Top of Akamai building with Akamai logo in blue and orage
July 30, 2019 Santa Clara / CA / USA – Akamai sign displayed at their headquarters in Silicon Valley; Akamai Technologies, Inc. is an American content delivery network (CDN) and cloud service provider

Akamai Technologies announced this week that it will acquire privately funded application programming interface threat detection and response firm Neosec, a finalist in the 2022 RSA Conference Innovation Sandbox Contest. The deal is set to close in June. Neosec’s employees, including co-founder and chief executive officer, Giora Engel, and co-founder and CEO, Ziv Sivan, are also expected to join Akamai’s security technology business.

The acquisition speaks to the wake-up call moment: the growing importance of API risk detection and attack remediation as part of always-on detection and response, and the ascendance of more holistic security platforms.

In the latter circumstance, IT companies like Cisco, Check Point and others are offering a holistic single platform alternative to a multiple-vendor approach — one focused on myriad security software-as-a-service solutions to specific vulnerabilities — rather like dozens of proverbial Hollanders plugging known leaks with their thumbs but not addressing the big picture.

Rupesh Chokshi, general manager of application security at Akamai, explained that the acquisition brings much-needed expertise in API to Akamai.

SEE: Coordinated cybersecurity is security aligned with business goals (TechRepublic)

“There are a number of things we have become really good at, but we haven’t focused on API interactions. With this new capability we are able to see anomalies: Why are these calls being made? What is the data shared or traversed, what known vulnerabilities are we seeing? We will now have the ability to quickly alert the customer that this is what’s going on,” Chokshi said.

Mani Sundaram, executive vice president and general manager of the security tech group at Akamai said, “Enterprises expose full business logic and process data via APIs, which, in a cloud-based economy, are vulnerable to cyberattacks. Neosec’s platform and Akamai’s application security portfolio will allow customers to gain visibility into all APIs, analyze their behavior and protect against API attacks.”

API attacks on the rise

Security firms are seeing a brisk increase in API threat activity. Salt Security, in its March State of API Security report noted a 400% increase in attackers over the prior six months. The report also found:

  • 80% of attacks happened over authenticated APIs.
  • Nearly half of respondents now state that API security has become a C-level concern.
  • 94% of survey respondents experienced security problems in production APIs in the past year.
  • 70% said their organizations suffered a data breach as a result of security gaps in APIs.

One example illustrates how effective a relatively simple API attack can be: the NCC Group, in its 2022 annual Threat Monitor, noted that Australian telecom Optus had the personal information of 10 million customers exposed in a data breach accessed through an exposed API.

Roey Eliyahu, co-founder and CEO, Salt Security noted that while APIs are powering digital transformation delivering new business opportunities and competitive advantages, “The cost of API breaches, such as those experienced recently at T-Mobile, Toyota and Optus, put both new services and brand reputation, in addition to business operations, at risk.”

Akamai’s State of the Internet report noted the inclusion of API vulnerabilities in the upcoming Open Web Application Security Project API Security Top 10 release is emblematic of growing industry awareness of API security risks.

Risk grows with increased speed of software development

The Akamai report cites two factors driving the increase in API attack volume. One is acceleration in the application development lifecycle, which “requires a faster turnaround in creating and deploying these applications in production, which could result in a lack of secure code,” said the report.

Akamai cited Veracode’s Enterprise Strategy Group survey, in which 48% of organizations stated that they release vulnerable applications into production because of time constraints (Figure A).

Figure A

graph for The top verticals impacted by web application and API attacks, 2021 vs. 2022.
Image: Akamai. The top verticals impacted by web application and API attacks, 2021 vs. 2022.

Akamai also reported the number of vulnerabilities is on the rise, with one-tenth of all vulnerabilities in the high or critical category found in internet-facing applications. The report also said open source vulnerabilities like Log4Shell doubled between 2018 and 2020.

Attackers see APIs… but do you?

Akamai said that among other things, Neosec’s solution provides visibility of APIs — which is of critical importance because organizations often don’t know where, or how many APIs they have below the digital decks.

“That is priority number one,” said Chokshi. “In security language, it’s discovery and visibility. And it’s going to be interesting because customers want the baseline: they want to understand (their API exposure).”

Because large organizations can have thousands of apps, they often want to focus on high-risk APIs, because they can’t handle everything at once, he added.

“They are using lots of different exit points, API gateways like (Google Cloud’s) Apigee, or Kong, or load balancers like F5, so there’s this whole complexity that each enterprise environment has that we have to work with customers to tackle as we go forward. The end objective would be visibility and discovery figured out, and intelligence, and then work on protection: How much of this can we do with blocking, how much with response and can we automate?” Chokshi said.

Former FBI Special Agent Dean Phillips, executive director of public sector programs at API security firm Noname said the risks are multiplied by visibility issues, a perennial problem with enterprises with large and growing numbers of integrated applications and interfaces.

“We have found that in private security upwards of 30% of APIs that are active in an environment are unknown by users,” he said “So there is quite a lot that goes on that users just aren’t aware of, including movement of sensitive data, not just names and addresses but social security numbers, birthdays, that the application doesn’t necessarily need or use. It’s a major problem. If you don’t know what you have, or what it’s  doing, how do you protect it?”

Rising API attack incidents in 2022

According to Google Cloud Cybersecurity Action Team’s April 2023 Threat Horizons Report, the rise in API compromise was a factor in one-fifth of incidents last year. According to the report, customers delayed security upgrades because “they worried that such upgrades might also bring unanticipated API changes, which might undermine their applications’ functionality.”

The report said, however, that APIs do not actually change with minor upgrades, addressing Kubernetes cluster’s overall operating environment, and the scope of the updates can be controlled. “Customers were not always aware of this configuration option, however,” the report said.

Growing focus on API security

Because of the ubiquity of APIs as intermediaries in more and more cloud native transactions, Chokshi said he sees the API security market potentially becoming a security superset.

“The interactions will be that much greater because of areas like the automotive industry, healthcare, and smart cities, versus classic end user or mobile applications,” he said.

“You also have a lot of businesses where APIs are critical to the back end: A customer is trying to open an app or account, and in the back end there is a credit check, or other actions. More and more business-to-business transactions taking place in this cloud economy, including supply chains, are API-driven. The API market, in general, is rapidly growing and the tooling that is required to keep up is lacking. Security becomes even more important because of that,” Chokshi added.

Phillips agrees APIs are an energetic space. “It’s becoming white hot, and lots of folks are trying to get involved in API security because there’s a growing recognition that they are the number one attack vector,” he said, noting that in 2022, Gartner had estimated that by last year, APIs would be the No. 1 attack vector. “And we have seen tremendous growth,” Phillips said.

API surveillance joins the platform

Alamai’s acquisition follows a shift away from single-point solutions to comprehensive services — from products to platforms — the virtues of which industry consultants have been extolling for years.

“It’s a constant conversation between best-of-breed technology and platform solutions,” said Wendi Whitmore, SVP of Palo Alto Networks’ Unit 42 team. “The discussion previously had been one or the other. I will say that our ability to provide a much broader range of solutions across technology is really compelling, and I will say the majority of our products are best of breed. It will be tougher for organizations to compete in a world solving one small problem,” she said. “There is never one single silver bullet. It’s too complex today.”

Chokshi said Akamai’s acquisition — and a security-platform approach to cyberdefense — allows the firm to benefit from adjacency so that an attacker doesn’t get lost in transit between one point of visibility (or security product if the organization is using multiple vendors) and another. “We are already providing a high level of protection, they are comfortable with our portals and platforms and so this becomes an additional capability in that same continuum.”

Phillips, who said Noname employs a “left of boom” approach — essentially shifting left to address API vulnerabilities before an incident makes them obvious — predicts there will be more consolidation that brings API security capabilities under the aegis of major players. “There’s enough recognition in the industry that API security is growing. APIs have been around for a long time but recognition of vulnerabilities hasn’t. Attacks are increasing but the question becomes what’s the impact? Is the pain of the attack enough to drive action?”