Demand for application programming interfaces (APIs) keeps increasing as they define companies' interaction with digital systems, applications, and services.
However, with the significant role of APIs in enterprise success come urgent security risks that organisations need to address immediately.
"As digital transformation accelerates, APIs are becoming a critical component of business operations, leading to increased exposure to security risks. The rapid adoption of AI applications is only compounding these issues, as AI apps are heavily dependent on APIs," said Mohan Veloo, CTO for APCJ at F5.
According to Palo Alto Networks, "because APIs work as the backend framework for systems and services, it's critical to secure APIs to protect the sensitive data they transfer — including access information, such as authentication, authorisation, input validation, and encryption."
In an exchange with FutureCIO, Veloo explained the ins and outs of API security in the Asia Pacific region and the AI/machine learning (AI/ML)-based approach to tackling it.
API security in APAC
Veloo said that even though API Security in APAC is rapidly evolving and gaining significant momentum, it remains complex and changing along with the acceleration of digital transformation, necessitating specialised solutions.
"APAC does have unique challenges compared to the rest of the world. The diverse technology landscape and maturity, varying levels of regulatory enforcement, and emerging security approaches create a distinct API security environment that requires tailored approaches vs. a one-size-fits-all," the F5 executive said.
F5's latest API Security in APAC report revealed two unique challenges to API security in APAC: Authentication and Server-Side Request Forgery (SSRF). Veloo explained that the widespread adoption of REST and RPC technologies and the high use of internal APIs cause these challenges.
"Broken authentication occurs when there are weaknesses in implementing authentication mechanisms that allow attackers to gain unauthorised access to systems, data, or functions. This critical security flaw compromises the system's integrity, exposing sensitive data and allowing malicious actions," he said.
Veloo also explained that SSRF "occurs when an attacker tricks a server into making unauthorised requests to internal or external systems on their behalf. This can lead to data exposure, unauthorised access to internal services, or even remote code execution."
He said SSRF has become more common among organisations in APAC due to their high adoption rate (61%) of internal APIs, which offer broader access to internal systems and resources.
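The SSRF pattern Veloo describes (a server tricked into making requests on a caller's behalf) is typically introduced by an endpoint that forwards a caller-supplied URL. The following added example, not code from F5 or the report, shows the unsafe shape beside a hardened outbound-URL check; the allowlisted hosts, the `resolver` parameter and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only destinations this API is permitted to fetch from.
ALLOWED_HOSTS = {"partner.example.com", "cdn.example.net"}
ALLOWED_SCHEMES = {"https"}


def fetch_unsafe(url: str) -> str:
    """The 'before' shape: forwards whatever URL the caller supplied.

    On an internal API this lets the caller steer the server at loopback,
    private-range or cloud metadata addresses. Stands in for an HTTP call;
    nothing is requested here."""
    return f"GET {url}"


def is_internal_address(ip: str) -> bool:
    """True for loopback, private, link-local, reserved or otherwise non-global addresses."""
    return not ipaddress.ip_address(ip).is_global


def validate_outbound_url(url: str, resolver=socket.gethostbyname) -> str:
    """Hardened check: scheme allowlist, no embedded credentials, host allowlist,
    and the address the request would actually reach must be a global one.
    Returns the normalised URL or raises ValueError with the reason."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        # 'https://partner.example.com@127.0.0.1/' parses the real host as 127.0.0.1
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    # Check the resolved address, not just the name: DNS can point an allowlisted name
    # at an internal address. The resolver is injectable so this runs offline in tests;
    # a production client should also connect to the address it validated (DNS rebinding).
    ip = resolver(host)
    if is_internal_address(ip):
        raise ValueError(f"{host} resolves to non-global address {ip}")
    return parts.geturl()


def is_allowed(url: str, resolver=socket.gethostbyname) -> bool:
    """Convenience wrapper returning a boolean verdict instead of raising."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```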
Priorities in the API security lifecycle
The same report revealed that the API security lifecycle for APAC organisations revolves around security testing, access control, and runtime protection.
"Security testing is essential for identifying and mitigating vulnerabilities in APIs before they can be exploited," Veloo explained.
He explained that this means testing regularly throughout the development lifecycle. Security testing strategies include automated security scans during the build process, code reviews, and penetration testing to simulate real-world attack scenarios.
On the other hand, proper access control involves implementing robust authentication mechanisms, enforcing role-based access controls, and using multifactor authentication to ensure that only authorised users and systems can access API endpoints.
"Additionally, ensuring that API keys and tokens are managed securely, with strict policies for expiration and rotation, is equally important," Veloo added.
"Runtime protection involves continuous monitoring of APIs to detect and block real-time threats, such as unauthorised access and data breaches," he continued.
Veloo said that APAC organisations focus on protecting data against leakage and tampering, and deploying advanced threat detection strategies, including ML-based traffic monitoring and automated policy generation.
AI/ML-based security approaches
"There's also a growing intersection between AI and APIs. AI-led automation opportunities—including auto-discovery, AI-enabled design, and even self-governing APIs—are set to streamline workflows in the development lifecycle," posits Jeremy Sindall, CEO and founder of digitalML, in his article for Forbes.
Veloo said APAC organisations could use AI and ML for real-time threat detection via anomaly detection and behavioral analysis.
"AI/ML algorithms can be trained on historical API usage data to recognise normal behaviour patterns. These models can then monitor real-time API traffic to detect anomalies that may indicate security threats, such as unusual access patterns, spikes in traffic, or unexpected data payloads," he said.
He added that organisations can quickly detect and respond to potential API misuse or attacks by identifying deviations from normal behaviour.
Moreover, Veloo posits that AI-driven behavioural analytics systems can enhance API security by monitoring and analysing user behaviour.
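The approach described above (learn normal behaviour from historical API usage, then flag deviations in live traffic) can be illustrated without any ML library: a per-client, per-endpoint baseline of request rate and payload size, and a scorer that raises the three kinds of anomaly Veloo names. This is an added example, not F5's or the report's code; the log records, client and endpoint names are constructed.

```python
import statistics
from collections import Counter, defaultdict

# Constructed baseline: ten minutes of client app-a calling /v1/orders 5-6 times a
# minute with 300-350 byte bodies. Records are (minute, client, endpoint, request_bytes).
HISTORY = [(m, "app-a", "/v1/orders", 300 + 10 * (i % 6))
           for m in range(10) for i in range(5 + (m % 2))]


def build_baseline(records):
    """Learn per-(client, endpoint) request-rate and payload-size statistics."""
    per_minute = defaultdict(Counter)   # (client, endpoint) -> {minute: request count}
    sizes = defaultdict(list)           # (client, endpoint) -> observed body sizes
    for minute, client, endpoint, nbytes in records:
        per_minute[(client, endpoint)][minute] += 1
        sizes[(client, endpoint)].append(nbytes)
    baseline = {}
    for key, counts in per_minute.items():
        rates = list(counts.values())
        baseline[key] = {"rate_mean": statistics.mean(rates),
                         "rate_sd": statistics.pstdev(rates),
                         "size_mean": statistics.mean(sizes[key]),
                         "size_sd": statistics.pstdev(sizes[key])}
    return baseline


def score_window(baseline, records, k=3.0):
    """Score one minute of live traffic against the baseline.

    Flags: a (client, endpoint) pair never seen in history (unusual access pattern),
    a request count more than k standard deviations above the learned rate (traffic
    spike), and a body more than k standard deviations above the learned size
    (unexpected payload). A floor of 1.0 on the deviation avoids alerting on tiny
    jitter when the baseline is almost constant."""
    alerts = []
    counts = Counter((c, e) for _, c, e, _ in records)
    for key, n in counts.items():
        b = baseline.get(key)
        if b is None:
            alerts.append(("unseen_endpoint", key))
        elif n > b["rate_mean"] + k * max(b["rate_sd"], 1.0):
            alerts.append(("rate_spike", key, n))
    for _, c, e, nbytes in records:
        b = baseline.get((c, e))
        if b and nbytes > b["size_mean"] + k * max(b["size_sd"], 1.0):
            alerts.append(("payload_outlier", (c, e), nbytes))
    return alerts
```

Alerts from such a scorer are a triage signal for runtime protection, not a verdict; a real deployment would also key the baseline by token or role and refresh it as traffic evolves.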
Speeding up adoption
In a race against time and more sophisticated attack strategies, Veloo posits that working with the right partner is the fastest way for APAC organisations to speed up their adoption of AI/ML technologies for API security, providing them with appropriate tools, technologies, and expertise.
"Organisations should opt for partners that have in-depth expertise in API security across the full API lifecycle and can offer comprehensive solutions that leverage AI/ML technologies for greater efficiency and efficacy – such as security platforms that provide AI-powered advanced threat detection and automated API discovery."
Empowering IT/security teams
Veloo underscored the importance of upskilling IT and security teams so that they can effectively use various AI/ML tools to secure APIs.
"Organisations can look to provide targeted training in relevant courses such as data science, AI/ML algorithms, and their applications in cybersecurity. Implementing small pilot projects focusing on specific API security challenges, such as anomaly detection or behavioural analytics, to demonstrate the effectiveness of AI/ML solutions can build confidence and justify broader adoption across the organisation," he said.
Though the skills required are different, Veloo recommends that organisations focus on critical areas such as building a solid understanding of AI/ML concepts, models, and tools; developing data science skills; and deepening cybersecurity expertise.
Aside from those skills, he said it is also vital to know how to deploy and integrate AI/ML models into existing security infrastructures, as well as to monitor them continuously and maintain the models.
"IT teams need to foster collaboration across other teams in the organisation to maintain a strong understanding of ethical AI use and regulatory compliance," he said.