1. SAST Online
  2. Application Security News and Articles
  3. The FTC Is Watching: GoDaddy’s Settlement Sends a Clear Message on API Security
Authenticate your profile to see activity

The FTC Is Watching: GoDaddy’s Settlement Sends a Clear Message on API Security

In today’s rapidly changing digital environment, APIs play a crucial role in modern business, facilitating smooth connectivity and data sharing. Yet, this interconnected nature brings significant security and privacy risks, as evidenced by the Federal Trade Commission's (FTC) recent settlement with GoDaddy. This settlement serves as a stark reminder that strong API security is no longer just a good security practice but is now a legal obligation.

GoDaddy’s API Security Breaches

The FTC's actions against GoDaddy arose from the company’s failure to implement suitable security measures, which resulted in repeated data breaches between 2019 and 2022. These incidents exposed sensitive customer information, including usernames, passwords, and employee credentials. The FTC’s investigation highlighted several critical API security shortcomings:

  • Inadequate API Authentication: One API from GoDaddy compromised sensitive customer data by lacking multi-factor authentication (MFA) and encryption.
  • Insufficient API Monitoring: GoDaddy did not implement vital security features such as rate-limiting, logging, and anomaly detection, which allowed unauthorized access to 1.2 million customer records.
  • Weak Access Controls: The company's APIs disclosed admin credentials and encryption keys, enabling attackers to compromise websites.

FTC-Required API Security Measures

As part of this settlement, the FTC imposed a comprehensive security regimen on GoDaddy, introducing, among other things, various API security requirements. These requirements reflect the FTC’s increased scrutiny of API security and offer a clear structure for businesses to adopt:

  • Encrypted API Communications: APIs used for delivering services or involving personally identifiable information (PII) must utilize HTTPS for all requests, with TLS encryption for data in transit.
  • Access Control: API requests should be authenticated using a method that safeguards authenticity at the session level and includes adequate protections against session hijacking and information tampering.
  • Rate Limiting: API connections must implement suitable rate limiting to guard against abuse and distributed denial-of-service attacks.
  • Monitoring & Anomaly Detection: Both inbound and outbound API traffic should be diligently monitored for suspicious activities and attacks.
  • Audit Logs & Incident Response: API security logs must be maintained and analyzed to detect and respond to breaches.

Implications for Law and Business

The GoDaddy settlement highlights the significant legal and business ramifications that arise from inadequate API security. Companies that neglect API security may face several consequences, including:

  • Regulatory Risks: The FTC has shown a readiness to take action against companies with insufficient API security measures. Noncompliance can lead to scrutiny from the FTC, financial penalties, and government oversight.
  • Reputation Damage: API security breaches can intrinsically harm a company’s reputation, reducing customer trust and inflicting long-term damage to the brand.
  • Operational disruptions: A compromised API can result in data theft, fraud, and service disruptions that affect business continuity and revenue

How Salt Security Can Assist

Salt Security is the foremost API security platform that aids organizations in discovering, protecting, and managing their APIs at scale. The Salt platform offers a full range of capabilities to meet the FTC’s API security requirements, helping organizations develop and maintain a robust API security framework, including:

  • API Discovery and Inventory: Automatically identify and catalog all APIs, including shadow APIs, third-party APIs, and legacy systems.
  • API Posture Governance: Continuously assess and monitor your APIs’ security posture, delivering insights into potential risks and improvement areas. This includes identifying and mitigating vulnerabilities, enforcing security protocols, and tracking compliance with regulations.
  • API Threat Protection: Immediately detect and prevent API attacks, including those from the OWASP Top 10 and complex business logic threats.
  • API Vulnerability Management: Spot and address API vulnerabilities before exploitation, including issues linked to authentication, authorization, and data exposure.
  • API Compliance: Ensure adherence to regulatory frameworks and standards, such as the API security requirements espoused by the FTC, offering tools and reporting features to validate compliance with security best practices.

By adopting the Salt Security platform, organizations can methodically tackle API security threats, reduce potential legal and business fallout, and protect their digital assets. Schedule a demo to see Salt Security in action.

The post The FTC Is Watching: GoDaddy’s Settlement Sends a Clear Message on API Security appeared first on Security Boulevard.

17 April 2025


>>More