DEV Community

Cover image for Why APIs have become a security nightmare for SMBs and enterprises
Nathan for BLST

Posted on • Edited on

Why APIs have become a security nightmare for SMBs and enterprises

Businesses, no matter how big or small, have to be careful with their data because someone could steal it or it could be accidentally leaked. Hackers don't discriminate based on the number of employees or the size of the IT budget. The same types of security risks impact businesses, whatever their size.
Day in and day out, small-to-medium businesses are targeted by cyber-attacks. They are often unaware of the risks they take on, which can include hacking, fraud, phishing, and more. A primary culprit of these attacks is the lack of understanding of APIs. In this essay, I will be discussing how SMBs and enterprises alike have been struggling with APIs as a mechanism for information security. According to Forbes, "the first half of 2018 was marked by an increase in API-related data breaches, with the 10 largest companies reporting the loss of 63 million personal records." The increasing number of reported API leaks has led many SMBs to consider taking steps to protect their customers.
These types of attacks can allow hackers to steal massive amounts of sensitive data, disrupt operations, and even take down websites. To protect against these attacks, businesses need to implement a wide range of strong API security measures such as authentication, authorization, encryption, and vulnerability scanning. The sheer number of options has a direct impact on the budget.

The fact that there are so many different APIs is the main challenge for enterprises when it comes to API security. Storing authentication credentials for the API is a significant issue. This can be compounded by certain enterprises using the Internet of Things (IoT) that don't have good security. Companies are realizing that they have to keep putting out fires on personal devices, leaving them vulnerable to attacks
The other issue with APIs is that once one is compromised, it's likely that all of your accounts are affected because whoever does gain access will just use your username and password to log in to other sites, apps, etc. The threat that API security breaches pose to enterprises should not be taken lightly. A breach should always trigger a comprehensive crisis communication plan involving the board, C-suite, and other stakeholders. This communication plan should specify how governing bodies will stay informed should there be a data breach as well as... As you can see, handling API security is a tedious operation, none the less expensive, even for enterprises.
But big budget enterprises can mitigate similar breaches, while SMBs can barely spare a budget for them, thus making them an easy target for similar attacks.

For the most part, SMBs believe that they're small targets and are unlikely to be attacked, but that's really not true. We see high numbers of attacks against SMBs. Hackers aren't looking for buckets of cash. For the most part, those are usually reserved for big companies, and those are generally driven by state-funded actors, but SMBs are actually working with common criminals. In some cases, they'll start with a specific target in mind and work their way up to attempting to breach that specific target, but in other cases, it's very opportunistic. It's really about finding the easiest target to penetrate or a low-hanging fruit.

However, in recent years, we can see that SMBs are increasingly using cloud-based services to manage many areas of their information technology. These services used to be enterprise-only solutions. At the same time, the same goes for cyber-security, where SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and penetration testers which help organizations identify and resolve security vulnerabilities. used to be solutions aimed at those businesses. However, solutions such as BLST (Business Logic Security Testing) that provide automatic penetration testing at a budget price are increasingly used, with it APIs can be continuously scanned and security vulnerabilities can be accurately identified and located, allowing development and security testing to detect and remediate vulnerabilities more quickly.
In conclusion SMBs are at a disadvantage when it comes to API security because they often don't have the same level of security resources as larger enterprise size businesses. Hackers know this and often target SMBs because they're an easy target. However, nowadays, solutions that were commonly used by enterprises are more commonly used by SMBs, and the price is reasonable.

Join the discussion in our Discord channel https://discord.gg/TnabSMyC.

Top comments (0)