FireTail Report Finds API Security Breaches are few but Lethal
An analysis of cybersecurity breaches in 2022 conducted by FireTail, a provider of a platform for securing application programming interfaces (APIs), found only 12 publicly recorded breaches involving APIs, with six more being disclosed thus far in 2023.
However, the mean exposure of an API data breach is over 10 million records per incident. With the total cost of a single breached record being $180, the total cost of API security breaches can easily be as high as $85 billion, the report found.
The top two categories of data breaches involving API security are authorization at 135 million records, or 28% of all records breached, and authentication, at 105 million records, or 22% of all records breached.
FireTail CEO Jeremy Snyder said that with more than 85% of internet traffic moving across APIs, it’s now only a matter of time before the number of API security breaches and the total cost increases. Unfortunately, the level of focus on API security is not commensurate with the potential risk to the business, he added.
In addition, the level of available API security expertise remains limited. For example, one often overlooked consideration in the authentication process is the need to validate authentication credentials repeatedly and to bind credentials to an active session. Long-lived credentials, like static API keys, are subject to secrets sprawl. Some common authentication mechanisms may even introduce vulnerabilities into APIs.
As such, it’s important that APIs are designed to force re-authentication on a regular basis rather than only checking whether a token conforms to the expected format.
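To make the distinction concrete, here is an added illustration (not code from FireTail or the report) contrasting a format-only token check with a check that verifies the signature, the binding to a live server-side session, and a re-authentication interval on every request. The signing key, session registry, and `REAUTH_INTERVAL` are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed demo signing key; a real service loads this from a secret store.
DEMO_KEY = b"demo-signing-key-not-for-production"
REAUTH_INTERVAL = 900  # seconds a token may be used before the client must re-authenticate

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def issue_token(session_id: str, subject: str, issued_at: float) -> str:
    """Mint an HMAC-signed token bound to one server-side session."""
    payload = _b64(json.dumps({"sid": session_id, "sub": subject, "iat": issued_at}).encode())
    sig = _b64(hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def format_only_check(token: str) -> bool:
    """The weak pattern the article warns about: accept anything shaped like a token."""
    return re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+", token) is not None

def validate_token(token: str, active_sessions: dict, now: float) -> bool:
    """Verify signature, session binding and re-authentication interval on every call."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return False
    expected = _b64(hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    session = active_sessions.get(claims["sid"])
    if session is None or session["sub"] != claims["sub"]:
        return False  # session revoked or logged out, or token bound to another principal
    if now - claims["iat"] > REAUTH_INTERVAL:
        return False  # too old: demand fresh authentication instead of trusting it forever
    return True
```

Revoking the session (deleting its entry from `active_sessions`) invalidates an otherwise well-formed, correctly signed token immediately, which a format-only check can never do.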
It’s not always clear who is responsible for API security. But as cybercriminals appreciate how much data can be extracted via an API, there is clearly a need for more collaboration between cybersecurity teams tasked with protecting those APIs and the developers that create them.
More challenging still, the number of APIs being deployed in production environments has expanded greatly, thanks mainly to the rise of microservices-based applications that make extensive use of them. It’s also not uncommon for developers to have deployed a so-called zombie API that is no longer supported but can still be accessed and manipulated by external threat actors. In addition, there are often rogue APIs that have been set up without anyone in IT knowing about them. The biggest issue cybersecurity teams will encounter with APIs is that it’s not possible to protect what they don’t know about, noted Snyder.
In theory, at least, application development teams that embrace DevSecOps practices for building and deploying applications will assume more responsibility for securing APIs, but it’s always going to be the cybersecurity team that will be held accountable for any breach. However, historically, cybersecurity teams have focused more on securing perimeters and endpoints, so most of the budget dollars allocated for cybersecurity are not being applied to APIs.
That may change in the months ahead as API breaches become more commonplace. In the meantime, cybersecurity teams should—at the very least—create an inventory of the APIs they know about and are charged with protecting, regardless of who created them.