Business And Security

Integration Flaws in APIs Often Result in Security Breaches

Integration Flaws in APIs Often Result in Security Breaches

Many companies regard API security issues as events that only happen to large businesses (250+ employees) like T-Mobile, and McDonalds. It’s true: cyberattacks are most frequently targeted toward companies that possess expansive quantities of data that can be stolen by using the least amount of effort.

Even though corporations of that size manage to glide through these situations without experiencing a large loss from their customer base, it is disruptive and possibly dangerous.  When small-to-medium companies are attacked they have even more to lose. With data ransom, financial theft and a myriad of new attacks on the loose, it is no longer safe to assume security is tight. 

The downtime required to reverse the damage should be enough to make CIOs, CISOs, CSOs and other members of the security team take action. There is an inordinate amount of downtime required to:

  • Find the API flaws and security breakdowns
  • Secure the data with (encryption, tokenization,de-identification)
  • Centralize control of data users
  • Contact customers who may be affected
  • Strengthen the weak links (automated and human)

By the time these measures are taken, sales momentum is lost and customers may lose confidence and interest in the brand, which brings in another layer of turmoil.

According to the Canadian Survey of Cyber Security and Cybercrime, companies worldwide have seen a 57.5 percent increase in cyberattacks during the holiday season in 2017 which is more than double the amount in 2016. According to Statistics Canada, more than one in five Canadian companies experienced a cyberattack in 2018.

A StatCan spokesperson reminds us, “Canadian businesses continue to rapidly embrace the Internet and digital technologies, which expose them to greater cybersecurity risks and threats. However, the impact of these risks and threats on the investment and day-to-day decisions of businesses are not easily understood as cybersecurity incidents often go unreported.”

API Flaws are Attractive to Cybercriminals

APIs provide the digital integration between apps, cloud resources, data, and application services, which provides a high level of motivation for cyberhackers.

Think about it… APIs provide access to customers’ data and often their entire digital environment. Additionally, many APIs have gaping flaws that are not easily detected without proper testing and periodic retesting. API flaws provide easy opportunities for security theft therefore it is crucial to verify iron-clad integration of the various components. In 2018 alone, there have been an increased number of high-profile data breaches and exposures due to poor API security. Salesforce, Instagram, and Venmo were all victims of API insecurity, to name a few.

Since APIs are provided to developers and public users in an effort to increase software usage, there are tremendous opportunities for cybercriminals. According to a study by Imperva, the average company manages an average of 363 APIs due to the increased use of micro-services.

Testing APIs – Now Critical to Security Maintenance

API testing can be accomplished during development; however when APIs are added, changed or updated repeat API testing is recommended. In the past UI testing seemed to be enough, yet API testing is much faster and more efficient than waiting for users to discover bugs over a longer period of time. API testing allows communication between integrated software systems and can discover vulnerabilities that can be fixed and marked as cyber safe.

In the case of the year-long API flaw the United States Postal Service experienced (November 2018), mass confidential customer information was prominently available to be accessed without special authority. That means just about anyone could access over 60 million corporate users’ email addresses, street addresses, phone numbers, et al. This defect could have been responsible for an epic incidence of phishing, social-deception and fraud in multiple directions. At this time, the USPS claims the vulnerability has not been leveraged. Yet after nearly a year of exposure, it may be only a matter of time before the ramifications surface.

Other prominent examples include Air Canada, the Bank of Montreal, the Canadian Imperial Bank of Commerce, and Equifax. API testing would have prevented each and every incidence.

Mark Your APIs as Safe

According to all sources, API cyber abuses will be the most prominent cause of data breaches by 2022. Even though internet security has become one of the most important aspects of retail and E-commerce companies, API integration is often overlooked. In order to overcome these odds systems must be tested to allow chinks in the armor to be corrected. As technology advances, testing must remain a priority for all companies that want to maintain the highest standards in cybersecurity. Gain confidence in your API integrations by staying ahead of the looming threats that could temporarily (or permanently) cripple your business.

Our highly trained and experienced Orenda Security team specializes in application assessment and API testing, among all types of internet security. We can test your software to determine if it meets expectations for functionality, reliability, performance, and security. Gain peace of mind by preventing situations that can negatively affect your growing business. 

Contact us today at info@orendasecurity.com for a complimentary consultation and quote.


Business And Security

Securing API's for Business Applications

by Orenda Team


''Orenda has been a reliable partner for AMA and has helped us in our journey to develop and deliver secure applications to all of our AMA members. I recommend Orenda Security to other AAA and CAA clubs on the basis of a strong working relationship with AMA and an excellent track record of delivering technical expertise and high-quality assessments.”


Collin Moody
Chief Information Officer
Alberta Motor Association

Finding a reliable partner with a high degree of technical expertise is hard to find! Orenda Security was exactly what we were looking for. They help us improve the security posture of our product and application. I recommend Orenda Security to any security leader seeking reliable and robust security penetration testing services.

Kartik Agarwal
Chief Technology Officer
Concert Cloud Inc

<<<<<<< HEAD ======= <<<<<<< HEAD >>>>>>> 47541dc6525eb565834d0342a5c067d962b43950 ======= >>>>>>> 90df7e1e9b9cde02ad0dc387157d840c82b76c26