API Attack Traffic Grew 300+% In the Last Six Months

A report issued by Salt Labs reveals an unprecedented surge in application programming interface (API) attacks over the past six months. Monthly API call rates increased by 141%, while malicious traffic grew by a whopping 348%. Though the findings are based exclusively on Salt Security customer data, they underscore the broader prevalence of cloud-native vulnerabilities and the need for a more robust cybersecurity response across the IT industry.

The use of APIs continues to proliferate throughout digital transformation initiatives. Following this rise is an increasing number of attacks. When it comes to APIs, nearly half of developers cite security concerns as a top worry. API security threats can delay application rollouts, cause unstable apps and diminish brand reputation—all of which could be costly to the business.

The Q3 2021 State of API Security, the most recent report by Salt Labs, analyzed anonymous data from API providers and surveyed over 200 IT professionals on their API security posture. Below, we’ll review the information to discover factors driving this latest escalation in attacks and briefly suggest how to respond.

The State of API Security

The sheer number of APIs per organization is accelerating dramatically, increasing the number of potential vulnerabilities. The average number of API endpoints within an organization grew from 28 in June 2020 to 89 in 2021. Logically, API call volume has escalated, growing 141% in the last six months. This higher surface area is producing a rise in threats.

It appears that recent digital innovation projects are leading much of this new revolution. The report revealed 61% of businesses now rely on APIs for enabling platform or system integrations. Digital transformation initiatives and improving development efficiency are also common drivers of API usage, at 52% and 47%, respectively. APIs underpin the microservices design trend and are a standard method for machine-to-machine partner integration.

If we look at per-month frequency, we see that more than one in 10 providers have their APIs attacked more than 500 times every month. In fact, 94% of respondents experienced an API security incident in the past 12 months, and malicious traffic now makes up 2.6% of all API traffic. Hackers often leverage API gaps for privilege escalation—with the right access, they can misuse accounts, exfiltrate data or produce denial-of-service attacks. OWASP ranks broken object level authorization as the top issue for API security. Production evidence substantiates this claim, as 39% of respondents said they experienced an issue involving an authentication problem within the past 12 months.

Reasons Behind the Rise in Attacks

There are numerous reasons for the rise in API attacks. Many companies jumped on the API bandwagon quickly without the proper forethought into ongoing maintenance and security. As a result, broken authorization issues are ever-present, making APIs low-hanging fruit for hackers. Private endpoints or undocumented services that traverse the public web aren’t really private at all and will be exploited eventually.

In addition to the lack of DevSecOps preparation, the sheer number of APIs hitting the market is assuredly propelling malicious traffic forward. APIs now account for 80% of total Internet traffic. And Gartner has even gone so far as to say that by 2022, API attacks will become the most frequent attack vector for enterprise web applications.

Internal disagreement around who owns API security could be exacerbating the issue. When asked who is responsible for securing APIs, 21% of respondents said it was developers, while 20% said it was the API team’s responsibility. Another 16% said the onus lies on AppSec, 11% said DevOps, and so on for other granular IT divisions. This indicates rampant confusion around API security ownership within organizations.

Web APIs are a new technical phenomenon within many companies, and API security strategies are still catching up. The report found that 26% have no strategy in place at all for API security. A lack of resources and budgetary constraints could be holding back such initiatives. Furthermore, a lack of observability into the entire API catalog could result in exposed, forgotten endpoints.

Mitigations

Constant security concerns could hinder business innovation. In fact, 64% of organizations report slowing the rollout of a new application due to an API security concern. So, how can API providers mitigate these pressing API threats? Some simple to-dos include adding up your company’s total API inventory, addressing the OWASP API Security Top 10 Vulnerabilities and introducing more advanced tooling.

Many providers have a hazy perception of their API catalog. The majority of respondents, 85%, say they lack confidence that their API inventory is complete. What’s worse, 85% of respondents lack confidence that they know which APIs expose sensitive data. Legacy “zombie APIs” that were never fully sunsetted could be leaking sensitive data unknowingly, resulting in data overexposure. To address these concerns, organizations should strive to obtain a better picture of the entire API catalog.

Also, since there appears to be confusion around who owns API security, organizations will have to come together to delegate clearer responsibilities. Thankfully, this is already occurring within most organizations, as two-thirds of respondents say security and DevOps teams are collaborating or combining their efforts to address security.

In terms of tools, legacy firewalls—and even more modern API gateways—are ineffective in preventing every attack type. Only 16% of respondents find existing tooling very effective in identifying API attacks. The report suggests that a shift-left mindset is insufficient for discovering daily threats, and companies should be augmenting web application firewalls (WAFs) and API gateways with runtime protection for production settings. To enable this, artificial intelligence (AI) and machine learning (ML) will likely contribute to detecting suspicious behavior and preventing API attacks before they occur.

API Security Implications

Digital transformation truly spiked throughout the pandemic as businesses turned toward remote work alternatives. This is evidenced by the extreme rise in API exploits in recent months. Especially as high-value institutions like financial services turn digital, such doorways become an alluring point of attack, beckoning organizations to prepare with the proper locks.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst based in Seattle. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high impact blog on API strategy for providers. He loves discovering new trends, researching new technology, and writing on topics like DevOps, REST design, GraphQL, SaaS marketing, IoT, AI, and more. He also gets out into the world to speak occasionally.
