Modern attack vectors exploit the excessive openness of the digital infrastructure.
In a recent report titled "API Security Status in 2024" from Imperva, it was revealed that the majority of Internet traffic (about 70%) is accounted for by API calls. So, in 2023, the average corporate website processed about 1.5 billion API calls per year, which emphasizes the role of technology as the "connective tissue" of digital modernization.
The huge volume of Internet traffic passing through the API should be a concern for every security professional. Despite all efforts to implement shift-left frameworks and SDLC processes, APIs are often still put into production before they are cataloged, authenticated, and validated.
On average, organizations have 613 API endpoints in production, but this number is growing rapidly as the need for faster and more efficient delivery of digital services to customers grows. Over time, these APIs can become dangerous and vulnerable endpoints.
In its report, Imperva concludes that APIs are now a fairly common attack vector for cybercriminals, as they represent a direct way to access sensitive data. For example, a recent study conducted by the Marsh MacLennan Center for Cyber Risk Analysis in collaboration with Imperva shows that API-related security incidents cost global businesses $ 75 billion annually.
In 2023, the largest number of API calls were registered in banking and online retail, making financial services the main target of API-related attacks. Cybercriminals use various methods to attack API access points, including through account hijacking, in which they exploit vulnerabilities in API authentication processes to gain unauthorized access to accounts.
Mismanagement of the API creates unique challenges for security teams, in part due to the rapid pace of software development and the lack of mature tools and processes for collaboration between developers and security teams. As a result, almost every tenth API is vulnerable to attacks due to improper management, lack of monitoring, or insufficient authentication control.
To reduce the security risks associated with improper API management, we recommend conducting regular audits to identify uncontrolled or unauthenticated API access points. Continuous monitoring can help detect attempts to exploit vulnerabilities associated with these access points in a timely manner. In addition, developers should regularly update and upgrade the API to ensure that legacy endpoints are replaced with safer alternatives in a timely manner.
Imperva offers several recommendations for improving the security of organizations ' APIs. Among them, for example:
All these measures can help organizations ensure a higher level of security for their digital infrastructure and protect themselves from potential attacks by cybercriminals who purposefully exploit API vulnerabilities.
As the volume of API usage continues to grow, the importance of strong security and active API management becomes even more obvious to prevent data leaks, unexpected financial losses, and reputation damage.
In a recent report titled "API Security Status in 2024" from Imperva, it was revealed that the majority of Internet traffic (about 70%) is accounted for by API calls. So, in 2023, the average corporate website processed about 1.5 billion API calls per year, which emphasizes the role of technology as the "connective tissue" of digital modernization.
The huge volume of Internet traffic passing through the API should be a concern for every security professional. Despite all efforts to implement shift-left frameworks and SDLC processes, APIs are often still put into production before they are cataloged, authenticated, and validated.
On average, organizations have 613 API endpoints in production, but this number is growing rapidly as the need for faster and more efficient delivery of digital services to customers grows. Over time, these APIs can become dangerous and vulnerable endpoints.
In its report, Imperva concludes that APIs are now a fairly common attack vector for cybercriminals, as they represent a direct way to access sensitive data. For example, a recent study conducted by the Marsh MacLennan Center for Cyber Risk Analysis in collaboration with Imperva shows that API-related security incidents cost global businesses $ 75 billion annually.
In 2023, the largest number of API calls were registered in banking and online retail, making financial services the main target of API-related attacks. Cybercriminals use various methods to attack API access points, including through account hijacking, in which they exploit vulnerabilities in API authentication processes to gain unauthorized access to accounts.
Mismanagement of the API creates unique challenges for security teams, in part due to the rapid pace of software development and the lack of mature tools and processes for collaboration between developers and security teams. As a result, almost every tenth API is vulnerable to attacks due to improper management, lack of monitoring, or insufficient authentication control.
To reduce the security risks associated with improper API management, we recommend conducting regular audits to identify uncontrolled or unauthenticated API access points. Continuous monitoring can help detect attempts to exploit vulnerabilities associated with these access points in a timely manner. In addition, developers should regularly update and upgrade the API to ensure that legacy endpoints are replaced with safer alternatives in a timely manner.
Imperva offers several recommendations for improving the security of organizations ' APIs. Among them, for example:
- Discover, classify, and inventory all APIs, endpoints, parameters, and payloads. Use continuous detection to maintain a constantly updated API inventory and detect sensitive data leaks.
- Identify and protect sensitive and high-risk APIs. Conduct risk assessments that specifically target vulnerable API endpoints, especially those that are susceptible to authorization and authentication violations, as well as excessive data disclosure.
- Install a robust monitoring system for API endpoints to proactively detect and analyze suspicious behaviors and access patterns.
- Implement an API security approach that combines Web Application Firewall (WAF), API protection, DDoS attack prevention, and anti-bot protection. A comprehensive set of mitigation options offers flexibility and advanced protection against increasingly complex API threats, such as attacks on business logic, which are particularly difficult to defend against because they are unique to each API.
All these measures can help organizations ensure a higher level of security for their digital infrastructure and protect themselves from potential attacks by cybercriminals who purposefully exploit API vulnerabilities.
As the volume of API usage continues to grow, the importance of strong security and active API management becomes even more obvious to prevent data leaks, unexpected financial losses, and reputation damage.
