API implementation flaws in an enterprise can lead to posture problems. Most common among them include shadow endpoints, unauthenticated resource access, sensitive data in a URL, a permissive cross-origin resource sharing (CORS) policy, and excessive client errors.

Runtime problems, on the other hand, are active threats demanding immediate action. These include unauthenticated resource access attempts, API activity with unusual JSON payloads, path parameter fuzzing attempts, illogical API timestamps, geolocation, or sequence, and data scraping. 

Recommendations for threat mitigation

Adopting a comprehensive API security program provides organizations with unparalleled visibility across their digital ecosystem. This includes discovering all APIs within the organization, auditing their risk levels, detecting abnormal behaviors indicative of abuse, and enabling expert-led investigations to hunt for hidden threats.

Such a layered approach is crucial for identifying vulnerabilities and safeguarding against potential breaches, ensuring a robust defense in the face of evolving cyberthreats.

“This includes putting all APIs behind security controls and having automated responses to mitigate attacks or to alert the security operations team,” the report said. “Next, practicing shift-left testing during development can address these vulnerabilities and weaknesses at the onset, before attackers can exploit them. Finally, you need to run exercises to validate both preventive measures and crisis response.”

Akamai has also advised adherence to select regulations to enhance API security. While specific laws governing APIs may be limited, certain frameworks are worth considering. These include the General Data Protection Regulation (GDPR), the newly updated Payment Card Industry Data Security Standard (PCI DSS) version 4.0, and the guidelines established by the American National Standards Institute (ANSI).