Understanding API Security: Insights from GoDaddy’s FTC Settlement

APIs (application programming interfaces) have quickly become the backbone of modern digital ecosystems, enabling seamless integration and data exchange across various platforms and services. While they drive innovation and operational efficiency, they also introduce significant security and privacy risks by creating a vast and often poorly understood attack surface, exposing sensitive data and core business logic directly to potential threats.

The recent settlement between the Federal Trade Commission (FTC) and GoDaddy underscores the critical need for robust API security measures. This case illustrates API security is not merely a technical concern but a legal obligation.

GoDaddy’s API Security Failures

The FTC’s action against GoDaddy stemmed from the company’s inadequate security practices, which led to multiple data breaches from 2019 to 2022. These breaches exposed sensitive customer data, including usernames, passwords, and employee credentials. The FTC’s investigation highlighted several key API security deficiencies:

• Lack of Strong Authentication: GoDaddy did not implement multi-factor authentication (MFA) and encryption, leaving customer data vulnerable. Without MFA and robust checks against credential stuffing, attackers could easily exploit stolen or weak credentials to access user accounts. Even with authentication, attackers can abuse authenticated sessions if the underlying API authorization is flawed.
• Poor API Monitoring: The absence of rate-limiting, logging, and anomaly detection allowed unauthorized access to 1.2 million customer records. More critically, this lack of deep inspection meant an inability to baseline normal API behavior and detect subtle reconnaissance or the exploitation of unique business logic flaws – attacks that often bypass traditional signature-based tools. Effective monitoring could have identified unusual activity patterns and prevented these breaches. Furthermore, without comprehensive API discovery, GoDaddy likely had “shadow” or “zombie” APIs operating without oversight, representing unmanaged risk
• Inadequate Access Controls: The exposure of admin credentials and encryption keys enabled attackers to compromise websites. Strong access controls are essential to restrict access to sensitive information to authorized personnel only. This highlights the risk not just of credential theft, but of authorization flaws within APIs themselves (often referred to as BOLA/broken object level authorization), where authenticated users gain access to data they shouldn’t.

FTC-Mandated API Security Enhancements

As part of the settlement, the FTC required GoDaddy to implement a comprehensive security framework, including:

• Encrypted API Communications: The use of HTTPS and TLS encryption for data in transit ensures data remains secure during transmission. This is a foundational requirement for protecting data from eavesdropping.
• Enhanced Access Control: Implementing robust authentication methods, such as MFA and secure token-based authentication, protects session authenticity and prevents session hijacking. Beyond authentication, this must include granular authorization controls within the APIs to prevent authenticated users from accessing unauthorized data or functions (addressing BOLA).
• Rate Limiting: Implementing rate limiting controls the number of requests a user can make in a given time frame, preventing abuse and distributed denial-of-service (DDoS) attacks. While helpful against brute-force attempts, rate limiting alone is often insufficient against sophisticated low-and-slow attacks or abuse of business logic within a single session.
• Advanced Monitoring & Anomaly Detection: Continuous oversight of API traffic for unusual activities is crucial for timely threat identification. Adopting AI-powered runtime API protection is essential. This involves establishing a baseline of normal API behavior through continuous analysis and leveraging AI/ML to detect sophisticated attacks, including credential stuffing, data exfiltration attempts, and the exploitation of business logic flaws that manifest as subtle deviations from the norm. This goes beyond simple anomaly detection by providing deep context about user activity and data access.
• Comprehensive Audit Logs and Incident Response: Maintaining and analyzing API security logs is vital for detecting and responding to breaches. An effective incident response plan ensures prompt and efficient breach management. Effective incident response relies on rich, contextual logs which capture the full sequence of API interactions, enabling security teams to quickly understand the scope of a breach and pinpoint the exploited vulnerabilities – insights that dedicated API security platforms provide.

Legal and Business Implications

The GoDaddy settlement highlights the severe legal and business repercussions of inadequate API security. Companies that fail to secure their APIs may face:

• Regulatory Risks: Increased scrutiny and potential financial penalties from regulatory bodies like the FTC. Non-compliance with security regulations can result in hefty fines and legal actions.
• Reputation Damage: Loss of customer trust and long-term brand damage. Data breaches can severely impact a company’s reputation, leading to loss of business and customer loyalty.
• Operational Disruptions: Data theft, fraud, and service disruptions affecting business continuity and revenue. Security breaches can lead to significant operational challenges, including downtime and financial losses.

Establishing a Strong API Security Framework

To mitigate these risks and protect digital assets, organizations must prioritize API security. Key components of a robust API security framework include:

• API Discovery and Inventory: Identifying and documenting all types of APIs, including shadow APIs, third-party APIs, and legacy systems. This process involves uncovering sensitive data types in API traffic and identifying changes or drift to existing APIs. Continuous discovery is essential not just for inventory, but for maintaining an accurate, real-time understanding of your actual attack surface and potential data exposure as the API landscape evolves.
• API Posture Governance: Regularly assessing and monitoring API security posture to identify and mitigate risks (like misconfigurations, excessive permissions, or deviations from security standards) that directly impact security effectiveness and the ability to meet compliance mandates. Automating posture governance is crucial for continuously validating security controls against internal policies and external regulations (e.g., GDPR, PCI-DSS data protection rules) and scaling security in today’s fast-paced API development environment. Continuous security assessments and audits are vital for maintaining a strong, demonstrably compliant security posture and providing developers with ongoing, actionable feedback to remediate risks efficiently.
• API Threat Protection: Detecting and mitigating API attacks in real-time, including those listed in the OWASP Top-10 and elusive complex business logic threats. Business logic attacks exploit the unique functionalities of each API, making them difficult to detect with standard signature-based security solutions. Context-aware behavioral analysis provided by advanced API security platforms is essential for identifying subtle anomalies indicative of these advanced threats and mitigating them before significant damage occurs.
• API Vulnerability Management: Identifying and addressing API vulnerabilities throughout the lifecycle, from development to production. While regular vulnerability assessments and patch management (“shift-left”) are crucial for keeping APIs secure pre-deployment, effective runtime threat detection is also vital for identifying attacks attempting to exploit vulnerabilities missed during testing or newly discovered zero-days.
• API Compliance: Ensuring adherence to regulatory frameworks and standards (like GDPR, HIPAA, CCPA, and PCI-DSS), and validating compliance with security best practices. Demonstrating compliance is essential for protecting sensitive data and avoiding legal penalties. Incorporating “shift left” security practices is vital to prevent vulnerabilities from entering production, but demonstrating continuous compliance often requires runtime evidence of effective data protection controls within APIs.

Embracing API Security: A Strategic Imperative

The FTC’s settlement with GoDaddy serves as a wake-up call for businesses operating in the digital realm. Robust API security is not just about protecting data; it’s about safeguarding the trust and integrity of your brand. By implementing comprehensive security measures, including continuous discovery, runtime protection, and deep behavioral analysis, organizations can shield sensitive information, foster customer confidence, and steer clear of regulatory pitfalls. As the digital landscape continues to evolve, prioritizing proactive and adaptive API security will be crucial for ensuring resilient and successful business operations in the long term.

API security is an ongoing effort, requiring continuous monitoring, automated posture governance, and advanced threat detection capable of identifying and stopping sophisticated attacks, including those targeting unique business logic, to maintain effective protection. It must be viewed as a company-wide priority, fostering collaboration and awareness across all departments – from the developers building the APIs and the platform teams managing them, to the business units defining their function – not just the security team.

ABOUT THE AUTHOR

Eric Schwake

Eric Schwake, CISSP, is the director of cybersecurity strategy at Salt Security. He is a highly experienced cybersecurity expert with almost two decades of experience. Schwake has worked with various customers, helping to solve complex security challenges. He has gained a deep understanding of diverse security technologies through his time at industry leaders such as Symantec, Cisco, Proofpoint, Menlo Security, and Fortinet. Schwake is currently dedicated to helping organizations mitigate API risks in his role at Salt Security.