
Thales Blog

API Security in 2024: Imperva Report Uncovers Rising Threats and the Urgent Need for Action

March 7, 2024

Lebin Cheng | VP, API Security

APIs (Application Programming Interfaces) are the backbone of modern digital innovation. They drive seamless connectivity, enable rapid development, and power countless business-critical applications. Yet, amidst this accelerated adoption of APIs comes a significant change in the threat landscape. The recent report, The State of API Security in 2024, uncovers a stark reality: API-targeted attacks have surged in the past year, jeopardizing business digital assets and operations across industries.

The report, compiled by Imperva, a Thales company, highlights the expanding attack surface created by the proliferation of APIs. Attackers increasingly exploit vulnerabilities, frequently targeting API business logic to bypass traditional security measures. This report serves as a critical wake-up call for company executives and security professionals, emphasizing the urgent need to prioritize API security as a core component of their overall cybersecurity strategy.

Key Findings: Why APIs Become Prime Targets

The report offers valuable insights explaining why APIs must be on every company’s cybersecurity radar.

Rapid Growth of API Traffic

According to the report, API traffic constituted over 71% of web traffic last year. The sheer volume of API traffic gives attackers a larger and more attractive target. The report shows that almost half (46%) of all Account Takeover (ATO) attacks are aimed at API endpoints. More than a quarter (28%) of all DDoS attacks on APIs target financial services organizations, the most targeted industry for this type of attack.

Automated Attacks and Business Logic Abuse

The average number of API calls to an enterprise site has risen to an astronomical 1.5 billion, a growth that is linked to the increasing volume of automated attacks on APIs. Automated attacks, in the form of bad bots, constitute a significant threat to APIs. Because they mimic regular API traffic, these attacks often go undetected, enabling bad actors to carry out malicious activities against business logic. In 2023, the leading attack vector was business logic abuse, accounting for 27% of all API attacks.

Abuse of an API’s business logic occurs when bad actors use automated attack agents to exploit the intended functionality of an API for malicious purposes, such as the exfiltration of sensitive data or disrupting a mission-critical application.

Shadow APIs Fuel Data Leakage

Undiscovered or poorly documented APIs increase the attack surface. With an average of 613 APIs per organization, deprecated endpoints or Broken Object Level Authorization (BOLA) heighten the potential risks facing business. Shadow APIs can result in sensitive data exposure, which can have disastrous consequences for organizations.
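
The BOLA pattern mentioned above, shown as an added example (not code from the Imperva report or from Thales): a lookup handler that authenticates the caller but never checks that the caller owns the requested object, next to the hardened form. The order data, customer ids and handler names are constructed for illustration.

```python
"""Broken Object Level Authorization (BOLA): vulnerable handler beside the fix.
Constructed in-memory data stands in for the database."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int

# Constructed sample data: two customers (7 and 9), three orders.
ORDERS = {
    1001: Order(1001, owner_id=7, total_cents=4999),
    1002: Order(1002, owner_id=7, total_cents=1250),
    1003: Order(1003, owner_id=9, total_cents=89900),
}

def get_order_vulnerable(caller_id: int, order_id: int) -> Optional[Order]:
    """GET /orders/{id} as it is often written: the caller is authenticated
    (caller_id is known) but is never compared with the object's owner, so any
    logged-in user can walk order ids 1000, 1001, 1002, ... and read every
    customer's orders. This is the BOLA weakness the text refers to."""
    return ORDERS.get(order_id)

def get_order(caller_id: int, order_id: int) -> Optional[Order]:
    """Hardened handler: look the object up, then enforce ownership before
    returning it. A non-owner gets the same answer as a non-existent id, so the
    endpoint does not double as an oracle for which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != caller_id:
        return None
    return order

def enumerate_orders(handler, caller_id: int, id_range) -> list:
    """Simulate an automated agent sweeping an id range through a handler and
    collecting whatever comes back."""
    return [o for oid in id_range if (o := handler(caller_id, oid)) is not None]

if __name__ == "__main__":
    # Customer 9 sweeps ids 1000..1010 against each handler.
    sweep = range(1000, 1011)
    print("vulnerable:", [o.order_id for o in enumerate_orders(get_order_vulnerable, 9, sweep)])
    print("hardened:  ", [o.order_id for o in enumerate_orders(get_order, 9, sweep)])
```

In a real service the ownership constraint belongs in the query itself (select by order id and owner id together) rather than in a post-hoc check, so that no code path can return the object without it.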

The Need for Comprehensive API Security

Besides the findings, Imperva offers comprehensive best practices to mitigate the risk of API vulnerabilities and strengthen business security.

API Discovery as the Foundation

You cannot protect what you can't see. Implement continuous API discovery solutions to maintain a complete and up-to-date inventory of all APIs within your organization. Discover, classify, and inventory all APIs, endpoints, parameters, and payloads. Use continuous discovery to maintain a constantly up-to-date API inventory and disclose exposure of sensitive data. Identify and protect sensitive and high-risk APIs. Perform risk assessments specifically targeting API endpoints vulnerable to Broken Authorization and Authentication as well as Excessive Data Exposure.
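
One way to start on the discovery step described above, as an added example that is not part of the original post and not an Imperva tool: normalise the endpoints actually seen in gateway traffic to route templates, diff them against the documented inventory to surface shadow and deprecated-but-live endpoints, and flag which of them return sensitive-looking fields. The inventory, the observed records and the sensitive-key list are all constructed assumptions.

```python
"""Reconcile observed API traffic against a documented inventory.
All inputs below are constructed sample data."""
import re
from collections import defaultdict

# Constructed documented inventory (what an OpenAPI spec would list).
# "deprecated" marks routes the team believes have been switched off.
DOCUMENTED = {
    ("GET", "/v2/users/{id}"):  {"deprecated": False},
    ("GET", "/v2/orders/{id}"): {"deprecated": False},
    ("POST", "/v2/orders"):     {"deprecated": False},
    ("GET", "/v1/users/{id}"):  {"deprecated": True},
}

# Constructed gateway records: method, raw path, top-level keys of the JSON
# response body. In practice these come from a traffic tap or the gateway log.
OBSERVED = [
    ("GET", "/v2/users/4821", ["id", "name", "email"]),
    ("GET", "/v2/orders/1001", ["order_id", "total_cents"]),
    ("GET", "/v1/users/4821", ["id", "name", "email", "ssn"]),           # deprecated, still live
    ("GET", "/internal/export/users", ["rows", "card_number", "email"]),  # not documented at all
    ("GET", "/v2/users/9f1c2a3e-8d44-4b7a-9c0e-1234567890ab", ["id", "name"]),
    ("POST", "/v2/orders", ["order_id"]),
]

# Assumed list of field names that should never leave an API unreviewed.
SENSITIVE_KEYS = {"ssn", "card_number", "password", "secret", "token"}

_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)

def normalise(path: str) -> str:
    """Collapse numeric and UUID path segments to {id} so that /v2/users/4821
    and /v2/users/9f1c... are counted as one endpoint."""
    return "/" + "/".join("{id}" if _ID_SEGMENT.match(seg) else seg
                          for seg in path.strip("/").split("/"))

def reconcile(observed, documented):
    """Return (shadow, deprecated_live, sensitive): shadow and deprecated_live
    are sorted lists of (method, route); sensitive maps (method, route) to the
    sorted sensitive field names seen in its responses."""
    seen_keys = defaultdict(set)
    for method, path, keys in observed:
        seen_keys[(method, normalise(path))].update(keys)
    shadow = sorted(ep for ep in seen_keys if ep not in documented)
    deprecated_live = sorted(ep for ep in seen_keys
                             if documented.get(ep, {}).get("deprecated"))
    sensitive = {ep: sorted(keys & SENSITIVE_KEYS)
                 for ep, keys in seen_keys.items() if keys & SENSITIVE_KEYS}
    return shadow, deprecated_live, sensitive

if __name__ == "__main__":
    shadow, deprecated_live, sensitive = reconcile(OBSERVED, DOCUMENTED)
    print("shadow endpoints:     ", shadow)
    print("deprecated but live:  ", deprecated_live)
    print("returning sensitive:  ", sensitive)
```

Run this continuously rather than once: the shadow list is only as current as the last traffic sample, and every new deployment can add an endpoint the spec does not know about.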

Beyond Traditional WAFs

While Web Application Firewalls (WAFs) play a role, they often lack the context and visibility to defend against API-specific attacks effectively. To combat the unique nature of API threats, businesses must invest in:

  • Advanced bot protection that distinguishes legitimate from malicious automated traffic and blocks the bad bots that so often target APIs.
  • Regular assessments that uncover the API weaknesses a traditional WAF may miss, such as inadequate input validation or misconfigured authentication.
  • Solutions that apply behavioral analysis and machine learning to pinpoint anomalous API activity that signals an attack.
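
The behavioral angle from the last bullet, applied to the business logic abuse described earlier: as an added example (not from the report or any Imperva product), a per-client profile over constructed API access records that separates an agent harvesting a legitimate lookup endpoint from a person using it. The thresholds, the client keys and the traffic are assumptions chosen for illustration.

```python
"""Behavioural check for id enumeration through a legitimate endpoint.
EVENTS is constructed sample traffic: (client_key, unix_ts, method, path, status)."""
import re
from collections import defaultdict

EVENTS = [
    # "k-user": a person looking at their own account and one order.
    ("k-user", 965, "GET", "/v2/users/4821", 200),
    ("k-user", 978, "GET", "/v2/orders/1001", 200),
    ("k-user", 990, "GET", "/v2/orders/1001", 200),
    ("k-user", 1005, "GET", "/v2/users/4821", 200),
] + [
    # "k-bot": a scripted sweep of /v2/users/{id}, one request per second,
    # hitting ids that do not exist a third of the time.
    ("k-bot", 960 + i, "GET", f"/v2/users/{5000 + i}", 200 if i % 3 else 404)
    for i in range(60)
]

_ID = re.compile(r"^\d+$")

def split_route(path):
    """/v2/users/4821 -> ("/v2/users/{id}", 4821); paths without an id -> (route, None)."""
    segs = path.strip("/").split("/")
    ids = [int(s) for s in segs if _ID.match(s)]
    route = "/" + "/".join("{id}" if _ID.match(s) else s for s in segs)
    return route, (ids[-1] if ids else None)

def profile(events, window_s=60):
    """Aggregate, per (client, method, route, time window), the signals that
    separate harvesting from use: request count, share of distinct ids,
    share of consecutive ids, share of 404s."""
    buckets = defaultdict(list)
    for client, ts, method, path, status in events:
        route, oid = split_route(path)
        if oid is not None:  # only object lookups are interesting here
            buckets[(client, method, route, ts // window_s)].append((ts, oid, status))
    out = {}
    for key, rows in buckets.items():
        rows.sort()
        ids = [oid for _, oid, _ in rows]
        steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
        out[key] = {
            "requests": len(rows),
            "distinct_ratio": len(set(ids)) / len(rows),
            "sequential_ratio": (sum(1 for s in steps if s == 1) / len(steps)) if steps else 0.0,
            "not_found_ratio": sum(1 for *_, st in rows if st == 404) / len(rows),
        }
    return out

def flag_enumeration(profiles, min_requests=20, distinct=0.8, sequential=0.5, not_found=0.2):
    """A client that makes many requests to one route, almost never repeats an
    id, and either walks ids in order or keeps hitting missing ones is
    enumerating, not browsing. Thresholds are assumptions to tune per API."""
    return sorted(k for k, m in profiles.items()
                  if m["requests"] >= min_requests
                  and m["distinct_ratio"] >= distinct
                  and (m["sequential_ratio"] >= sequential or m["not_found_ratio"] >= not_found))

if __name__ == "__main__":
    for key in flag_enumeration(profile(EVENTS)):
        print("enumeration suspected:", key)
```

Fixed windows keyed on `ts // window_s` are deliberately simple; a sweep that straddles a window boundary is split in two, so a production detector would use a sliding window and, where clients rotate keys or IPs, correlate on something more durable than the client key.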

Remember that API security is not a one-and-done solution. It's a continuous process that requires regular reassessment, adaptation, and proactive monitoring to stay ahead of evolving threats.

Spread the Word!

Understanding the API security challenges and how they impact businesses is the first step toward a more secure API landscape. Download the report and share it with peers and partners to help forward the knowledge of the threats we face. Cybersecurity has always been a team game.

Remember to mark your calendars for a webinar on March 20, 2024 where Luke Babarinde and Grainne McKeever will discuss the key findings from the report and how to build an API Security strategy.