Application Programming Interfaces (APIs) serve a crucial role in digital transformation by facilitating data exchange between applications and databases. According to the recent State of API Security in 2024 Report published by Imperva, a Thales company, API calls accounted for a staggering 71% of internet traffic in 2023. Enterprises witnessed an average of 1.5 billion API calls, underscoring the growing reliance on these interfaces.

The immense traffic flowing through APIs raises significant security concerns. Even with the adoption of advanced development frameworks and Software Development Lifecycle (SDLC) processes, many APIs are deployed prematurely, bypassing essential steps like cataloging, authentication, and auditing. Presently, organizations manage an average of 613 API endpoints, a number that is expected to grow as the demand for swift digital services escalates. However, the proliferation of these endpoints increases the potential for exposing vulnerable access points.

Imperva’s report highlights that APIs have emerged as prime targets for cybercriminals, providing direct access to sensitive information. A related study from Marsh McLennan Cyber Risk Analytics Center quantifies the financial impact of API-related security breaches, estimating annual costs to global businesses to be as high as $75 billion.

API Vulnerabilities: A Growing Concern

Financial institutions and online retail sectors reported the highest volumes of API calls in 2023, owing to their reliance on expansive API infrastructures for digital service delivery. Consequently, these sectors, particularly banking, have become the primary targets of API-related cyber threats.

One prevalent tactic employed by cybercriminals is Account Takeover (ATO), exploiting weaknesses in API authentication mechanisms to gain unauthorized access. Notably, in 2023, nearly 46% of ATO incidents targeted API endpoints. These attacks often utilize automated bots, programmed for malicious tasks, leading to consequences that include customer account lockouts, data breaches, and revenue losses. The inherent value of customer data in financial services exacerbates the risk associated with ATO attacks.

The Risks of Neglected APIs

Addressing API security vulnerabilities poses unique challenges for even the most advanced security teams. The rapid pace of software development, coupled with a lack of robust tools and processes for collaborative efforts between developers and security teams, creates a breeding ground for API mismanagement. An estimated 10% of APIs face potential vulnerabilities due to improper deprecation, insufficient monitoring, or lax authentication controls.

Imperva’s report identifies three primary categories of mismanaged API endpoints that contribute to security threats: shadow, deprecated, and unauthenticated APIs. Shadow APIs, often forgotten and undocumented, represent about 4.7% of active APIs and can expose sensitive data if not managed appropriately. Deprecated APIs, constituting around 2.6% of active APIs, pose risks when not promptly removed or updated, leading to vulnerabilities from outdated software. Additionally, unauthenticated APIs, averaging 3.4% of an organization’s APIs, may result from misconfiguration or rushed releases, creating pathways for unauthorized access and data breaches.

To mitigate these risks, organizations are urged to conduct regular audits to pinpoint unmonitored or unauthenticated APIs. Continuous monitoring can assist in identifying attempts to exploit vulnerabilities, while proactive updates and upgrades can help replace deprecated APIs with secure alternatives.
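As an added illustration of such an audit (example code, not from Imperva's report or this article), the script below reconciles a documented API inventory against gateway access logs and flags the three mismanaged categories named above: endpoints seen in traffic but absent from the inventory (shadow), deprecated endpoints still serving requests, and endpoints that the inventory marks as requiring authentication yet answered unauthenticated calls successfully. The inventory, log format and log lines are constructed sample data.

```python
# Added example: reconcile an API inventory against observed traffic to flag
# shadow, deprecated and unauthenticated endpoints. All data here is constructed.

# Constructed inventory: "METHOD /path" -> lifecycle status and whether auth is required
INVENTORY = {
    "GET /v2/accounts": {"status": "active", "auth_required": True},
    "POST /v2/transfers": {"status": "active", "auth_required": True},
    "GET /v1/accounts": {"status": "deprecated", "auth_required": True},
    "GET /v2/health": {"status": "active", "auth_required": False},
}

# Constructed access-log lines: method, path, response status, auth header present?
SAMPLE_LOG = """\
GET /v2/accounts 200 yes
POST /v2/transfers 201 yes
GET /v1/accounts 200 yes
GET /v2/health 200 no
GET /internal/export 200 no
POST /v2/transfers 200 no
GET /v2/accounts 200 no
"""


def parse_log(text):
    """Yield (endpoint, status_code, authenticated) for each request line."""
    for line in text.splitlines():
        method, path, status, auth = line.split()
        yield f"{method} {path}", int(status), auth == "yes"


def audit(inventory, log_text):
    """Return sets of flagged endpoints keyed by category."""
    findings = {"shadow": set(), "deprecated": set(), "unauthenticated": set()}
    for endpoint, status, authenticated in parse_log(log_text):
        spec = inventory.get(endpoint)
        if spec is None:
            # Traffic to an endpoint nobody documented: a shadow API
            findings["shadow"].add(endpoint)
            continue
        if spec["status"] == "deprecated":
            # A deprecated endpoint that is still answering requests
            findings["deprecated"].add(endpoint)
        if spec["auth_required"] and not authenticated and 200 <= status < 300:
            # Inventory requires auth, yet an unauthenticated call succeeded
            findings["unauthenticated"].add(endpoint)
    return findings


if __name__ == "__main__":
    for category, endpoints in audit(INVENTORY, SAMPLE_LOG).items():
        print(f"{category}: {sorted(endpoints)}")
```

Running this regularly against real gateway logs turns the report's three categories into concrete review items; a success response to an unauthenticated call on an auth-required endpoint is the finding that deserves the fastest follow-up.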

Strengthening API Security

Imperva offers a set of recommendations aimed at bolstering API security posture across organizations. Initiatives include comprehensive discovery and classification of APIs to maintain an updated inventory, identification of high-risk APIs for targeted risk assessments, and the establishment of robust monitoring systems to detect suspicious activities. A multifaceted security approach that integrates Web Application Firewalls (WAF), API protection, Distributed Denial of Service (DDoS) prevention, and bot protection will further enhance defenses against increasingly sophisticated API threats.

This article is a contributed piece from one of our valued partners.