API Attacks Rise 400% in Last Six Months

Attacks on APIs continue to rise sharply. New findings from Salt Labs found a shocking 400% increase in unique API attackers in the last six months. Interestingly, the report also discovered that nearly 80% of attacks occur over authenticated endpoints. Gartner previously predicted that APIs would soon become the most frequent attack vector, and new data seems to be proving these claims.

Overall, API traffic is growing exponentially, mainly due to the proliferation of new web APIs. These endpoints may be built to expose public platforms or to open internal datasets, connect microservices or power digital partner ecosystems. Yet, not all these integration points are secure by design—many suffer from vulnerabilities like broken object-level authorization. Furthermore, API sprawl could produce zombie or shadow APIs left ungoverned. For these reasons, many hackers view APIs as low-hanging fruit.

Below, I’ll share some takeaways from Salt Labs’ State of API Security Q1 2023 report. I also sat down with Stephanie Best, director at Salt Security, to discover why API attacks are accelerating and to consider what best practices organizations can adopt to stem the rising tide of API-related threats.

API Attacks Continue To Rise

The empirical data, compiled by monitoring traffic against the Salt Security customer base, found a significant volume of unique attackers hitting production APIs. “We weren’t expecting to see that volume explode,” said Best. The growth of APIs is accelerating, she explained, and as such, it can be hard to secure this growth, let alone keep up with a constantly evolving catalog.

As organizations produce hundreds if not thousands of APIs, managing the security repercussions is becoming a burden. As a result, 94% of respondents experienced security problems in production APIs in the past year, with 17% stating their organizations suffered a data breach due to security gaps in APIs. Security professionals and API developers tend to fear the prospects of outdated zombie endpoints, account takeover and denial-of-service attacks the most.

Common API security problems include vulnerabilities, authentication issues, sensitive data exposure, brute force attacks and other issues. And if we map the most common attack types to the OWASP API Security Top 10, the top risks include API8:2019 Injection (29%), API7:2019 Security Misconfiguration (23%), API4:2019 Lack of Resources & Rate Limiting (20%) and API2:2019 Broken User Authentication (9%).

According to Best, the key reason behind the increase in attack traffic comes down to volume. API usage has exploded and has become ingrained into many aspects of a business. Even non-technical businesses are transforming into software companies and, as they do so, they become reliant upon internal and third-party cloud APIs as they modernize their software architecture. Yet, traditional security tools just aren’t well-equipped to spot business logic gaps, said Best.

New Results: Authenticated API Attacks, Development Slows

Interestingly, 78% of attacks come from authenticated users, indicating that attackers commonly attempt to achieve authentication and pose as legitimate users. Attackers have become smarter and have learned how to manipulate APIs to escalate their privileges and acquire information they shouldn’t have access to, explained Best. This could be as simple as switching out a unique identifier in the HTTP call to request information from another account. Gaps within the business logic like this might emerge due to continual development and a lack of security oversight.
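The identifier swap Best describes is the OWASP API1:2019 Broken Object Level Authorization pattern: the caller is authenticated, but nothing checks that the object they name is theirs. The following is an added example, not code from the article or from Salt Security, that models that flaw beside the hardened handler. The account records, session tokens, field names and the `Request`/`Response` types are all constructed for the demonstration.

```python
"""Added example (not from the article): a minimal model of broken
object-level authorization (BOLA) beside a hardened handler.
All records, tokens and names are constructed for the demo."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two customers, two accounts.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 2500},
    1002: {"owner": "bob", "balance": 80},
}
# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    token: str        # bearer token from the Authorization header (hypothetical)
    account_id: int   # object identifier taken from the URL path


@dataclass
class Response:
    status: int
    body: dict


def authenticate(req: Request) -> Optional[str]:
    """Resolve the caller's identity from the token; None if unknown."""
    return SESSIONS.get(req.token)


def get_account_vulnerable(req: Request) -> Response:
    """Authenticated but NOT authorized: any valid user can read any account
    simply by changing the identifier in the request (API1:2019 BOLA)."""
    user = authenticate(req)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    record = ACCOUNTS.get(req.account_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def get_account_hardened(req: Request) -> Response:
    """Same handler with the object-level check: the record's owner must be
    the authenticated caller. Returning 404 rather than 403 for someone
    else's record avoids confirming that the identifier exists."""
    user = authenticate(req)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    record = ACCOUNTS.get(req.account_id)
    if record is None or record["owner"] != user:
        return Response(404, {"error": "not found"})
    return Response(200, record)


if __name__ == "__main__":
    # bob, correctly authenticated, asks for alice's account by swapping the id
    cross_tenant = Request(token="tok-bob", account_id=1001)
    print("vulnerable:", get_account_vulnerable(cross_tenant))
    print("hardened:  ", get_account_hardened(cross_tenant))
```

The point of the pair is that the vulnerable handler does everything a WAF or gateway can see (a valid token, a well-formed request) and still leaks another tenant's data; the fix is an ownership check inside the business logic, which is exactly the layer traditional tooling does not inspect.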

API attacks could lead to stolen data or account escalation, resulting in penalty fees and a loss of reputation. But API security problems can affect a business in different ways. Namely, it can slow down development—59% reported they have had to slow the rollout of new applications because of API security concerns.

Mitigations

Clearly, APIs are a top cybersecurity concern in 2023. So what are some best practices organizations can apply to protect their API catalog?

Level up the API protection layer. One method is to evolve the existing API protection tools in place. Most organizations rely on traditional methods like web application firewalls (WAFs), API gateways and analyzing log files. Yet only 23% of respondents believed their existing security approaches are very effective at preventing API attacks, found the report.

Map your surface area and reduce shadow APIs. Another reason API attacks are prevalent is that organizations often don’t know the APIs exist. The Salt team shared that, when exploring a new customer environment, they typically find between 40% and 80% previously unknown, undocumented APIs. In other words, there could be upwards of 8X more unknown, undocumented APIs than known APIs within a given environment. Therefore, it’s important to first discover your internal APIs to map your surface area.
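One low-cost way to start that discovery is to compare the routes actually serving traffic at the gateway with the routes the team has documented. The following is an added example, not Salt Security's tooling or anything from the report: it parses a constructed access-log excerpt, collapses object identifiers so that `/users/8213` and `/users/8214` count as one route, and reports every route with successful traffic that is missing from a constructed OpenAPI-style inventory.

```python
"""Added example (not from the article or Salt Security): find undocumented
("shadow") API routes by diffing gateway access logs against the documented
inventory. The log lines and the inventory are constructed for the demo."""
import re
from collections import Counter

# Constructed inventory: the endpoints the team believes it has, as templates.
DOCUMENTED = {
    ("GET", "/api/v2/users/{id}"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/orders/{id}"),
}

# Constructed access-log excerpt (common log format: method, path, status, bytes).
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /api/v2/users/8213 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2023:10:01:03 +0000] "GET /api/v2/orders/4411 HTTP/1.1" 200 980
10.0.0.9 - - [12/Mar/2023:10:02:17 +0000] "GET /api/v1/users/8213/export HTTP/1.1" 200 40960
10.0.0.9 - - [12/Mar/2023:10:02:18 +0000] "GET /api/v1/users/8214/export HTTP/1.1" 200 40221
10.0.0.7 - - [12/Mar/2023:10:03:44 +0000] "POST /api/v2/orders HTTP/1.1" 201 120
10.0.0.7 - - [12/Mar/2023:10:04:01 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.7 - - [12/Mar/2023:10:04:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.3 - - [12/Mar/2023:10:05:00 +0000] "GET /api/v2/admin/users HTTP/1.1" 404 31
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Path segments that look like object identifiers: integers, UUIDs, long hex strings.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{16,})$",
    re.IGNORECASE,
)


def normalize(path: str) -> str:
    """Collapse concrete identifiers to {id} and drop the query string."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))


def observed_routes(log_text: str) -> Counter:
    """Map (method, route template) -> hit count for every 2xx request in the log."""
    routes = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        if not m["status"].startswith("2"):
            continue  # a 404 on a probe is not evidence that the route exists
        routes[(m["method"], normalize(m["path"]))] += 1
    return routes


def shadow_apis(log_text: str, documented=DOCUMENTED) -> dict:
    """Routes serving real traffic that are absent from the inventory, with hit counts."""
    return {r: n for r, n in observed_routes(log_text).items() if r not in documented}


if __name__ == "__main__":
    for (method, route), hits in sorted(shadow_apis(ACCESS_LOG).items()):
        print(f"undocumented: {method} {route}  ({hits} hits)")
```

Only 2xx responses are counted so that scanner noise against non-existent paths does not inflate the inventory, and the old `/api/v1/.../export` route shows up as exactly the kind of zombie endpoint the report's respondents say they fear most. In practice the inventory side would be generated from the OpenAPI documents the team actually maintains, and the log side from the gateway or load balancer rather than an embedded string.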

Don’t let API security depend on testing definitions. We like to think that most API developers work specification-first and document every new API. But, in reality, things are usually far from this ideal. “Schema testing is a great intro step, but it only scratches the surface of what that API is going to become and how people are going to manipulate it,” said Best. Areas like runtime testing and contract testing have risen as strategies to validate real-world behaviors, perhaps due to the inconsistencies between documentation and production behavior.
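A concrete form of the runtime contract testing mentioned above is to take what a production endpoint actually returns and diff it against the documented response schema, so that drift (an undocumented field that leaks data, a type that changed) is caught in production rather than assumed away by a schema test at build time. The following is an added example, not from the article; the simplified OpenAPI-style schema, the captured response body and the field names are all constructed.

```python
"""Added example (not from the article): a runtime contract check that compares
a production response against the documented response schema and reports
drift. The schema and the captured body are constructed for the demo."""
import json

# Constructed: documented schema for GET /users/{id} (OpenAPI-style, simplified).
DOCUMENTED_SCHEMA = {
    "type": "object",
    "required": ["id", "display_name"],
    "properties": {
        "id": {"type": "integer"},
        "display_name": {"type": "string"},
        "email": {"type": "string"},
    },
    "additionalProperties": False,  # the spec promises nothing else is returned
}

# Constructed: the body actually observed at runtime. It has drifted: two
# undocumented fields appear, and "id" is now a string.
OBSERVED_RESPONSE = json.dumps({
    "id": "8213",
    "display_name": "A. Example",
    "email": "a@example.test",
    "password_hash": "$2b$12$placeholder-not-a-real-hash",
    "is_admin": False,
})

# JSON Schema type name -> Python types accepted for it.
JSON_TYPES = {
    "integer": int, "string": str, "boolean": bool,
    "number": (int, float), "object": dict, "array": list,
}


def _matches(value, type_name: str) -> bool:
    """Type check that keeps integer and boolean distinct (bool subclasses int)."""
    expected = JSON_TYPES[type_name]
    if isinstance(value, bool):
        return type_name == "boolean"
    return isinstance(value, expected)


def contract_violations(schema: dict, body: str) -> list:
    """Return human-readable findings; an empty list means the body matches the contract."""
    findings = []
    data = json.loads(body)
    if not isinstance(data, dict):
        return ["top-level value is not an object"]
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in data:
            findings.append(f"missing required field '{name}'")
    for name, value in data.items():
        if name not in props:
            if not schema.get("additionalProperties", True):
                findings.append(f"undocumented field '{name}' returned (possible data exposure)")
            continue
        declared = props[name]["type"]
        if not _matches(value, declared):
            findings.append(f"field '{name}' is {type(value).__name__}, spec says {declared}")
    return findings


if __name__ == "__main__":
    for finding in contract_violations(DOCUMENTED_SCHEMA, OBSERVED_RESPONSE):
        print("contract drift:", finding)
```

Run against a sample of real responses on a schedule (or as an assertion in an integration test that calls the deployed service), the check turns the documentation into something the runtime is held to, which is what a schema test of the request side alone cannot do.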

Final Thoughts

The number of APIs within an average organization continues to grow. A full 59% of respondents now manage more than 100 APIs. Yet, their security posture is still maturing. Security professionals need to come to terms with how to prevent future attacks, as well as how to efficiently discover unknown endpoints—especially those that handle sensitive data. Thankfully, more teams might soon have the resources they need to execute API security. Because of the seriousness API security threats pose, nearly half (48%) of respondents said that API security has become a C-level discussion within their organization.

Salt Labs’ State of API Security Q1 2023 report gathered real-world data from its customer base and surveyed 400 security professionals and API developers. You can pick up a copy behind an email gate here for the complete insights.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst based in Seattle. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high impact blog on API strategy for providers. He loves discovering new trends, researching new technology, and writing on topics like DevOps, REST design, GraphQL, SaaS marketing, IoT, AI, and more. He also gets out into the world to speak occasionally.