Application programming interfaces (APIs) are the connective tissue behind digital modernization and help applications and databases exchange data more effectively. The State of API Security 2024 report from Imperva, a Thales company, found that the majority of internet traffic in 2023 (71%) consisted of API calls. Additionally, a typical business site saw an average of 1.5 billion API calls in 2023.
The sheer volume of Internet traffic passing through APIs should concern every security professional. Despite best efforts to adopt shift-left frameworks and SDLC processes, APIs are often still put into production before being cataloged, authenticated, or audited. On average, organizations have 613 API endpoints in production, but this number is rapidly expanding as pressure grows to deliver digital services to customers more quickly and efficiently. Over time, these APIs can become risky and vulnerable endpoints.
In their report, Imperva concludes that APIs are now a common attack vector for cybercriminals because they represent a direct path to access sensitive data. As a matter of fact, a study from the Marsh McLennan Cyber Risk Analytics Center finds that API-related security incidents cost global businesses up to $75 billion annually.
More API calls, more problems
In 2023, banking and online retail saw higher volumes of API calls than any other industry. Both industries rely on large API ecosystems to provide digital services to their customers. Therefore, it is not surprising that financial services, including banking, were the main target of API-related attacks in 2023.
Cybercriminals use several methods to attack API endpoints, but a common attack vector is Account Takeover (ATO). This attack occurs when cybercriminals exploit vulnerabilities in an API’s authentication processes to gain unauthorized access to accounts. In 2023, nearly half (45.8%) of all ATO attacks targeted API endpoints. These attempts are often carried out by automation in the form of malicious bots, software agents that perform automated tasks with malicious intent. If successful, these attacks can block customers’ access to their accounts, provide criminals with sensitive data, contribute to lost revenue, and increase the risk of non-compliance. Considering the value of the data that banks and other financial institutions manage for their customers, ATO represents a worrying business risk.
Why poorly managed APIs pose a security threat
Mitigating API security risk is a unique challenge that frustrates even the most sophisticated security teams. The problem stems from the frenetic pace of software development and the lack of mature tools and processes to help developers and security teams work more collaboratively. As a result, nearly one in 10 APIs are vulnerable to attacks because they are not properly deprecated, are not monitored, or do not have sufficient authentication controls.
In their report, Imperva identified three common types of poorly managed API endpoints that create security risks for organizations: shadow, deprecated, and unauthenticated APIs.
- Shadow APIs: Also known as undocumented or undiscovered APIs, these are APIs that are unsupervised, forgotten, and/or outside the visibility of the security team. Imperva estimates that shadow APIs make up 4.7% of each organization’s active API collection. These endpoints are introduced for several reasons, from testing software to serving as a connector for a third-party service. Problems arise when these API endpoints are not cataloged or managed properly. Companies should be concerned about shadow APIs because they typically have access to sensitive information, but no one knows where they exist or what they are connected to. A single shadow API can lead to a compliance violation and a regulatory fine, or worse, a motivated cybercriminal who will abuse it to access an organization’s sensitive data.
- Deprecated APIs: Deprecation of an API endpoint is a natural progression in the software lifecycle. As a result, the presence of outdated APIs is not uncommon, as software is updated at a rapid and continuous pace. In fact, Imperva estimates that deprecated APIs, on average, make up 2.6% of an organization’s active API collection. When the endpoint is deprecated, the services that support those endpoints are updated and a request to the deprecated endpoint should fail. However, if the services are not updated and the API is not removed, the endpoint becomes vulnerable because it does not have the necessary patches and software updates.
- Unauthenticated APIs: Often, unauthenticated APIs are introduced due to misconfiguration, oversight of a rushed release process, or the relaxation of a strict authentication process to accommodate older versions of the software. These APIs make up, on average, 3.4% of an organization’s active API collection. The existence of unauthenticated APIs poses a significant risk to organizations as it can expose sensitive data or functionality to unauthorized users and lead to data breaches or system manipulation.
To mitigate the various security risks introduced by poorly managed APIs, we recommend conducting regular audits to identify unmonitored or unauthenticated API endpoints. Continuous monitoring can help detect any attempts to exploit vulnerabilities associated with these endpoints. Additionally, developers should regularly update and upgrade APIs to ensure that deprecated endpoints are replaced with more secure alternatives.
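The audit described above can be reduced to a comparison between what the API catalog says exists and what the gateway actually served. The following Python script is an added example, not code from Imperva or the report: it takes a constructed inventory (the catalog, with deprecation and authentication flags per endpoint) and constructed access-log lines, and flags the three categories of poorly managed endpoint just described: shadow endpoints (served, but not in the catalog), deprecated endpoints that still answer successfully, and endpoints that require authentication but returned a success to an unauthenticated request. The log format, the inventory shape and the path-template convention are assumptions chosen for the example.

```python
import re

# Constructed inventory standing in for an API catalog or OpenAPI spec.
# Keys are (METHOD, path template); numeric path segments are templated as {id}.
INVENTORY = {
    ("GET", "/v1/accounts/{id}"): {"deprecated": False, "auth_required": True},
    ("POST", "/v1/transfers"):    {"deprecated": False, "auth_required": True},
    ("GET", "/v0/accounts/{id}"): {"deprecated": True,  "auth_required": True},
    ("GET", "/v1/health"):        {"deprecated": False, "auth_required": False},
}

# Constructed gateway access-log lines: "METHOD PATH STATUS AUTH",
# where AUTH is "token" if a credential was presented and "-" if not.
SAMPLE_LOG = """\
GET /v1/accounts/1042 200 token
GET /v1/accounts/1042 200 -
GET /v0/accounts/77 200 token
POST /v1/transfers 201 token
GET /v1/health 200 -
GET /internal/debug/users 200 -
GET /v1/accounts/9 401 -
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<auth>\S+)$")
NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize_path(path):
    """Drop the query string and collapse numeric segments to {id} so that
    concrete requests match the inventory's path templates."""
    path = path.split("?", 1)[0]
    return NUMERIC_SEGMENT.sub("/{id}", path)


def audit_api_traffic(inventory, log_text):
    """Classify successfully served endpoints seen in traffic against the inventory.

    Returns a dict with three sets of (METHOD, template) keys:
      shadow          - served, but absent from the inventory
      deprecated_live - marked deprecated, yet still answering with 2xx/3xx
      unauthenticated - auth_required, yet served to a request with no credential
    Rejected requests (4xx/5xx) are skipped: a 401 on a protected endpoint is
    correct behaviour, and a 404 on an unknown path is not an exposure.
    """
    findings = {"shadow": set(), "deprecated_live": set(), "unauthenticated": set()}
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # malformed line; a real audit would count these
        if int(match["status"]) >= 400:
            continue
        key = (match["method"], normalize_path(match["path"]))
        authed = match["auth"] != "-"
        entry = inventory.get(key)
        if entry is None:
            findings["shadow"].add(key)
            continue
        if entry["deprecated"]:
            findings["deprecated_live"].add(key)
        if entry["auth_required"] and not authed:
            findings["unauthenticated"].add(key)
    return findings


if __name__ == "__main__":
    for category, endpoints in audit_api_traffic(INVENTORY, SAMPLE_LOG).items():
        for method, template in sorted(endpoints):
            print(f"{category:16} {method} {template}")
```

Run against real gateway or WAF logs, the same three sets map directly onto the remediation actions above: catalog or remove shadow endpoints, retire deprecated ones whose backing services still respond, and add authentication to endpoints that were served without it.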
How to protect your API
Imperva offers several recommendations to help organizations improve their API security posture:
- Discover, classify and inventory all APIs, endpoints, parameters and payloads. Use continuous discovery to maintain an up-to-date API inventory and disclose sensitive data exposure.
- Identify and protect sensitive and high-risk APIs. Perform risk assessments specifically targeting API endpoints vulnerable to broken authorization and authentication, as well as excessive data exposure.
- Establish a robust monitoring system for API endpoints to actively detect and analyze suspicious behavior and access patterns.
- Take an approach to API security that integrates Web Application Firewall (WAF), API protection, Distributed Denial of Service (DDoS) prevention, and bot protection. A full range of mitigation options offers flexibility and advanced protection against increasingly sophisticated API threats, such as business logic attacks, which are particularly difficult to defend against as they are specific to each API.
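The monitoring recommendation above, combined with the Account Takeover pattern described earlier (automated bots working through an API's authentication endpoint), is the kind of thing a detection rule can be written for. The following Python script is an added example, not code from Imperva or the report: over constructed login-endpoint log lines it applies a sliding time window and flags two access patterns, a single client IP failing against many distinct accounts (credential stuffing) and a single account receiving failures from many distinct IPs (a targeted account). The log format, the window length and the thresholds are assumptions chosen for the example and would be tuned to real traffic.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed login-endpoint log lines: "<ISO timestamp> <client ip> <account> <result>"
SAMPLE_LOGIN_LOG = """\
2024-05-01T10:00:00 203.0.113.5 alice FAIL
2024-05-01T10:00:01 203.0.113.5 bob FAIL
2024-05-01T10:00:02 203.0.113.5 carol FAIL
2024-05-01T10:00:03 203.0.113.5 dave FAIL
2024-05-01T10:00:04 203.0.113.5 erin OK
2024-05-01T10:00:10 198.51.100.7 alice OK
2024-05-01T10:05:00 192.0.2.10 frank FAIL
2024-05-01T10:05:30 192.0.2.10 frank OK
2024-05-01T11:00:00 198.51.100.20 victim FAIL
2024-05-01T11:00:05 198.51.100.21 victim FAIL
2024-05-01T11:00:09 198.51.100.22 victim FAIL
2024-05-01T11:00:14 198.51.100.23 victim FAIL
"""


def parse_login_log(text):
    """Parse log lines into (timestamp, ip, account, result) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, account, result = parts
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def _sliding_distinct(events_by_key, window, threshold):
    """For each key, slide a time window over its (timestamp, value) events and
    report the key if any window contains at least `threshold` distinct values.
    The reported number is the largest distinct count seen in one window."""
    flagged = {}
    for key, evs in events_by_key.items():
        evs.sort()
        counts = Counter()
        left = 0
        for ts, value in evs:
            counts[value] += 1
            # Evict events that fell out of the window ending at `ts`.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(counts))
    return flagged


def detect_ato_patterns(text, window=timedelta(minutes=5),
                        ip_threshold=4, account_threshold=3):
    """Return IPs spraying across accounts and accounts hit from many IPs.
    Only failed attempts are counted, so a legitimate user logging in from
    several devices is not flagged."""
    by_ip = defaultdict(list)       # ip -> [(ts, account)]
    by_account = defaultdict(list)  # account -> [(ts, ip)]
    for ts, ip, account, result in parse_login_log(text):
        if result != "OK":
            by_ip[ip].append((ts, account))
            by_account[account].append((ts, ip))
    return {
        "credential_stuffing_ips": _sliding_distinct(by_ip, window, ip_threshold),
        "targeted_accounts": _sliding_distinct(by_account, window, account_threshold),
    }


if __name__ == "__main__":
    for kind, hits in detect_ato_patterns(SAMPLE_LOGIN_LOG).items():
        for key, distinct in sorted(hits.items()):
            print(f"{kind}: {key} ({distinct} distinct in window)")
```

In practice the flagged IPs feed the bot-protection or WAF layer mentioned above (rate limiting or challenge), while the flagged accounts trigger step-up authentication or a customer notification rather than an outright lock, since locking accounts on failures alone lets an attacker deny service to legitimate users.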