APIs become the leading attack vector, cybersecurity research shows
In recent research conducted by cybersecurity firm Imperva, it is revealed that APIs have emerged as a significant attack vector, with over 71% of web traffic last year accounted for by APIs. The risk is magnified by organisations' inadequate visibility, as on average, 11% of the APIs are unknown and remain vulnerable to attacks. As much as 46% of Account Takeover attacks were aimed at API endpoints.
The report's findings also indicate financial services being the most targeted industry, with 20% of all API attacks and 28% of DDoS attacks borne by them. The most common method for API attacks was business logic attacks, comprising 27% of the total. Furthermore, 19% of API attacks originated from bad bots.
Last year, the number of attacks targeting APIs saw a significant rise. Of the attacks in 2023, 27% were aimed at the business logic of APIs, a noticeable increase of 10% from the preceding year. ATO attacks targeting APIs also rose from 35% in 2022 to 46% in 2023.
APIs play a pivotal role in application modernisation and their traffic, outpacing normal web traffic, accounted for over 71% of web traffic last year. Despite their many advantages such as seamless connectivity, enhanced online experiences, and driving innovation, APIs' broad adoption is presenting organisations with new security challenges that they are frequently ill-equipped to counter.
The average number of API calls made to enterprise sites is 1.5 billion. This high volume of non-human, automated traffic is intrinsically linked to the rise in automated attacks on APIs. Effective security measures are needed to defend against attacks by bad bots and other automated attacks, such as DDoS attacks and Account Takeover (ATO). Nearly half (46%) of all ATO attacks targeted API endpoints, highlighting the urgency to fortify API security.
As reliance on APIs grows, understanding the risks APIs can introduce to application infrastructure becomes vital. Issues like shadow APIs, business logic abuse, data leakage, and an apparent API Security skills shortage are amongst the top challenges.
The report underscores the urgent need for organisations to have visibility into their API ecosystems for meticulous identification of each API. API Discovery is a crucial initial step in establishing a robust API security posture. The research uncovered an average of 613 APIs per organisation, revealing potential risks like deprecated endpoints and Broken Object Level Authorization (BOLA).
Automated attacks or 'bad bots' present a considerable threat to APIs since APIs are fundamentally designed towards automation. Attackers are increasingly using automated attacks to target API business logic, often undetected, allowing unimpeded malicious activities. As conventional, security tools struggle to detect this form of abuse, it becomes paramount to emphasise heightened visibility into API infrastructures for a comprehensive assessment and implementation of the required security measures.
The research accentuates the critical need for a comprehensive API Security strategy, combining several measures together - Web Application Firewall (WAF), API Discovery with Advanced Bot Protection, and advanced API Security measures such as risk assessment, anomaly detection, and mitigation. It advocates for a holistic and integrated approach to ensure the robust protection of APIs.