Application programming interfaces (APIs) are growing in prominence. As APIs increase beyond the range of manual control, organizations may face greater security challenges.
Here, we talk to Karl Mattson, Director, Security Technology Strategy at Akamai.
Security magazine: Tell us about your title and background.
Mattson: With over 25 years of experience in cybersecurity and technology leadership roles, I have had the privilege of leading teams across financial services, retail, and federal government sectors.
In July 2021, I joined Noname Security as CISO, where I helped establish a rigorous standard for operational and API security excellence and advocated for ongoing platform advancements based on our customers’ needs.
Today, I am the Director of Security Technology Strategy at Akamai (NASDAQ: AKAM), the cloud company that powers and protects life online, following Akamai's acquisition of Noname Security in June 2024. In my current role, I am responsible for leading Akamai strategy for its security portfolio, including new partnerships, products and alliances so that Akamai is continuously delivering innovation to our global customers.
Before joining Noname Security, I was the CISO at PennyMac Loan Services and City National Bank. Additionally, I served as Senior Vice President of IT Risk Management at PNC.
Security magazine: What are the greatest threats against APIs, and why is there a growing prevalence of API security threats and risks?
Mattson: APIs are everywhere. Any business with a mobile app or modern web apps (SPAs), using the cloud, undergoing digital transformation, integrating with business partners, running microservices, or using Kubernetes all use and operate with APIs.
When it comes to protecting APIs, the primary focus is on safeguarding the data transmitted through APIs. Recent cyber attack trends point to two primary threat drivers.
First, there's data theft, which can be misused and resold for various criminal purposes. This type of data theft can lead to significant financial and reputational damage for organizations. The second threat is ransom, where data stolen via an API is held for ransom with the threat of public exposure to sabotage, leak, or abuse your company’s data or image for financial gain.
As large language models (LLMs) become more prevalent, their reliance on APIs for embedding and integration with applications will grow. With systems becoming increasingly interconnected, securing the pipelines and APIs that connect software is crucial. The rise in API attacks means organizations using generative AI technologies face similar risks. To sustain trust, the industry must focus on implementing secure APIs and ensuring strong security practices for third-party transactions.
Security magazine: How have today’s modern enterprises come to rely on APIs?
Mattson: APIs serve as a universal connector for nearly all aspects of our digital life — web and mobile applications, B2B commerce, and our public cloud infrastructure behind the scenes. In every industry vertical, API-first digital strategies unlock new digital experiences for customers and employees, business revenue streams, and resource efficiencies.
Modern enterprises rely on APIs to meet shifting software user demands for more digital experience functionalities. For example, mobile app users want comprehensive information, such as checking the value of their home through their bank app or viewing their credit score along with their credit card details. As long as consumers seek enhanced digital experiences, APIs will remain the most efficient way to deliver these improvements.
Security magazine: How can organizations proactively protect against the increasing API attack surface?
Mattson: To proactively protect against the increasing API attack surface, organizations need to implement a comprehensive security strategy that considers and includes the following:
- Understanding the business logic and application workflows thoroughly
- Conducting thorough threat modeling to identify potential misuse cases
- Implementing robust API security measures and maintaining visibility of all APIs, including shadow APIs
- Employing advanced security solutions that can detect and prevent business logic abuse using behavioral analytics and AI
APIs are increasingly becoming both the front and back doors for attackers to breach a system, using API vulnerabilities to gain access and API traffic to exfiltrate data. To combat this abuse, organizations need to adopt a holistic security approach that continuously monitors APIs and learns and adapts to evolving API behaviors.
Security magazine: Anything else you would like to add?
Mattson: Today, the API security market is maturing quickly. If the past discussion was about the need for API security, today, the discussion is all about the how as the need is already well established. Data shows that web attacks against applications and APIs surged by 49% between Q1 2023 and Q1 2024, as more than 108 billion API attacks were recorded from January 2023 through June 2024.
Software code has come under attack in innovative and deeply troubling ways as APIs have become the critical pipeline in modern organizations. Because of this, we can expect to continue to see API hacking as a major threat vector. These attacks have altered the security landscape for both developers and their organizations, not to mention their suppliers, partners, and customers.