They Fought the Law (And The Law Won) - API Security, Regulatory Compliance, And Avoiding Massive Fines

Against a backdrop of increasing regulation, oversight and enforcement, now is the time to invest in protecting your APIs.


API Security - Cost or Benefit

One of the big struggles for any API security advocate has been the reality of API security often being seen as a “cost.” When looking at an API product from the top-down, it’s easy to treat security as a blocker and an expense – security postures get in the way of flashy development and new iteration, and more often than not, the security-minded person is the one in the room saying “no” to the “cool” idea.

This has been a long-term struggle – and this is doubly so in the user and data-heavy world of modern web applications and the APIs that drive them. When those at the top look at their long-term plans, security tends to be seen as a hurdle that must be overcome, and when tightness occurs due to budget, market conditions, or time restrictions, security often falls victim to reduced bandwidth, increased scope, etc.

Huge Issues from Micro Views

This is a big issue for two main reasons. First and foremost, this view treats security posture as an “after the fact” addition – something done to keep the “real product” safe. In reality, security should be baked into the design of the initial offering; treating it as an external problem is what gets products in trouble. When you don’t develop with security in mind, you are that much more exposed to pitfalls.

The second huge issue here is that cost is rarely balanced in the perspective of short-term vs. long-term.

The reality is that failing to invest in a proven API security posture might save you dollars in the short-term, but can cost millions in the long-term.

While the balance sheet might show a small savings by trying to do everything in-house or even adopting a “minimum viable posture” approach, the long-term ramifications of poor security could threaten the very survival of your business.

Fighting Perspectives

This is all a matter of perspective – and changing that perspective requires some background. The reality is that this point of view is short-sighted and incredibly dangerous – in fact, a strong argument could be made that the consideration of security solely as a “cost center” is one of the greatest shortcomings of many organizations.

Let’s look at the facts:

  • By and large, APIs are getting breached more than ever. According to one report, 74% of API organizations report at least 3 API-related data breaches in the past 2 years. Sound bad? It gets worse. 40% reported five or more data breaches, and 11% reported over seven. The fact is that attacks are happening – and they’re not going away.
  • These attacks are varied, with many targeting shadow APIs and the vulnerabilities they hide. According to one report, a test using machine-learning based API discovery detected 30.7% more API endpoints than were documented or self-reported by providers. That means almost ⅓ of all endpoints were not inventoried, detected, or secured – and this is not an uncommon result.
  • Many of the most persistent vulnerabilities in APIs are easy to fix – they just aren’t detected because they aren’t prioritized. According to one report, 40% of surveyed organizations reported that their builds were often deployed to production with active vulnerabilities, security issues, misconfigurations, exposed endpoints, and more. Worryingly, these issues aren’t difficult to fix – they just aren’t prioritized when security is presented simply as a “cost.”
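The inventory gap described in the second bullet is something you can measure in your own environment. The following is an added example, not FireTail's code or the report's methodology: it matches request paths from constructed gateway access-log lines against a constructed OpenAPI-style path inventory and reports which method/path pairs no documented entry covers, which is the raw material behind a "shadow endpoints" figure like the one above.

```python
"""Shadow-API gap check: access-log paths vs. documented inventory. Added example; all data constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed inventory: path templates as they would appear under an OpenAPI "paths" key.
DOCUMENTED_PATHS = ["/v1/users/{userId}", "/v1/users/{userId}/orders", "/v1/orders/{orderId}"]

# Constructed gateway-style access-log lines: method, request target, status.
SAMPLE_LOG = """\
GET /v1/users/1001 200
GET /v1/users/1001/orders?page=2 200
GET /v1/orders/55 200
GET /v1/internal/export?all=true 200
POST /v1/admin/users 201
GET /v1/users/1002 200
DELETE /v1/debug/cache 200
"""

def template_to_regex(template):
    """Compile '/v1/users/{userId}' so each {param} matches exactly one path segment."""
    parts = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "/?$")

def parse_log(log_text):
    """Yield (method, path) per line; query strings are dropped because inventories key on path."""
    for line in log_text.splitlines():
        if line.strip():
            method, target, _status = line.split()
            yield method, urlsplit(target).path

def find_shadow_endpoints(log_text, documented):
    """Bucket traffic into documented templates vs. undocumented (shadow) method+path pairs."""
    patterns = {t: template_to_regex(t) for t in documented}
    documented_hits, shadow_hits = Counter(), Counter()
    for method, path in parse_log(log_text):
        template = next((t for t, p in patterns.items() if p.match(path)), None)
        if template:
            documented_hits[template] += 1
        else:
            shadow_hits[(method, path)] += 1
    observed = len(documented_hits) + len(shadow_hits)
    return {
        "documented": dict(documented_hits),
        "shadow": dict(shadow_hits),
        # Share of distinct observed endpoints that no inventory entry covers.
        "shadow_share_pct": round(100 * len(shadow_hits) / observed, 1) if observed else 0.0,
    }
```

Running `find_shadow_endpoints(SAMPLE_LOG, DOCUMENTED_PATHS)` on the constructed data flags the `internal`, `admin` and `debug` routes as undocumented, half of the distinct endpoints actually serving traffic; in practice the inventory comes from your real spec and the log from your gateway.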

Regulatory Compliance - A Brief History for APIs

The cost of poor API security doesn’t just present itself in direct exposure – there are significant regulatory costs that can be existential in nature. Because APIs are ubiquitous across so many industries, the space often has complex regulatory environments – additionally, data privacy-specific regulations have sharply increased due to a lack of self-policing by organizations in the early 2000s.

Accordingly, APIs are now surrounded by a litany of protective systems. In Europe, the GDPR, or General Data Protection Regulation, was developed to ensure that European citizens could trust services to protect their data – and when this protection failed, massive fines and legal implications would ensure that future organizations would take the protection of data more seriously.

In part inspired by the GDPR, the United States would see regional policies such as the CCPA, or California Consumer Privacy Act, come into force. While US policies like the CCPA were not as strong as the GDPR, they still offered copious avenues of punitive regulatory fees and measures to ensure that organizations had a financial incentive to secure the data of their users.

With so many systems in play, there has never been more scrutiny on businesses to do the right thing.

How impactful are these policies? Let’s take a look at some examples.

Regulatory Fines in Practice

Meta

In 2022, the Irish Data Protection Commission issued a historic fine to Meta to the tune of €17 million. The fine resulted from a series of data breaches through several Meta platforms and APIs which allowed attackers to scrape data, steal user tokens, and access information on user profiles without alerting the users to the exfiltration. Additional fines have since been levied, with the largest adding up to €265 million following data collection practices exposed during these and other parallel investigations.

Google

In 2023, California Attorney General Rob Bonta announced a $93 Million USD settlement with Google concerning its violations of the CCPA and other privacy regulations in the way Google collected, stored, and used location data. As part of the settlement, in addition to the hefty fine, Google agreed to terms that prohibit it from engaging in the same conduct in the future, removing the possibility of using these systems – with informed consent from users – as a revenue source.

Bottom Line

The simple conclusion is this – failing to adequately invest in a proper security posture is not just a bad idea. It’s a potentially existentially damaging one. A poor security posture can result in regulatory fines, loss of trust from users, and much more. With such a huge potential regulatory and reputational cost hanging over organizations’ heads, finding the right partner to trust and execute effectively is not a cost-driver – it is actually the best investment you can make.

FireTail is a proven solution that can help you reach a solid security posture quickly, affordably, and effectively. FireTail has several key features that can help you prevent data breaches and secure your systems, including:

  • API Alerting & Monitoring – Stay ahead of threats with powerful alert systems. Use custom parameters to reduce alert fatigue while ensuring you have a top-down view of your entire ecosystem.
  • API Security Posture Management – Use FireTail’s world-class dashboard to gain a comprehensive view of your API security posture and accelerate your approach to mitigate vulnerabilities quickly.
  • API Audit Trail – FireTail’s comprehensive logging system allows you to create a single cloud-based audit trail for testing, breach detection, and incident response.
  • API Inventory Management – Use powerful inventory features to discover, track, and manage APIs. No more shadow APIs, and no more hidden vulnerabilities!
  • Seamless API Visibility with FireTail's Agentless Integration – Adopt seamless integration across vendors, solutions, and implementations, including support for logging behind AWS’s native API Gateway.
  • Effortless Deployment and Enhanced API Security – Leverage FireTail’s platform, utilizing open-source, common standards and frameworks to deliver better modern applications at scale.

Investing in API security is an investment that will pay massive dividends. Choosing the right partner is key to this process. If you’d like to see how FireTail can solve your security woes, set up a free demo today!