The nature of API traffic creates a large potential attack surface that needs to be understood and prioritized, analyst Mark O'Neill said during Gartner's Application Innovation and Business Solutions Summit.
API attacks result in data breaches because APIs are designed to open up access to data that's otherwise unavailable. That data is secured with an API key, he explained.
"Discovering API keys and then using those to access APIs is one attack factor," O'Neill said. If threat actors get hold of those keys, they can call an organization's APIs as if they were that organization.
"Of course that is not something you want to happen because they're driving up costs for you. But also, it's not something that the API provider wants to happen," he said.
According to Gartner, storing API keys or other API credentials in insecure ways, like in applications, cloud services, or on a hard drive, is the main reason for this type of breach.
Another way attackers breach APIs is by looking at an organization's applications and seeing how API keys are being stored.
If a mobile app is accessing bank information, for example, that usually means credentials are stored either in the app or somewhere the app can access. The same is true for IoT devices and vehicles, O'Neill explained.
That means threat actors "with access to the device itself can get those API keys, and then directly call the API," he said.
Web applications and single page applications present a particular challenge "because in those scenarios, you often have to store and protect the API key in the web application. And of course, that's running in the browser of the user."
A user could then inspect that API traffic with tools like Fiddler to discover the API keys. "The client side is often a weak link for APIs," he added.
APIs can also be breached as a result of flaws in the API itself, specifically policy flaws. "If an attacker can get a copy of a successful API call with an API key in there, then if the security is not strong for that API, they may be able to simply replay that request."
However, because every API request is different, security teams can often detect a capture-and-replay attack. For less well-protected APIs, though, this is still a key attack vector, O'Neill said.
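The replay defense O'Neill alludes to, shown as an added example (not code from the article or from Gartner): each request carries a timestamp and a single-use nonce that are bound into an HMAC over the request, so a captured call with a valid API key cannot simply be sent again. The `SECRETS` map, the request field names and the nonce format are assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed server-side secrets keyed by API key id (assumption, not from the article).
SECRETS = {"key-123": b"constructed-shared-secret"}


def sign_request(secret: bytes, method: str, path: str, ts: int, nonce: str, body: bytes) -> str:
    """Bind method, path, timestamp, nonce and body hash into one HMAC tag."""
    body_digest = hashlib.sha256(body).hexdigest().encode()
    msg = b"\n".join([method.encode(), path.encode(), str(ts).encode(), nonce.encode(), body_digest])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Rejects requests with a bad tag, a stale timestamp, or a nonce already seen in the window."""

    def __init__(self, window_s: int = 300):
        self.window_s = window_s
        self.seen = {}  # (key_id, nonce) -> expiry time, purged as it ages out

    def verify(self, req: dict, now: int) -> tuple:
        secret = SECRETS.get(req["key_id"])
        if secret is None:
            return False, "unknown key"
        expected = sign_request(secret, req["method"], req["path"], req["ts"], req["nonce"], req["body"])
        if not hmac.compare_digest(expected, req["sig"]):  # constant-time comparison
            return False, "bad signature"
        if abs(now - req["ts"]) > self.window_s:
            return False, "stale timestamp"
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}  # keep memory bounded
        marker = (req["key_id"], req["nonce"])
        if marker in self.seen:
            return False, "replayed nonce"
        self.seen[marker] = now + self.window_s
        return True, "ok"


def demo() -> tuple:
    """Constructed traffic: a valid call, the same call captured and resent, a tampered copy, an old one."""
    guard, now = ReplayGuard(), 1_700_000_000
    req = {"key_id": "key-123", "method": "POST", "path": "/v1/transfer", "ts": now,
           "nonce": "n-0001", "body": b'{"amount": 10}'}
    req["sig"] = sign_request(SECRETS["key-123"], req["method"], req["path"], req["ts"], req["nonce"], req["body"])
    first = guard.verify(req, now)
    replay = guard.verify(req, now + 5)  # identical captured request sent again
    tampered = dict(req, body=b'{"amount": 999}')  # body changed, tag no longer matches
    late = dict(req, nonce="n-0002", ts=now - 3600)  # fresh nonce but an hour-old timestamp
    late["sig"] = sign_request(SECRETS["key-123"], late["method"], late["path"], late["ts"], late["nonce"], late["body"])
    return first, replay, guard.verify(tampered, now), guard.verify(late, now)
```

Logging the rejection reason per API key is what turns this check into the detection signal the article describes, since a burst of "replayed nonce" or "bad signature" results against one key points at a captured credential.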