As API Threats Multiply, Cybersecurity Lags

Things are heating up for APIs. API-based startups are catching the eye of investors. Forbes recently called the API economy the “next big thing.” But as they multiply, so do security threats — 91% of organizations experienced an API security incident last year, according to a recent Salt Security report.

APIs open up systems and enable convenient programmability between servers and clients. They’re also used by popular development styles, like microservices architectures, Docker containers and Kubernetes. With so many use cases, it’s clear the value of web APIs is increasing. Yet, tactics to secure them are still lagging, according to Salt Security’s recently published State of API Security – Q1 2021.

The report surveyed over 200 security, application and DevOps professionals across many industries on their API security posture, and revealed eye-opening data from the Salt Security platform. The findings provide a clear view through a previously opaque window into these ongoing security woes. Below, we discover how many API exploits, on average, enterprises are facing, and highlight practices to mitigate common vulnerabilities.

API Attacks Are On the Rise

APIs expose data centers, integrate cloud environments and are at the heart of many microservices architectures. They often touch sensitive data, making them prime targets for attack.

The report found that in 2020, a startling 91% of organizations experienced an API security incident. On a per-month basis, 84% of companies suffered at least 10 such attacks. Common API security problems include vulnerabilities, authentication issues, bots and web-scraping and denial of service (DoS) attacks.

The rate of attacks is increasing, as well. By overviewing their internal customer data, Salt Security found the number of API attacks per month increased by 60% from June to December of last year. Such vulnerabilities are compounded by the fact that many API owners lack visibility into their catalog. Out of the respondents, only 16% said they were confident their API inventory was complete. This could be a result of poor documentation practices and shadow IT.

Holes in API authentication and authorization could cause unauthorized privilege escalation. Or, too often, “private,” undocumented APIs serving data freely over the web suffer from data exposure when noticed and exploited by hackers. These exploits can easily result in data exfiltration, account misuse and platform downtime.

Security’s Status Quo Isn’t Sufficient

Unfortunately, the status quo for API security is still years behind within many enterprises. Just 54% only have basic security in place for production APIs. Furthermore, 82% of organizations say they are not confident in knowing how much personally identifiable information (PII) their endpoints expose. This could include customer proprietary network information (CPNI), cardholder data, social security numbers and other private data.

To plug these gaps, most API owners have turned to web application firewalls (WAFs) and API gateways. However, most attacks are getting through them — the report found “WAFs and API gateways miss 90% of OWASP API Security top 10 threats.”

This means that standard web security mechanisms (TLS, rate limiting, IP blocking) are insufficient. Owners must respond to a widening spectrum of threats. “As APIs have grown in volume and functionality, they’ve made ever more attractive targets for hackers, driving up the number and sophistication of API attacks,” said Roey Eliyahu, CEO and co-founder of Salt Security.

To get an idea of these attack vectors, we can turn to the OWASP API security top 10 list, an industry benchmark for API security analysis. These vulnerabilities include:

  1. Broken Object Level Authorization
  2. Broken Authentication
  3. Excessive Data Exposure
  4. Lack of Resources and Rate Limiting
  5. Broken Function Level Authorization
  6. Mass Assignment
  7. Security Misconfiguration
  8. Injection
  9. Improper Assets Management
  10. Insufficient Logging and Monitoring

Insecure APIs Hurt Business

APIs are now used frequently in partner integrations and monetized as standalone businesses. “In today’s digital economy, APIs are the direct gateway to organizations’ most critical data and assets,” said Eliyahu. Subsequently, if these perils increase, it puts the business in jeopardy.

According to the report, this has already had a measurable impact on business outcomes. For example, 66% of organizations admit to API security concerns slowing a product’s rollout or new feature release.

Ways to Mitigate API Threats

To prevent these attacks, here are some starting points:

  • Mature your API security strategy: As exploits become more advanced, so must the response. This could equate to a greater investment in identity-driven zero-trust systems.
  • Pre-meditation: Anticipate attacks and prepare. Adopt security analysis earlier on in a development phase to avoid production mistakes.
  • Full lifecycle threat protection: Even though 90% of breaches occur at runtime, only 46% of respondents apply runtime protection. Shift-left is popular, but let’s not forget runtime security! It seems we also need API security throughout every phase of the development lifecycle.
  • Track and monitor attacks: Create mechanisms to track and define attacks and respond quickly.
  • Take an API inventory: Also, consider taking better stock of your internal API library (as well as third-party dependencies). This will help find and shutter zombie, outdated APIs, which present the most significant risk. Swagger and Postman ranked high in this study as useful API documentation tools.
  • Use the OWASP top 10 as a benchmark: Review the threat vectors posed by the OWASP top 10 API vulnerability list, and respond. Thankfully, 66% of respondents already consider this a focus area.

Report: Unsettling Findings

“Many findings are quite unsettling,” the report gravely acknowledges. For example, while the monthly volume of API calls grew by 51% over the last year, the percentage of malicious traffic grew by 211%. Attacks are increasing quickly, and show no signs of stopping.

Gartner even went as far as to say that “ … by 2022, API abuses will move from an infrequent to the most-frequent attack vector” in a recent study. APIs are foundational for modern application development, as they are embedded into modern programming styles. For new startups, APIs may compose the core fabric of the overall business. Thus, armoring them against attack has become a top goal for CTOs.

When it comes to API security goals, 61% of respondents ranked “identifying which APIs expose PII or sensitive data” as the top priority. Thwarting attacks, and improving the overall API security posture, is essential to also meet compliance requirements.

We’ve only skimmed the surface of modern API threats and practices to improve your cybersecurity footing. For more findings, visit API Security Trends to view the entire Salt Stack report.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.

Bill Doerrfeld has 105 posts and counting. See all posts by Bill Doerrfeld