How to secure APIs through AI innovation: An expert analysis

APIs - application programming interfaces that act as messengers between different programs - are used by billions of people every day, usually without them even realizing it.

But behind the scenes, the global API infrastructure that powers programs, applications, and systems on the web, cloud, edge, mobile, and more is being forced to adapt to the age of artificial intelligence.

AI systems use APIs for a wide range of processes, including as a bridge between the AI model and the data or services it needs to access. Simply put, the effectiveness of AI APIs is at the heart of the AI revolution.

However, cybercriminals are also utilizing this new innovative technology to conduct cyberattacks using artificial intelligence.

Techopedia spoke with API experts about the role of APIs in the modern era, how API developers are adapting, and what new tools and best practices lead developers need to consider.

APIs and AI: a criminal target that's only getting bigger

CheckPoint Research's Shadowed Menace: The Escalation of Web API Cyber Attacks in 2024 report states that API attacks will accelerate in 2024, with 1 in 4.6 organizations worldwide experiencing an API attack every week during the first month of 2024.

This figure is a 20% increase from the same month in 2023.Check Point Research concludes that APIs have become "the center of attention for cyber attackers."

Eric Severinghaus, founder and CEO of Bloomfilter, a company that helps enterprises improve the efficiency of the software development lifecycle, warned of the dangers of insecure APIs these days.

"In a world where APIs are the secret sauce for digital innovation, leaving them unprotected is like forgetting to lock your diary in a house full of nosy siblings.

"I've spent a fair share of my life involved with APIs and artificial intelligence. If you're knee-deep in the tech world, you know that APIs are the unsung heroes behind the scenes making sure all of our digital devices and services work smoothly," says Severinghaus.

"But with great power comes great responsibility, especially as it relates to security."

Severinghaus explained that APIs are used everywhere from weather apps for smartphones to payment processing.

"The more we depend on APIs, the bigger a target they become."

The days of manually securing APIs are a thing of the past

Eric Schwake, director of cybersecurity strategy at Salt Security, an API security platform, discussed how the world of APIs is being transformed by new technologies.

"A manual approach to API defense is becoming nearly impossible, so AI and machine learning (ML) allow security teams to identify risk faster and reduce the attack surface associated with increased API usage."

He explained that AI-ML-based security tools are important when considering API security "simply because of the scale of the importance of APIs to organizations."

He also emphasized the importance of APIs in the new digital age.

"APIs are a vital component of today's digital transformation.

"They are responsible for all transactions between applications, both private and public. So it's very important not only to take care of API security, but also to implement API position management," says Schwake.

The overabundance of APIs and APPs expands the digital attack surface and creates risks

Akamai's latest State of the Internet report (Lurking in the Shadows: Attack Trends Shine Light on API Threats) also cites a startling statistic: 29% of web attacks will target APIs in the 12 months through December 2023.

Rupesh Chokshi, Senior Vice President and General Manager of Application Security at Akamai, spoke to Techopedia about the findings of his report and the importance of APIs today.

"This shows that APIs are being targeted by cybercriminals. Clearly, we need to switch to a proactive mode of protecting our API landscapes."

"We've found that enterprises often have more than 1,000 applications to support the infrastructure needed to meet demand. As enterprises increasingly use APIs to connect with partners, suppliers and customers, their expanding API ownership puts them at risk."

Innovations in API AI security

The Postman's 2023 State of the API Report showed that companies are investing heavily in APIs.

92% of respondents said that organizations' investments in APIs will increase or stay the same over the next 12 months.

CEOs were more optimistic than developers, with 53% saying that investment in APIs will increase in the next year, while 44% of developers said the same.

But in this ever-expanding API universe, the sector faces the challenge of zero-day exploits, which are on the rise as the number of application and software releases increases. In addition, the sector is affected by "shadow APIs" - APIs released with insufficient quality assurance and "zombie APIs" - outdated but not disabled - along with other new attacks such as AI bots, AI injection and authentication attacks.

Naturally, to counter AI attacks, API developers are starting to integrate AI and machine learning in new ways.

Salt Security's Schwake spoke to Techopedia about the inner workings of its recently announced AI-powered assistant Pepper. With Pepper, the company offers AI to empower developers and help them build APIs with AI assistant features.

Developers can ask Pepper questions such as "How do I add a new posture rule?" and Pepper will answer them almost immediately with informative steps, easing the time-consuming process of searching knowledge bases (KBs). Pepper can be used as an omniscient personal assistant for API security and compliance.

Schwake said: "Pepper gives Salt users an easier way to find useful information on how to use the platform using natural language search.

"It's different from the old KBs, where you searched for something and then had to scroll through one or more full KB articles to find the nugget of information you were looking for."

AI is praised for its speed, potential for automation, ability to eliminate human error, ability to search large databases, and generate answers with speed and accuracy. However, Schwake warns that it's important to realize that while AI speeds up API creation, it also increases the attack surface.

"Security managers and developers should establish policies to ensure API development is secure and, as mentioned, implement API Posture Governance strategies across the ecosystem."

AI API Security: Best practices and technologies

Bloomfilter's Severinghaus says AI in APIs is crucial.

"Traditional security tools simply can't keep up with us: they're playing checkers and cybercriminals are playing chess. With AI, we're not just playing catch-up - we're trying to stay ahead of the curve.

"If you're working on an API, think security first, not last. Weaving AI security features into the API structure from day one is like building a house on solid rock rather than sand."

Akamai's Chokshi noted that pattern recognition and data analytics are key to preventing the most common API vulnerabilities. These two areas can be greatly supported by artificial intelligence.

"When we protect APIs, we look not only at signatures but also at behavior to identify irregular API activity that could indicate a threat," Chokshi says.

"We also collect data in our data lake to provide pattern analysis over a long period of time to identify issues that can be used in the future."

Chokshi explained that AI security tools can provide critical support to developers from the beginning of each project to ensure that APIs are tailor-made for production.

"Security tools with artificial intelligence enable developers, AppSec and SecOps teams to rapidly innovate without manual intermediate steps - from automating API testing to targeted remediation."

Akamai recently formed a tech alliance with Apiiro to offer protection from code to runtime. Chokshi described the technology in simple terms:

"If Akamai's API security system triggers an alarm on an API, the Apiiro platform can automatically identify the exact issue that caused the alarm and contact the responsible developer, saving teams the time it takes to find the problem and the person responsible."

Practical advice on ethical hacking for executives

Dr. Katie Paxton-Fear, an ethical API hacker, PhD in cybersecurity and artificial intelligence, and currently technical marketing manager at Traceable AI, also spoke to Techopedia about API security.

"Unfortunately, because APIs live on the backend, often developers create APIs for themselves and forget that anyone can access them if the API is available online."

According to Dr. Paxton-Fear, by using API security tools, organizations rely less on developer memory and can use smart tools and techniques to find API security flaws.

"By using AI instead of relying on clever tools and techniques, we can look at real data, real attacks and real API data and apply the lessons learned to new APIs. It's like having an API security expert on your side looking at all the data going through your APIs."

Dr. Paxton-Fear noted that while everyone, including developers, is looking for ways to increase productivity with AI, a balance must be struck between creating the next generation of AI-driven software and security.

According to Dr. Paxton-Feer, the fundamentals of ethical hacking and penetration testing tools such as vulnerability scans, data and asset inventories, and knowledge of an organization's digital architecture are more important than the use of artificial intelligence.

"Start with the basics: are you sure you know your attack surface? Are you aware of every API deployment? Do you know which tools or libraries are using the API or not? If you don't know the answers to these fundamental questions (and many teams don't know them!), you can't throw yourself at AI and shiny new technologies - you have to build them."

Results

Despite the rapid development and impact of AI, API developers can still secure their APIs through traditional API security, continuous monitoring, AI and ML rules, real-time statistics and response, and more practical methods such as penetration testing.

According to Severinghaus, "integrating artificial intelligence into API security is not just a trend, it's a path to a more secure digital future."

"APIs are at the heart of much of today's digital transformation, so it's critical to understand industry trends and relevant usage scenarios such as loyalty fraud, abuse, authorization and onboarding attacks," concluded Chokshi.

"You can't defend against what you can't see: Business leaders and developers must focus on continuously detecting and monitoring APIs, understanding the full scope of API activity, and using behavioral analytics to identify and mitigate sophisticated threats."

As AI APIs transform globally, new API security technologies will emerge to automate security and compliance and help developers. AI API security, increasingly under attack, must innovate, shift left, and strengthen defenses to stay ahead of the curve.