Securing all your APIs is difficult. It is even more complicated when your keys and tokens are exposed unintentionally in real-world settings, from APIs to frontends. Your organization is then exposed to data breaches and severe financial consequences.
E Com Security Solutions' study reveals that API secret sprawl extends across various websites, industries, and domain types. Even modern tech industries are not exempt. This highlights the real and present danger for every organization and the necessity of thoroughly testing applications before and after deployment. Moreover, we have identified emerging trends, such as the security demands of AI-driven projects and the risks associated with consolidating code into single JavaScript files. These findings suggest that the threat of API secret sprawl may escalate alongside the growth and complexity of new technologies. Organizations must respond quickly, adopting best practices for risk mitigation and integrating continuous, automated testing of their applications. In addition, the organization's security posture must ensure compliance with standards like HIPAA, GDPR, and PCI DSS.
Recommendations for mitigating risks
This extensive exposure of API secrets underscores a critical security issue. Immediate, strategic actions are necessary. Businesses must acknowledge the gravity of secret sprawl and implement rigorous measures to counter it. Here are the essential steps to mitigate these risks:
- Centralize Token Management: Centralizing token management enables secure storage, access, and rotation. Consolidating all tokens in one location allows you to monitor their usage comprehensively and identify potential vulnerabilities in your system.
- Rotate Tokens Regularly: Regularly rotating tokens mitigates the risk of compromise. For instance, AWS Secrets Manager supports the automated rotation of secrets.
- Assign Tokens to Specific Teams or Services: Assigning each token to a specific team or service ensures that only the personnel or services that need it can access it.
- Create a Revocation Process: Establish a clear revocation process so that tokens can be revoked promptly in case of compromise.
- Grant Correct Permissions: Grant only the necessary permissions for each token to minimize potential damage.
- Limit Token Scope: Restrict the access scope of each token within your system.
- Monitor Usage Patterns: Keep a vigilant eye on how tokens are used to identify any unusual activity.
- Educate Your Internal Teams: Ensure all team members understand the importance of token security and adhere to best practices. These measures protect your API tokens and maintain secure and compliant systems.
- Employ Automated Continuous Attack Surface Testing (CAST): Leveraging automated tools for continuous attack surface testing is crucial for maintaining system security. These tools constantly check for security risks, including issues in APIs, websites, and other online components. CAST operates independently, identifying hidden mistakes or leaks that may go unnoticed by system administrators. When a problem is detected, CAST facilitates quick resolution, instilling trust and ensuring smooth and secure operations. Without continuous attack surface testing, monitoring the entire system is challenging, leaving it susceptible to unnoticed vulnerabilities. CAST distinguishes safe areas from potentially problematic ones, eliminating weak spots and enhancing overall system security.
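The kind of post-deployment check the list above calls for, applied to the "single JavaScript file" risk mentioned earlier, as an added example that is not code from the original page or from E Com Security Solutions: a small scanner that looks for leaked credentials in a built frontend bundle. The bundle content, the `cfg` object and all key values are constructed for this example; the `AKIA` prefix and 20-character length of AWS access key IDs are documented by AWS, and the rule names, entropy threshold and `redact` helper are this example's own choices.

```python
import math
import re
from collections import Counter

# Constructed sample: a fragment of a consolidated frontend bundle into which
# configuration was inlined at build time. Every value here is fabricated;
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE_BUNDLE = (
    'const cfg={apiBase:"https://api.example.test/v1",'
    'awsKey:"AKIAIOSFODNN7EXAMPLE",'
    'apiToken:"sk_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c",'
    'placeholderToken:"xxxxxxxxxxxxxxxxxxxx",'
    'theme:"dark",version:"1.4.2"};'
)

# (regex, entropy_gated): a vendor-specific shape is a strong signal on its own;
# the generic "name = value" rule needs an entropy gate to cut false positives.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    "generic_secret_assignment": (re.compile(
        r'(?i)(?:api[_-]?key|token|secret|password)\s*[:=]\s*["\']([^"\']{16,})["\']'
    ), True),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys land well above 3, filler text below."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def redact(secret: str) -> str:
    """Keep enough to locate the value without re-exposing it in a report."""
    return secret[:4] + "*" * (len(secret) - 4)

def find_secrets(text: str, min_entropy: float = 3.0):
    """Return (rule, redacted_value, entropy) for each likely leaked secret."""
    findings = []
    for rule, (rx, gated) in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            ent = round(shannon_entropy(value), 2)
            if gated and ent < min_entropy:
                continue  # e.g. "xxxxxxxx" placeholders have entropy 0
            findings.append((rule, redact(value), ent))
    return findings

if __name__ == "__main__":
    for rule, value, ent in find_secrets(SAMPLE_BUNDLE):
        print(f"{rule:28} {value} (entropy {ent})")
```

Running it on the sample reports the AWS key ID and the `sk_live_` token but drops the all-`x` placeholder, which is the false-positive case the entropy gate exists for; a real deployment would run the same check against the served bundles in a CI step and on a schedule.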
E Com Security Solutions’ Application Security offering helps organisations with cyber capabilities and solutions focused on the security and resilience of enterprise applications. This includes embedding security, controls and resilience as a part of the system development lifecycle from requirements to ongoing maintenance. The scope of applications includes large enterprise software packages, customized enterprise applications, and consumer-facing applications. We assist clients with governance, culture and skills to embed security into development processes, including agile or waterfall, and provide methods and tools to build and test application security (threat modelling, design review, application controls, pen testing, SAST, DAST, etc.), and the integration of toolchains for software developers.