
Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more efficiently. The 2024 State of API Security Report from Imperva, a Thales company, found that the majority of network traffic (71%) in 2023 was API calls. What’s more, in 2023 the typical enterprise website made an average of 1.5 billion API calls.
The high volume of network traffic passing through APIs should be on the radar of every security professional. Despite the best efforts to adopt shift-left frameworks and SDLC processes, APIs often go into production before being cataloged, verified, or reviewed. On average, organizations have 613 API endpoints in production, but this number is growing rapidly as pressure increases to deliver digital services to customers faster and more efficiently. Over time, these APIs can become risky, vulnerable endpoints.
In its report, Imperva concluded that APIs are now a common attack vector for cybercriminals because they provide a direct path to access sensitive data. In fact, a study by the Marsh McLennan Cyber Risk Analysis Center found that API-related security incidents cost global enterprises up to $75 billion annually.
More API calls, more questions
Banking and online retail had the highest API call volumes in 2023 compared to other industries. Both industries rely on large API ecosystems to provide digital services to customers. It is therefore not surprising that financial services, including banks, were the main targets of API-related attacks in 2023.
Cybercriminals use a variety of methods to attack API endpoints, but a common attack vector is account takeover (ATO). This attack occurs when cybercriminals exploit a weakness in the API authentication process to gain unauthorized access to an account. In 2023, nearly half (45.8%) of all ATO attacks targeted API endpoints. These attempts are often carried out through automation in the form of malicious bots: software agents that run automated tasks with malicious intent. If successful, these attacks can lock customers out of their accounts, provide criminals with sensitive data, cause lost revenue, and increase the risk of breaches. ATO is a worrying business risk given the value of the data that banks and other financial institutions manage for their customers.
Why poorly managed APIs are a security threat
Mitigating API security risks is a unique challenge that can frustrate even the most advanced security teams. This problem stems from the fast pace of software development and the lack of mature tools and processes to help developers and security teams work more collaboratively. As a result, nearly 1 in 10 APIs are vulnerable because they are not properly deprecated, are not monitored, or lack adequate authentication controls.
In its report, Imperva identifies three common types of poorly managed API endpoints that pose security risks to organizations: shadow APIs, deprecated APIs, and unauthenticated APIs.
- Shadow APIs: Also known as undocumented or undiscovered APIs, these APIs are unsupervised, forgotten, and/or outside the visibility of the security team. Imperva estimates that shadow APIs account for 4.7% of each organization’s active API collection. These endpoints are introduced for many reasons, from software testing to use as connectors to third-party services. Problems arise when these API endpoints are not cataloged or managed correctly. Enterprises should be concerned about shadow APIs because they can often access sensitive information, yet no one knows where they exist or what they are connected to. A single shadow API can lead to compliance violations and regulatory fines, or worse, it can be abused by motivated cybercriminals to access an organization’s sensitive data.
- Deprecated APIs: Deprecating API endpoints is a natural part of the software life cycle. As software is updated at a rapid and continuous rate, it is not uncommon for deprecated APIs to exist. In fact, Imperva estimates that deprecated APIs account for an average of 2.6% of an organization’s active API collection. When an endpoint is deprecated, the services that depend on it should be updated, and requests to the deprecated endpoint should fail. However, if the services are not updated and the API is not removed, the endpoint becomes vulnerable because it lacks necessary patches and software updates.
- Unauthenticated APIs: Often, the introduction of unauthenticated APIs is the result of misconfiguration, an oversight in a rushed release process, or the relaxation of strict authentication processes to accommodate older versions of software. These APIs account for an average of 3.4% of an organization’s active API collection. The existence of unauthenticated APIs poses significant risks to organizations, as it may expose sensitive data or functionality to unauthorized users and lead to data exfiltration or system manipulation.
To mitigate the security risks caused by poor API management, it is recommended to conduct regular audits to identify unmonitored or unauthenticated API endpoints. Continuous monitoring can help detect any attempts to exploit weaknesses associated with these endpoints. Additionally, developers should regularly update and upgrade their APIs to ensure that deprecated endpoints are replaced with more secure alternatives.
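The audit the paragraph above recommends can be approximated by comparing what the API gateway actually serves with what the organization has cataloged. The following is an added example, not code from the Imperva report; the inventory format, the log-line layout and all paths are constructed for illustration. It flags each of the three poorly managed endpoint types described above: paths with traffic but no inventory entry (shadow), paths marked deprecated that still answer 2xx, and paths whose policy requires credentials but that served a credential-less request.

```python
from collections import defaultdict

# Constructed inventory (assumed format): path -> declared status and auth policy.
INVENTORY = {
    "/api/v1/accounts": {"deprecated": False, "auth_required": True},
    "/api/v1/transfer": {"deprecated": False, "auth_required": True},
    "/api/v0/accounts": {"deprecated": True, "auth_required": True},
    "/api/v1/health": {"deprecated": False, "auth_required": False},
}

# Constructed gateway access-log lines: method path status credential-present
LOG_LINES = """\
GET /api/v1/accounts 200 yes
GET /api/v0/accounts 200 yes
GET /api/test/export 200 no
POST /api/v1/transfer 200 no
GET /api/v1/health 200 no
GET /api/v1/accounts 401 no
"""

def parse_line(line):
    method, path, status, cred = line.split()
    return method, path, int(status), cred == "yes"

def audit(inventory, log_text):
    """Compare observed endpoints with the declared inventory and return
    shadow (undocumented), deprecated (still serving 2xx), and unauthenticated
    (auth required by policy but a credential-less request succeeded) paths."""
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _method, path, status, has_cred = parse_line(raw)
        served = 200 <= status < 300
        entry = inventory.get(path)
        if entry is None:
            findings["shadow"].add(path)  # traffic to a path nobody cataloged
            continue
        if entry["deprecated"] and served:
            findings["deprecated"].add(path)  # retired on paper, live in production
        if entry["auth_required"] and served and not has_cred:
            findings["unauthenticated"].add(path)  # policy not enforced
    return {kind: sorted(paths) for kind, paths in findings.items()}

if __name__ == "__main__":
    for kind, paths in audit(INVENTORY, LOG_LINES).items():
        print(f"{kind}: {', '.join(paths)}")
```

A 401 against a cataloged endpoint produces no finding, since the policy held; only successful responses are evidence of an enforcement gap.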
How to secure your API
Imperva provides several recommendations to help organizations improve their API security posture:
- Discover, classify and inventory all APIs, endpoints, parameters and payloads. Use continuous discovery to maintain an always-up-to-date API inventory and uncover exposure of sensitive data.
- Identify and protect sensitive and high-risk APIs. Perform risk assessments specifically for API endpoints that are vulnerable to compromised authorization and authentication, as well as excessive data exposure.
- Build a powerful monitoring system for API endpoints to proactively detect and analyze suspicious behavior and access patterns.
- Adopt an API security approach that integrates Web Application Firewall (WAF), API Protection, Distributed Denial of Service (DDoS) Protection, and Bot Protection. Comprehensive mitigation options provide flexibility and advanced protection against increasingly complex API threats, such as business logic attacks, that are unique to each API and therefore particularly challenging to defend against.
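The monitoring recommendation above, and the bot-driven ATO pattern described earlier, can be turned into concrete detection logic over login-endpoint logs. This is an added example and not Imperva's code; the log layout, IP addresses, usernames and the 60-second/4-event thresholds are constructed assumptions. It raises two separate signals: one source IP failing against many distinct accounts in a short window (credential stuffing), and many failures accumulating on a single account regardless of source.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login-endpoint log lines: timestamp source_ip username status (401 = failed)
LOGIN_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice 401
2024-03-01T10:00:02 203.0.113.7 bob 401
2024-03-01T10:00:02 203.0.113.7 carol 401
2024-03-01T10:00:03 203.0.113.7 dave 401
2024-03-01T10:00:04 203.0.113.7 erin 200
2024-03-01T10:00:05 198.51.100.4 alice 401
2024-03-01T10:00:09 198.51.100.4 alice 401
2024-03-01T10:00:12 198.51.100.4 alice 401
2024-03-01T10:02:00 192.0.2.9 frank 401
"""

def parse(log_text):
    events = []
    for raw in log_text.splitlines():
        ts, ip, user, status = raw.split()
        events.append((datetime.fromisoformat(ts), ip, user, int(status)))
    return events

def _burst(items, window_s, threshold):
    """items: time-ordered (timestamp, key); True if any window holds >= threshold distinct keys."""
    seen, start = defaultdict(int), 0
    for ts, key in items:
        seen[key] += 1
        while (ts - items[start][0]).total_seconds() > window_s:  # slide window start forward
            old = items[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        if len(seen) >= threshold:
            return True
    return False

def detect_ato(events, window_s=60, threshold=4):
    """Credential stuffing (one IP, many accounts) and per-account brute force (many failures)."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for idx, (ts, ip, user, status) in enumerate(sorted(events)):
        if status == 401:
            by_ip[ip].append((ts, user))     # distinct key = username
            by_user[user].append((ts, idx))  # distinct key = event, so this is a plain count
    return {
        "stuffing_ips": sorted(i for i, f in by_ip.items() if _burst(f, window_s, threshold)),
        "targeted_accounts": sorted(u for u, f in by_user.items() if _burst(f, window_s, threshold)),
    }
```

The per-account signal catches a distributed attack that the per-IP signal misses (alice is hit from two addresses), which is why both are evaluated independently.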