Unprotected APIs: How software development teams can support data privacy compliance

The term API, or application programming interface, is a method where systems and applications communicate with each other by sending predetermined parameters in a request and receiving responses in a predetermined format. APIs can serve as integration layers and be used by different systems and solution providers to exchange information between them allowing companies to share and receive their data to external third-party developers, business partners and internal departments.

This article is relevant for Software Engineers, Developers, Agilists, Project Managers, Security and IT managers.

While APIs can foster innovation and simplify development processes, flaws in the design of the infrastructure and the software itself can lead to an inadvertent data leak or make unnecessary information available to third parties which are not required to a given process, harming the data minimization concepts.

Much has been publicized in recent days about the importance of API security for ensuring data privacy and information security. As more companies implement APIs, flaws in design can lead to increased data leaks and misuse of information. Recent studies from Traceable and the Ponemon Institute revealed that within the last two years, 60% of organizations surveyed in the U.S. and Europe reported at least one breach. The most concerning issue is that it seems that default market solutions — like web application firewalls or API gateways — don’t seem to handle all kinds of attacks and should not be relied on blindly by technology teams as a single effective security measure.

The State of API Security Report Q1 2023 from SALT Security goes even further, indicating a 400% increase in attacks among its clients where 31% experienced a sensitive data exposure and 17% suffered a data breach resulting from API security gaps.

How can tech teams improve data privacy and security postures?

First, create visibility. Establish a governance model focused on APIs, similar to governance models for IT, data management, lineage and processes. API governance will help a company understand its API ecosystem and ensure that each is tracked, updated and running through a proper business justification.

An organization can “bridge” parts of API governance to record of processing activities documentation. The APIs should be mapped and actively maintained. The governance program must give an understanding of what data is coming in and out, a business justification for its existence and who or which systems are actively using it. Outdated APIs or those no longer in use, should be discontinued as soon as possible.

Second, tech teams should incorporate API security techniques as part of their development processes. Simple industry-recognized guidelines such as the OWASP Top 10 API Security Risks – 2023 are a great starting point and help developers avoid reinventing the wheel when assessing their software assets. Learning from the lessons of others is a great method to help prevent similar issues. In parallel, developers must be thoughtful on authentication and encryption, ensuring that only the appropriate users have access to the APIs, don’t expose more data than necessary, and all traffic is properly encrypted end-to-end. The SALT Security report also found that 78% of the attacks come from authenticated users. This is why it is important to consider access controls, API responses, and error handling, even for internal APIs.

Tech teams must act as true consultants to the business and not perform their duties just as doers. Tech team members have the expertise to recommend the proper tools, technical needs, postures, approaches, etc., to safeguard the business. It is the responsibility of tech professionals to develop solutions that meet both business and technical needs (architecture, design, quality, performance, security and data privacy).

How can DPOs help development teams build and maintain secure software solutions?

A data protection officer, even a non-IT one, can play a fundamental role in software development processes. DPOs work closely with tech and development teams to foster the identification of the relevant best practices in their sector and support the incorporation of those practices along with continuous improvement into the development processes.

In cooperation with tech teams, a DPO can also help identify, summarize and prioritize relevant risks of IT security and privacy, which helps organizations to define roadmaps to remediate (or mitigate) issues and improve postures. They can make the push for tech teams to start using tools to monitor and assess potential vulnerabilities so organizations can respond to threats in a faster and more organized way throughout the entire software development life cycle — even before the threat materializes.

The closeness between tech/development teams and the DPO is also paramount for organizations that adopt agile frameworks. As organizations deliver new functionalities and enhancements in a faster, cadenced timeframe, the reviews of those implementations must be done in an equivalent setting. DPOs must work with project and product teams to incorporate data privacy and security on each requirement and review the outcomes frequently.

Finally, but not less important, DPOs must work with tech teams to share knowledge and organize specific data privacy training to disseminate the concepts of the applicable privacy laws and regulations and the individual’s responsibilities to ensure an organization acts according to its principles.

While executing, DPOs can add value to their organizations by taking a proactive role in safeguarding a company’s businesses; failing to do so can generate severe financial impacts to organizations. According to a study run by the Marsh McLennan Cyber Risk Analytics Center and Imperva published mid-2022, the losses caused by API insecurity can result in USD41-75 billion annually.

By acting proactively, DPOs are helping companies to allocate their funds wisely and to create better products for clients, enterprises and, at the end of the day, the society.