How to Embrace API Security with AI Innovation: Expert Analysis

KEY TAKEAWAYS

  • API security threats are on the rise with studies indicating 1 out of 4.5 organizations being impacted every week in 2024.
  • Cloud-based organizations are especially vulnerable and manual API security is no longer enough.
  • As the growing number of APIs makes manual security impractical, AI and machine learning (ML) become essential for automating security tasks and identifying risks.
  • AI-powered security tools can help detect anomalies, analyze data patterns, and identify potential vulnerabilities in APIs but require best practices.
  • Proactive security and penetration tests also establish themselves for their great value in the API sector.
  • AI in API can be used to improve security, but also comes with challenges.

APIs —  Application Programming Interfaces that act as messengers between different programs — are used by billions of people everyday, usually without them even knowing it.

But behind the scenes, the global API infrastructure that powers programs, apps, and systems on the web, cloud, edge, mobile, and more, is being forced to adapt to the era of artificial intelligence.

AI systems use APIs for a wide range of processes, including acting as the bridge between the AI model and the data or services it needs to access. In simple words AI API efficiencies are fundamental for the AI revolution.

However, cybercriminals are also leveraging this new innovative technology to launch AI-powered cyber attacks.

Techopedia talked to API experts about the role of APIs in the modern era, how API developers are adapting, and what the new tools and best practices developers are leaders need to consider.

APIs and AI: A Criminal Target That Is Only Getting Bigger

The CheckPoint Research report Shadowed Menace: The Escalation of Web API Cyber Attacks in 2024 found that API attacks are accelerating in 2024  —and that 1 in 4.6 organizations worldwide were impacted every week throughout the first month of 2024 by API attacks.

The figure represents a 20% increase compared to the same month in 2023. Check Point Research concludes that APIs have become “a focal point for cyber attackers.”

Erik Severinghaus, Founder and CEO of Bloomfilter — a company that helps businesses streamline efficiencies throughout the software development lifecycle — warned of the dangers of keeping APIs unprotected in this day and age.

“In a world where APIs are the secret sauce to digital innovation, leaving them unprotected is like forgetting to lock your diary in a house full of nosy siblings.

“I’ve spent a fair chunk of my life tangled up in APIs and AI. If you’re knee-deep in the tech world, you know that APIs are the unsung heroes behind the scenes, ensuring all our digital devices and services play nicely together,” Severinghaus said.

“But with great power comes great responsibility, especially regarding security.”

Severinghaus explained that APIs are everywhere, from powering smartphone weather apps to processing payments.

“The more we depend on APIs, the bigger the target they become.”

The Days of Securing APIs Manually Are Gone

Eric Schwake, Director of Cybersecurity Strategy of Salt Security —  an API security platform — described how the world of APIs is transforming due to new technologies.

“Manual approaches to securing APIs are becoming nearly impossible, so AI and machine learning (ML) allows security teams to more rapidly determine risk and lower the attack surface associated with increased API usage.”

He explained that AI-ML-powered security tools are important when thinking about API security “simply because of the scope of importance of APIs for organizations.”

He also highlighted the importance of APIs in new digital eras.

“APIs are the lifeblood of today’s modern digital transformation.

“They are responsible for all the transactions between applications, both private and public.  As such, it’s critical to consider not only the security of APIs but also implementing API posture governance,” Schwake said.

API and APP Overabundance Expands Digital Attack Surface and Creates Risks

The latest State of the Internet report by Akamai, Lurking in the Shadows: Attack Trends Shine Light on API Threats, also revealed eye-opening stats, with 29% of web attacks targeting APIs over the 12 months to December 2023.

Rupesh Chokshi, Senior Vice President and General Manager, Application Security of Akamai, spoke to Techopedia about the findings of their report and the importance of APIs in modern times.

“This indicates that APIs are a focus area for cybercriminals. It’s clear we need to switch gears to proactive mode to defend our API landscapes.

 

“We’ve found that enterprises often have over 1,000 apps in order to keep up with the infrastructure needed to support the demand. As businesses increasingly use APIs to connect to partners, suppliers, and customers, their expanding API estates open them up to risk.”

Innovation in API AI Security

The Postman’s 2023 State of the API Report revealed that companies are investing heavily in APIs.

92% of respondents said that organizations’ investment of time and resources into APIs will increase or stay the same over the next 12 months.

CEOs were found to be more bullish than developers, with 53 % of them saying API investments would increase in the coming year, while 44% of developers said the same.

But in this ever-expanding API universe, the sector is challenged by zero-day exploits on the rise as app and software releases increase. Additionally, “shadow APIs” — APIs released with poor quality checks — and “Zombie APIs” — deprecated but not disabled — along with other new attacks like AI bots, AI injection, and authentication attacks impact the sector.

Naturally, to counter AI attacks, API developers are beginning to integrate AI and machine learning in new ways.

Schwake of Salt Security walked Techopedia through the inner workings of its newly announced AI-powered knowledge-based assistant Pepper. With Pepper, the company offers AI to empower developers and help them build APIs with AI-assistants features.

Developers can ask Pepper questions such as “How do I add a new posture rule?” and Pepper will respond almost immediately with informative steps, alleviating the time-consuming process of searching Knowledge Bases (KB). Pepper can be used as an all-knowing personal assistant to API security and compliance.

Schwake said: “Pepper provides users of Salt an easier way to find actionable information on how to use the platform using natural language searches.

“This is different from KB’s of old where you would search for something and then have to sift through one or more full KB articles to find the nugget of information you were looking for.”

AI is praised for its speed, automation potential, ability to remove human error, ability to search large databases, and generating responses with agility and accuracy. But Schwake warns that it is important to understand that while AI speeds up the production of APIs, it also increases the attack surface.

“Security leaders and developers need to develop policies to ensure the security of API development and, as mentioned, incorporate API Posture Governance strategies across the ecosystem.”

AI API Security: Best Practices and Tech

Severinghaus from Bloomfilter says that AI in API is crucial.

“Traditional security tools just can’t keep up; they’re playing checkers while cybercriminals are playing chess. By bringing AI into the mix, we’re not just playing catch-up — we’re aiming to stay several moves ahead.

 

“If you’re working on an API, think security first, not last. Weaving AI security tools into the fabric of your API from day one is like building a house on solid rock instead of sand.”

Chokshi from Akamai said that pattern recognition and data analysis are key to preventing the most common API vulnerabilities. These two areas can be heavily supported by AI.

“When we’re securing APIs, we are not just looking at signatures; we are also looking at behavior to catch irregular API activity that may indicate a threat,” Chokshi said.

”We’re also collecting data in our data lake to ensure that we can analyze patterns over a long period of time to identify issues that could be exploited in the future.”

Chokshi explained that AI security tools can support developers in critical ways from the start of each project in order to ensure APIs are purpose-built for production.

“From automating API testing to enabling targeted remediation, AI security tools allow developers, AppSec teams, and SecOps teams to drive innovation quickly without the manual, in-between steps.”

Akamai recently created a technical alliance with Apiiro to offer code-to-runtime protection. Chokshi broke down the tech in simple terms:

“If Akamai’s API security alerts on an API, Apiiro’s platform can automatically identify the exact problem that triggered the alert and contact the developer responsible, which saves teams the time of tracking down the issue and the person responsible.”

Hands-on Ethical Hacking Advice for Leaders

Dr. Katie Paxton-Fear — an API ethical hacker with a Ph.D. in cyber security and AI and currently Technical Marketing Manager at Traceable AI, also spoke to Techopedia about API security.

“Unfortunately, because APIs live on the backend, often developers make APIs for themselves and forget that anyone can access them if the API is available online.”

Dr. Paxton-Fear said that by leveraging API security tools, organizations become less reliant on developers’ memories and can use clever tools and techniques to find where an API’s security falls short.

“By using AI instead of relying on clever tools and techniques, we can look at real data, real attacks, and real API data and apply lessons learned to new APIs. It’s like having an API security expert at your side, looking at all the data going through your APIs.”

Dr. Paxton-Fear said that while everyone, including developers, looks for ways to increase productivity with AI, a balance must be reached between enabling the next gen of AI-built software and security.

The basics of ethical hacking and penetration testing tools like vulnerability scans, data, and asset inventory, and knowing the organization´s digital architectures are more important than using AI, according to Dr. Paxton-Fear.

“Start with the basics, are you sure you know your attack surface? Do you know about every API deployment? Do you know what tools or libraries are in use APIs or not? If you don’t know the answers to these fundamental questions (and a lot of teams don’t!), you can’t rush to AI and the new shiny technology — you have to build it out.”

The Bottom Line

Despite the rapid pace and impact of AI, API developers can still secure their APIs using traditional API security, constant monitoring, AI and ML rules, real-time stats and response, and more hands-on methods like penetration testing.

As Severinghaus said, “Integrating AI into API security isn’t just a trend; it’s the path to a safer digital future.”

“APIs are at the heart of most digital transformations today, so it is paramount to understand the industry trends and relevant use cases, such as loyalty fraud, abuse, authorization, and carding attacks,” Chokshi concluded.

“You cannot defend against what you don’t see: Business leaders and developers should focus on continuous discovery and monitoring of APIs, understanding the full scope of API activity, and leveraging behavioral analytics to identify and mitigate sophisticated threats.”

As an AI API transformation happens globally, new API security technologies will continue being developed to automate security and compliance, and assist developers. AI API security, increasingly under attack, must innovate, shift left, and increase its defenses to stay ahead of the curve.

Related Terms

Related Article