Cyberattacks Increasingly Target APIs

A survey of 1,629 cybersecurity professionals found that nearly three-quarters (74%) work for organizations that suffered three or more breaches involving application programming interfaces (APIs) in the past two years.

Conducted by the Ponemon Institute on behalf of Traceable AI, a provider of a platform for securing APIs, the survey found 61% of respondents anticipate that API-related threats will increase in the next two years. More than half (58%) agreed that APIs substantially expand the attack surface that needs to be defended.

Organizations have, on average, 127 third-party API connections, but only a third (33%) are confident in their ability to manage external threats, the survey found. Nearly half of respondents (48%) are still trying to get API sprawl under control, and over a third (39%) said keeping an accurate inventory of their organization's APIs is a challenge.

Richard Bird, chief security officer for Traceable AI, said despite an increasing number of API-related breaches, few organizations are taking the threat seriously enough. Only 52% of respondents felt the urgency to understand the most vulnerable APIs based on a security risk profile. A slightly higher percentage (54%) deemed the identification of sensitive data handling API endpoints as a high priority.

Too many organizations are under the impression that existing tools, such as web application firewalls (WAFs), sufficiently protect their APIs, added Bird. In fact, 57% of survey respondents said traditional security solutions such as WAFs cannot effectively distinguish genuine from fraudulent API activity. Only 38% said their tools could correlate API activity with user behavior and data flows.

There’s a debate within the cybersecurity community over whether existing approaches to application security adequately cover API security or whether a platform dedicated to that specific task is required. In many cases, APIs are now created by teams of developers that have little to do with the development of the application itself. Traceable AI and other providers of API security platforms contend that API security has emerged as a separate discipline. They argue that organizations require tools that discover rogue APIs (exposed but never inventoried) and zombie APIs (inventoried but abandoned), and that detect attackers abusing business logic to exfiltrate data.
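To make the two detection problems in that paragraph concrete, here is an added example (not code from the article, Traceable AI, or any vendor) that reconciles observed traffic against a documented inventory to flag rogue and zombie endpoints, and then flags a principal walking through many distinct object IDs on one route, which is the kind of business-logic abuse a route-matching WAF rule does not see. The inventory, the log lines, the principal names and the threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory (hypothetical organisation): routes the organisation
# believes it exposes, as (METHOD, path template) pairs with {name}
# placeholders in the style of an OpenAPI document.
INVENTORY = {
    ("GET", "/v1/users/{id}"),
    ("GET", "/v1/orders/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v0/export"),   # documented but never retired: a zombie candidate
}

# Constructed access-log sample: "METHOD path status principal".
SAMPLE_LOG = """\
GET /v1/users/1001 200 alice
GET /v1/orders/77 200 alice
POST /v1/orders 201 alice
GET /v1/users/2001 200 bob
GET /v1/users/2002 200 bob
GET /v1/users/2003 200 bob
GET /v1/users/2004 200 bob
GET /v1/users/2005 200 bob
GET /v1/users/2006 200 bob
GET /v1/admin/debug 200 bob
GET /internal/metrics 200 scraper
"""


def compile_route(template):
    """Turn '/v1/users/{id}' into an anchored regex with a named group per placeholder."""
    parts = re.split(r"\{(\w+)\}", template)  # literals at even indices, names at odd
    pattern = "".join(
        re.escape(part) if i % 2 == 0 else f"(?P<{part}>[^/]+)"
        for i, part in enumerate(parts)
    )
    return re.compile("^" + pattern + "$")


def parse_log(text):
    """Yield (method, path, status, principal) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            method, path, status, principal = line.split()
            yield method, path, int(status), principal


def match_route(method, path, compiled):
    """Return (template, captured params) for the inventory route matching a request, else None."""
    for (m, template), regex in compiled.items():
        if m == method:
            hit = regex.match(path)
            if hit:
                return template, hit.groupdict()
    return None


def reconcile(log_text, inventory):
    """Rogue = observed but undocumented; zombie = documented but never observed."""
    compiled = {route: compile_route(route[1]) for route in inventory}
    seen = defaultdict(int)
    rogue = set()
    for method, path, _status, _who in parse_log(log_text):
        hit = match_route(method, path, compiled)
        if hit is None:
            rogue.add((method, path))          # nothing in the spec explains this call
        else:
            seen[(method, hit[0])] += 1
    zombie = {route for route in inventory if seen.get(route, 0) == 0}
    return {"rogue": rogue, "zombie": zombie, "seen": dict(seen)}


def detect_enumeration(log_text, inventory, threshold=5):
    """Flag principals that touch more than `threshold` distinct object IDs on one parameterised route.

    Each request is individually valid, so a per-request WAF rule passes it;
    only correlating requests per principal exposes the enumeration.
    """
    compiled = {route: compile_route(route[1]) for route in inventory}
    ids = defaultdict(set)
    for method, path, _status, who in parse_log(log_text):
        hit = match_route(method, path, compiled)
        if hit is None or not hit[1]:
            continue                            # unknown route or no object ID to enumerate
        template, params = hit
        ids[(who, method, template)].add(tuple(sorted(params.items())))
    return sorted(
        (who, method, template, len(objs))
        for (who, method, template), objs in ids.items()
        if len(objs) > threshold
    )


if __name__ == "__main__":
    print(reconcile(SAMPLE_LOG, INVENTORY))
    print(detect_enumeration(SAMPLE_LOG, INVENTORY))
```

On the sample data, the two undocumented paths come back as rogue, the documented but idle `/v0/export` route comes back as a zombie, and `bob` is flagged for reading six distinct user records while `alice` is not. The threshold (5 here) is an assumption; in practice it would be tuned per route against a baseline of normal per-principal behavior.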

The survey found that, on average, only 40% of an organization’s APIs are continually tested for vulnerabilities. Respondents were correspondingly pessimistic: organizations are confident in preventing, on average, only 26% of API attacks, and only 21% of API attacks are effectively detected and contained. Overall, the survey found the most commonly reported attack vector against APIs was distributed denial of service (DDoS) (38%).

Of course, if developers secure APIs as they create them, there will be less strain on cybersecurity teams. The challenge is that developers will always have varying levels of security expertise, so some APIs will always be insufficiently secured. As the number of applications with externally facing APIs grows, so does the probability of a breach that cybersecurity teams would have been expected to prevent.

Each organization will need to determine what level of API risk they are willing to assume as cybercriminals become more adept at exploiting their weaknesses.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
