Brand Protector, and Client-Side Protection & Compliance.
- Show Full Guide
Major Threats to API Security
Q: What are the biggest threats companies face today in API security?
A: We live in an increasingly connected digital world where businesses and companies communicate heavily through APIs with partners, suppliers, and customers. This creates an expansive digital ecosystem and supply chain that relies on APIs.
However, many companies lack full visibility and inventory of how many APIs they have exposed to the internet or other applications.
Attackers are actively exploiting this API threat landscape. We’ve seen numerous public data breaches associated with compromised APIs where hackers penetrate the APIs to extract sensitive data.
API abuse is also common, with attackers constantly bombarding APIs to break in, steal data, manipulate loyalty program points, make fraudulent purchases, and more.
Some major API security threats include vulnerability exploits like broken object-level authentication that enables account takeovers and fraud. A recent example is Dell Technologies reportedly losing about 49 million customer records due to an API abuse incident.
Uncovering and Securing Shadow APIs: A Critical First Step
Q: A recent API report found that about 30% of APIs are shadow APIs, meaning they may not be inventoried or secured. What approach can organizations take to unravel this?
A: The first crucial step is establishing API discovery and visibility to catalog all the different APIs, understand normal versus abnormal traffic patterns, and gain a baseline of your API exposure. API security tools can scan and discover shadow, unmanaged APIs that developers may have left behind.
Without knowing your full API inventory and surface area, you can’t properly protect your attack surface. Visibility is key, then you can analyze those discovered APIs for vulnerabilities and exposure.
I often advise customers to apply zero-trust principles to the application layer and API security. Study your APIs, understand the risks, then put controls in place around discovery, posture management, runtime protection, and API testing. But you can’t secure what you can’t see, so comprehensive API discovery is the critical first step.
Embedding AI Securely: Minimizing Risks When Building AI/ML-Driven Applications
Q: In the next few years, we expect about every application to have AI model embedded in them via one API or another, what unique security considerations or threats do developers need to account for when choosing an API for AI/ML projects?
A: While the core threats like data breaches, ransomware, malware, account abuse, and API abuse remain the same, the sophistication of tools and techniques attackers wield continues to accelerate rapidly. Adversaries utilize AI to discover and scan APIs at a massive scale, identify vulnerabilities, and devise intricate attack chains.
Essentially, they are offloading tedious reconnaissance and planning to adversarial AI, while reserving human efforts for higher functions like infiltrating networks and monetizing stolen data.
This AI-powered efficiency is of serious concern as attacks become increasingly pervasive and indiscriminate across organizations of all sizes and industries.
To defend against these threats, developers must prioritize API security from the start with a “secure by design” mindset. Implement security practices like API discovery, risk analysis, runtime protection, and API testing integrated into the full development lifecycle.
The security implications and attack surface need to be continuously assessed as AI and machine learning models are embedded into more applications communicating over APIs.
Common API Security Pitfalls and How Akamai Helps
Q: What are some common mistakes that organizations make when it comes to securing their APIs, and how is Akamai helping?
A: Common mistakes include lacking full visibility into the organization’s API inventory and footprint, failing to implement adequate response and mitigation strategies when incidents occur, and not practicing secure API development with appropriate testing cycles.
Many organizations focus narrowly on protecting customer-facing websites and applications, while overlooking the myriad of other external and internal APIs that serve as potential entry points.
When attacks like credential stuffing or API abuse happen, some businesses struggle to respond properly and fail to implement mitigations to prevent recurrences. Having a well-defined incident response and hardening plan is also critical.
Third, not enough emphasis is placed on API testing during development before the code reaches production environments.
Akamai helps organizations gain comprehensive API visibility and discovery, protective capabilities, automated response workflows, and integrated security across the full lifecycle. Our solutions leverage AI, data analysis, and security experts to stay ahead of the evolving landscape.
Q: How do you see the landscape of API security evolving over the next 3-5 years?
A: Over the next 3-5 years, API security needs will continue growing exponentially as our reliance on highly connected digital ecosystems and application-to-application communications accelerates. Currently, adversaries have the upper hand because many enterprises lack sufficient API security controls and practices.
There is an immediate imperative for organizations to establish a standardized baseline of API security with full discovery, inventory management, vulnerability assessment, risk mitigation, and runtime protections. Without these fundamentals, companies will remain dangerously exposed.
In parallel, we expect to see increased API security demands emerge around AI/machine learning applications leveraging APIs.
C-suite executives like CIOs and CISOs now recognize API security as a top priority. Over the next few years, API security strategies and technologies will be an organizational imperative.
Rapid Pace of Innovation Keeps Chokshi Energized
Q: How do you keep yourself motivated daily?
A: I draw a lot of motivation from the incredibly talented and passionate people I get to work alongside in the cybersecurity industry. The constant stream of new threats and attack surfaces demands continuous innovation, learning, and drive to outmaneuver adversaries. It’s energizing to collaborate with brilliant minds tackling these complex challenges.
Additionally, my family, especially my two daughters and wife, provides immense motivation in my personal life. Engaging with my children’s unique generational perspectives and curiosities about the world around them is grounding and inspirational.
Chokshi Sees the Smartphone as the Top Productivity Gadget
Q: What is your best tech gadget and why?
A: While perhaps a more conventional choice, I find smartphones to be remarkably robust productivity tools packed with utility. The sheer acceleration of capabilities we’ve seen in recent years is phenomenal.
Having perpetual connectivity in the palm of your hand enables seamless transitioning between personal and professional tasks throughout the day.
On one device, I can handle work across messaging, video calls, document reviews, and remote application access.
But I can just as easily pivot to things like meditation apps, banking transactions, reading, entertainment, and more.
Smartphones consolidate the “work hard, play hard” lifestyle into a single indispensable gadget. Their versatility and increasingly powerful user experiences make them my top tech gadget.