Hidden APIs: Are Blind Spots Exposing Public Sector Agencies to Attack?

F5 Ecosystem | April 07, 2025

The digital landscape is constantly evolving, and with it, the threats to public sector and national critical infrastructure. Recent and well-documented attacks, like the U.S. Treasury Department breach late last year and the T-Mobile network operator hack disclosed in 2023, serve as stark reminders of the vulnerabilities at large.

And increasingly, these vulnerabilities are found within application programming interfaces, or APIs. In fact, Gartner recently predicted that APIs are becoming the leading attack vector for web applications, and my experience confirms this trend.

At this week’s AppWorld Public Sector Symposium, which starts tomorrow in Tysons Corner, Virginia, we’ll be discussing API protection—along with other emerging trends in application delivery and security. This event is a crucial opportunity to examine these challenges and explore effective solutions.

Revealing the shadow API threat

One of the biggest challenges I see, time and again, is a lack of visibility into network vulnerabilities. Many organizations simply don't know how many APIs they have in use. We’ve conducted API discovery exercises for clients who thought they had around 100 APIs, only to uncover closer to 30,000! This isn't unusual and poses a significant security risk.

APIs operate in complex ecosystems, hidden amongst a patchwork of architectures, components, types, and protocols. On average, organizations use over 20,000 APIs. By 2030, the total number of APIs in use across the public and private sector is expected to exceed 2 billion. The challenges in managing and securing them most commonly stem from a lack of documentation or difficulty in discovery.

This “shadow IT” phenomenon, where unknown or unmanaged APIs proliferate, creates a breeding ground for vulnerabilities. These APIs often lack proper security controls, making them easy targets for malicious actors. Think of it like leaving unlocked doors and windows in your house—it's an open invitation for those wanting to intrude.
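
An added example, not from the original post or any F5 tooling: one basic form of the discovery exercise described above is to compare the endpoints a gateway actually serves against the documented inventory. The log format, the inventory, and every path below are constructed for illustration, and treating a 404 as "not served" is an assumption.

```python
import re
from collections import defaultdict

# Constructed inventory: the endpoints the team believes it runs.
DOCUMENTED = {("GET", "/v1/permits/{id}"), ("POST", "/v1/permits"), ("GET", "/v1/status")}

# Constructed gateway log lines: method, path, status, auth scheme ("-" = none).
SAMPLE_LOG = """\
GET /v1/permits/48213 200 bearer
POST /v1/permits 201 bearer
GET /v1/status 200 -
GET /v1/permits/48213/attachments/9f1c2b7a-3d4e-4f5a-8b6c-7d8e9f0a1b2c 200 bearer
GET /internal/export/users?format=csv 200 -
GET /internal/export/users?format=json 200 -
DELETE /v0/permits/17 204 -
GET /v2/does-not-exist 404 -
"""

UUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def normalize(path):
    """Collapse numeric and UUID path segments to {id}; drop the query string."""
    segs = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if s.isdigit() or UUID.match(s) else s for s in segs)

def find_shadow_endpoints(log_text, documented):
    """Return {(method, template): stats} for served endpoints missing from the inventory."""
    seen = defaultdict(lambda: {"hits": 0, "unauthenticated": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        method, path, status, auth = parts
        if status == "404":
            continue  # assumption: a 404 means nothing is served at this path
        key = (method, normalize(path))
        if key in documented:
            continue
        seen[key]["hits"] += 1
        seen[key]["unauthenticated"] += auth == "-"
    return dict(seen)

if __name__ == "__main__":
    shadow = find_shadow_endpoints(SAMPLE_LOG, DOCUMENTED)
    # Undocumented endpoints answering without credentials are listed first.
    for (method, tmpl), s in sorted(shadow.items(), key=lambda kv: -kv[1]["unauthenticated"]):
        print(f"{method:6} {tmpl:45} hits={s['hits']} unauthenticated={s['unauthenticated']}")
```

Path normalization is what keeps the count honest: without it, every distinct resource ID would look like a separate undocumented API.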

Understanding API exploitation and attack vectors

APIs are increasingly being targeted by both nation-state actors and cybercriminal organizations. Government and defense-related APIs are just as vulnerable as public-facing ones. Arguably, they’re even more attractive as targets due to the sensitive data they handle.

APIs can be used as entry points for deeper attacks into networks. A compromised API can provide access to internal systems, databases, and other critical resources. It's like finding a secret passage into the heart of your organization. As we saw in the case of T-Mobile, the U.S.-based network operator, threat actors can exploit API vulnerabilities to gain unauthorized access to confidential data that has a value on the dark web. In this case, attackers stole the personal information of 37 million current customer accounts.

To make things even more complicated, an organization may not fully control all the APIs that make contact with their systems.

The U.S. Treasury Department attackers gained access through a vulnerability in a third-party software component—ironically, software that formed part of its cyber defense. These supply chain attacks can impact organizations of any size and status, with numerous examples, such as the SolarWinds attack and the Volt Typhoon group, hitting the headlines.

Robust API security requires leaving no stone unturned. Our 2024 State of Application Strategy Report: API Security reveals which APIs appear to face the most risk, which are commonly missed from protection, and how API security models and responsibilities may need to adapt to keep APIs safe in the AI era. Spoiler alert: zero trust security has a blind spot too, unless it also embraces APIs.

Can AI be your API security ally? Leveraging AI-powered defense

AI both exacerbates and assists with API security. Gartner estimates that AI adoption will drive more than 30% of the increased demand for APIs by 2026, due to the number of APIs that large language models need to collect and exchange data. Each API requires documentation and security, creating a host of opportunities for malicious intent.

Fortunately, organizations aren’t defenseless, and AI is emerging as a powerful defensive tool. AI and machine learning can analyze API traffic in real time, detecting anomalies and suspicious behavior that would be impossible for humans to identify manually.

AI can classify APIs, understand normal behavior patterns, and flag potential misuse or security vulnerabilities. It can also be used to generate security policies dynamically, adapting to evolving threats and ensuring that your APIs are always protected. It's like having a tireless, intelligent security guard constantly monitoring your API traffic.

Achieving consistent protection across environments

Today’s public sector organizations leverage hybrid and multicloud environments—with AWS, Azure, Google Cloud, and others—to achieve scalability and resilience, but doing so also adds to the API security headache. The inherent differences between cloud providers, each with its own security tools and configurations, create a fragmented security posture. Relying solely on native cloud security leaves gaps that attackers eagerly exploit. It's like trying to defend a castle with different armies who don't coordinate.

The complexity of managing APIs across multiple clouds can easily overwhelm security teams that are unable to gain a comprehensive view of all APIs and their security status. Addressing this challenge calls for a unified approach, starting with a single, consistent set of security policies across all clouds, covering authentication, authorization, and more. Standardized security controls are also vital, ensuring a baseline level of protection everywhere.

Automated security testing integrated into the API development lifecycle also identifies vulnerabilities early. Real-time monitoring and threat detection provide visibility and enable rapid response to incidents, while a robust Identity and Access Management (IAM) system controls API access, and clear API governance policies ensure consistent security practices.

Securing APIs in a multicloud world demands a proactive, centralized, and standardized approach. By implementing these principles, modern public sector and critical infrastructure organizations can mitigate risks and ensure the ongoing security of their APIs. Ultimately, it's about building a strong, adaptable defense against evolving threats.

Want to learn more? Listen to the recent Federal Tech Podcast featuring my conversation with John Gilroy. Also, visit the F5 Public Sector Solutions webpage.
