Application programming interfaces (APIs) have become indispensable to the modern enterprise. They're the glue that allows organizations to connect their partners and customers — and the go-to tool that empowers developers to produce innovative applications quickly and efficiently.
However, APIs have also provided threat actors with a new attack surface, and that has significant consequences for managing software supply chain risk. The latest API security report, The API Security Disconnect 2023, released by Noname Security in September, found that API attacks were escalating, with nearly eight in 10 organizations (78%) having experienced a security incident in the last 12 months. More than half of incidents (51%) resulted in the loss of customer goodwill and accounts.
APIs are an essential component of the software supply chain, which means that securing APIs is critical in hardening software supply chains from attack, said Joey Stanford, head of global security and privacy at Platform.sh.
Joey Stanford: "APIs are becoming more important and influential in supply chain security, as they enable data sharing, integration, and automation across different systems, partners, and processes. However, APIs also introduce new challenges and risks, such as unauthorized access, injection attacks, impersonation attacks, or dependency vulnerabilities."
Here are five reasons why API security is critical to a mature software supply chain security approach — and key advances needed to move API security forward.
When you develop an API, you typically rely on various third-party packages and libraries. These packages are distributed via package managers and depend on APIs for version control, updates, and distribution. That means a single vulnerability in any of these components can compromise supply chain security, said Scott Gerlach, co-founder and CSO of StackHawk.
Scott Gerlach: "In short, you can't build an API without the supply chain, and you can't use supply chain packages without an API. That's why it's important for organizations to continuously monitor the third-party packages they rely on to build APIs, keep them up to date, and rigorously test them for vulnerabilities like the OWASP Top 10."
Data transmitted through an API, if not properly secured with techniques such as cryptography, can be stolen, modified, or removed to interrupt services downstream, said Michael J. Mehlberg, CEO of Dark Sky Technology.
Michael J. Mehlberg: "API data can contain sensitive information such as credit card numbers, personally identifiable information, or even proprietary information and code. If this information's integrity or confidentiality cannot be guaranteed, services downstream in the software supply chain can be disrupted."
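To make the integrity point concrete, here is an added example (not code from the article or from Dark Sky Technology) of protecting an API message between a producer and a downstream consumer: the sender computes an HMAC over the method, path, a timestamp and a hash of the body, and the receiver recomputes it, compares in constant time, and rejects stale or replayed messages. The shared key, the header names and the 300-second freshness window are assumptions; the order payload is constructed.

```python
import hashlib
import hmac
import json
import time

# Assumption: key shared out of band between the API producer and consumer.
SHARED_KEY = b"example-shared-secret-rotate-me"
# Assumption: how far a message's timestamp may drift from the receiver's clock.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, body):
    # Binding method and path into the MAC means a signature captured for one
    # endpoint cannot be replayed against another; hashing the body keeps the
    # signed string fixed-size regardless of payload length.
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(key, method, path, body, timestamp=None):
    """Producer side: returns the headers to attach to the outgoing request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(key, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": mac}


class Verifier:
    """Consumer side: rejects altered, stale and replayed messages."""

    def __init__(self, key, now=None):
        self.key = key
        self.now = now or (lambda: int(time.time()))
        # Signatures accepted inside the freshness window; a production service
        # would prune entries older than MAX_SKEW_SECONDS.
        self.seen = set()

    def verify(self, method, path, body, headers):
        try:
            ts = int(headers["X-Timestamp"])
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        if abs(self.now() - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside freshness window"
        expected = hmac.new(self.key, canonical_string(method, path, ts, body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == leaks how many leading bytes matched.
        if not hmac.compare_digest(expected, presented):
            return False, "signature mismatch (method, path or body altered)"
        if (ts, presented) in self.seen:
            return False, "replayed message"
        self.seen.add((ts, presented))
        return True, "ok"


def demo():
    """Runs the genuine, tampered, wrong-path, replayed and stale cases; returns the verdicts."""
    fixed_now = 1_700_000_000
    verifier = Verifier(SHARED_KEY, now=lambda: fixed_now)
    body = json.dumps({"order_id": 42, "amount": 10}).encode()  # constructed payload
    headers = sign_request(SHARED_KEY, "POST", "/v1/orders", body, timestamp=fixed_now)
    tampered = json.dumps({"order_id": 42, "amount": 1000}).encode()
    return {
        "genuine": verifier.verify("POST", "/v1/orders", body, headers),
        "tampered_body": verifier.verify("POST", "/v1/orders", tampered, headers),
        "other_path": verifier.verify("POST", "/v1/refunds", body, headers),
        "replay": verifier.verify("POST", "/v1/orders", body, headers),
        "stale": Verifier(SHARED_KEY, now=lambda: fixed_now + 3600)
                 .verify("POST", "/v1/orders", body, headers),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:14} accepted={accepted} ({reason})")
```

A shared-key MAC only proves the message came from someone holding the key, so it suits a fixed producer/consumer pair; where many consumers must verify a single producer, an asymmetric signature over the same canonical string avoids distributing the secret to every verifier.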
Applications and software are not self-contained entities. APIs allow access to functionality and data that otherwise would not be available to development teams, said Matt Rose, field CISO for ReversingLabs.
Matt Rose: "The problem is that you must trust the APIs that you are leveraging but not maintaining, so the software supply chain risk landscape is much larger than just a single self-contained application. Even if your application is free of supply chain risk, the application you are connecting to via API may be compromised with malware."
Unauthorized access to an API can be used to compromise a supply chain by allowing an attacker to execute commands, manipulate data, or steal information from the API provider or consumer, Platform.sh's Stanford said. For example, unauthorized access to an API can be used to exfiltrate sensitive data from cloud services such as credentials, tokens, keys, configuration files, or personal information.
Joey Stanford: "That's how the Accellion FTA supply chain attack was carried out. The attackers used unauthorized access to the Accellion FTA API to download confidential files from the cloud storage."
Unauthorized access can also be used to bypass security controls and policies via an API that enforces security controls and policies. That's how a vulnerability in the SolarWinds Serv-U FTP server was exploited, Stanford said: "The attackers used unauthorized access to the Serv-U API to execute commands on the server."
Dark Sky's Mehlberg stressed the downstream effect on the supply chain.
Michael J. Mehlberg: "If the API is used to transmit code that will be run downstream on other platforms or systems in the supply chain, an unauthorized user could compromise downstream systems and software with malicious code."
An attacker could leverage one or more vulnerabilities to gain unauthorized access to an API, allowing the integrity or confidentiality of the data received and transmitted through the API to be compromised, Mehlberg said.
Michael J. Mehlberg: "A vulnerability may give the attacker access to the API, as an authorized user or software application would have access. It would allow them to masquerade as a valid endpoint and bypass normal security checks or leverage trust in the API to perform malicious actions."
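Stanford and Mehlberg describe unauthorized access in general terms. The following added example (not code from the article or from any of the companies quoted) shows the most common concrete form of it in an API: a route that authenticates the caller but never checks that the caller owns the object it asks for, so a legitimately authenticated user can read every other customer's record by iterating IDs, next to a hardened version of the same route. The invoice store, the bearer-token table and the route shape are constructed for illustration.

```python
# Constructed data: invoice records with their owners, and bearer tokens mapped
# to the users they authenticate. A real service would use a database and an
# identity provider; these shapes are assumptions for the example.
INVOICES = {
    101: {"owner": "alice", "total": 120.00, "card_last4": "4242"},
    102: {"owner": "bob", "total": 75.50, "card_last4": "1111"},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """Caller could not be authenticated (HTTP 401)."""


class NotFound(Exception):
    """Object absent or not visible to this caller (HTTP 404)."""


def authenticate(headers):
    """Maps a bearer token to a user name; raises if the token is unknown."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        raise Unauthorized("missing or invalid bearer token")
    return TOKENS[token]


def get_invoice_vulnerable(headers, invoice_id):
    # Authenticates the caller but never checks ownership, so any valid token
    # can read any invoice by iterating IDs (OWASP API Top 10: broken object
    # level authorization). It also returns the raw record, card digits included.
    authenticate(headers)
    return INVOICES[invoice_id]


def get_invoice_hardened(headers, invoice_id):
    user = authenticate(headers)
    invoice = INVOICES.get(invoice_id)
    # Same 404 for "does not exist" and "belongs to someone else": a distinct
    # 403 would let an attacker confirm which IDs are valid.
    if invoice is None or invoice["owner"] != user:
        raise NotFound("invoice not found")
    # Explicit response model: only the fields this endpoint is meant to expose.
    return {"invoice_id": invoice_id, "total": invoice["total"]}


def call(handler, headers, invoice_id):
    """Tiny dispatcher that turns a handler's outcome into (status, body)."""
    try:
        return 200, handler(headers, invoice_id)
    except Unauthorized as exc:
        return 401, {"error": str(exc)}
    except (NotFound, KeyError):
        return 404, {"error": "invoice not found"}


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    alice = {"Authorization": "Bearer tok-alice"}
    print("vulnerable, bob asks for 101:", call(get_invoice_vulnerable, bob, 101))
    print("hardened,   bob asks for 101:", call(get_invoice_hardened, bob, 101))
    print("hardened, alice asks for 101:", call(get_invoice_hardened, alice, 101))
```

The same ownership check belongs on every verb that takes an object ID (update and delete as well as read), and the check should key on the principal the token proves rather than on any user ID the client supplies in the request.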
However, managing and being aware of increasing numbers of APIs is a daunting task, said Robert Hurlbut, principal application security architect at Aquia.
Robert Hurlbut: "The more APIs an organization is not aware they are hosting, the more likely supply chain vulnerabilities will occur through APIs that are unpatched because they're unknown."
ReversingLabs' Rose said rogue APIs are a direct threat to software supply chains.
Matt Rose: "If you don't take into account the risks of unknown APIs you are wide open to potential attacks."
The problem can be aggravated in mobile apps, said Krishna Vishnubhotla, vice president of product strategy at Zimperium. "Due to the attack surface that the mobile app client exposes, securing APIs is insufficient."
Krishna Vishnubhotla: "API security solutions primarily target the pipe that transmits data but overlook vulnerabilities inside mobile applications. Mobile apps are vulnerable to reverse engineering, which allows threat actors to see APIs and exfiltrate API keys. Due to the fact that a mobile device can easily spoof an identity, API security measures can be easily bypassed."
OpenAPI, the specification for describing HTTP APIs, gives developers some guidance on security. Platform.sh's Stanford said security is an important aspect of API design and implementation, "and the OpenAPI specification provides several options and features to describe and enforce security for HTTP APIs."
Joey Stanford: "However, the security provisions in the OpenAPI specification are not exhaustive or prescriptive, and they depend on the choices and implementations of the API developers and consumers. The OpenAPI specification is a useful tool for documenting and communicating API security, but it is not a substitute for proper security design and testing."
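As an added example that draws on both Hurlbut's point about unknown APIs and Stanford's about OpenAPI (not code from the article or from Aquia or Platform.sh), the script below runs two checks against an OpenAPI 3 document. First it lists operations whose effective security requirement is empty, applying the specification's rule that an operation-level security field overrides the document-level default and that an empty list removes it. Then it compares the documented method and path templates against endpoints seen in gateway access logs, which is one practical way to surface APIs an organization is hosting without knowing it. The spec fragment and the log lines are constructed.

```python
import re

# Constructed OpenAPI 3 document, as the dict a YAML or JSON loader would return.
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}
        }
    },
    # Document-level default applied to every operation that does not override it.
    "security": [{"bearerAuth": []}],
    "paths": {
        "/v1/orders": {"get": {}, "post": {}},
        # An empty operation-level list removes the default: this DELETE is open.
        "/v1/orders/{orderId}": {"get": {}, "delete": {"security": []}},
        # Unauthenticated by design; the check still reports it so a human decides.
        "/v1/health": {"get": {"security": []}},
    },
}

# Constructed gateway access-log lines: "<method> <path> <status>".
ACCESS_LOG = """\
GET /v1/orders 200
GET /v1/orders/1001 200
DELETE /v1/orders/1001 204
GET /v1/health 200
POST /v1/internal/export 200
GET /v2/orders 200
GET /v1/orders/1002/notes 200
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def template_to_regex(path_template):
    """'/v1/orders/{orderId}' -> regex matching '/v1/orders/<exactly one segment>'."""
    parts = re.split(r"(\{[^/}]+\})", path_template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def operations(spec):
    """Yields (METHOD, path, operation object) for every HTTP operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield method.upper(), path, op


def unsecured_operations(spec):
    """Operations whose effective security requirement is empty."""
    default = spec.get("security", [])
    findings = []
    for method, path, op in operations(spec):
        # Operation-level 'security' overrides the document default; [] opts out.
        if not op.get("security", default):
            findings.append(f"{method} {path}")
    return sorted(findings)


def undocumented_endpoints(spec, log_text):
    """Requests in the log that match no documented method + path template."""
    documented = [(m, template_to_regex(p)) for m, p, _ in operations(spec)]
    unknown = []
    for line in log_text.splitlines():
        method, path, _status = line.split()
        if not any(m == method and rx.match(path) for m, rx in documented):
            unknown.append(f"{method} {path}")
    return unknown


if __name__ == "__main__":
    print("operations with no security requirement:", unsecured_operations(SPEC))
    print("endpoints seen in traffic but absent from the spec:",
          undocumented_endpoints(SPEC, ACCESS_LOG))
```

Both checks are only as good as their inputs: the spec check finds operations that declare no security but cannot tell whether the server actually enforces the declared scheme, and the log comparison only sees traffic that passed through the gateway, so services reachable by another route still need network-level discovery.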
Stanford said he foresees several areas in which API security needs to advance to keep up with the growing risk of supply chain attacks:
As APIs become more essential for connecting modern software systems and enabling innovation, they are also highlighting a weak link in your organization's supply chain security that needs to be singled out and secured.
Matt Rose: "If you are just looking for risk in the supply chain for the applications you are either consuming or creating, you are not taking into account the risks that APIs introduce."