Application programming interfaces (APIs) are the connective tissue behind digital modernization, allowing applications and databases to exchange data more effectively. His 2024 State of API Security report by Thales’ Imperva found that the majority of internet traffic in 2023 (71%) was API calls. Additionally, a typical enterprise site made an average of 1.5 billion API calls in 2023.
The sheer volume of internet traffic passing through APIs is a concern for all security professionals. Despite best efforts to implement shift-left frameworks and SDLC processes, APIs are often pushed into production before being cataloged, certified, or audited. On average, organizations have 613 API endpoints in production, but that number is rapidly growing as pressure increases to deliver digital services to customers faster and more efficiently. Over time, these APIs can become dangerous and vulnerable endpoints.
Imperva concludes in its report that APIs are now a common attack vector for cybercriminals, as they are a direct route to accessing sensitive data. In fact, a study by the Marsh McLennan Center for Cyber Risk Analysis found that API-related security incidents cost businesses around the world as much as $75 billion annually.
More API calls mean more problems
Banking and online retail reported the highest volume of API calls compared to other industries in 2023. Both industries rely on large API ecosystems to provide digital services to their customers. It’s no wonder, then, that financial services, including banking, became a prime target for API-related attacks in 2023.
Cybercriminals use a variety of methods to attack API endpoints, but one common attack vector is account takeover (ATO). This attack occurs when cybercriminals gain unauthorized access to your account by exploiting a vulnerability in the API’s authentication process. In 2023, nearly half (45.8%) of all ATO attacks targeted API endpoints. These attempts are often carried out by automation in the form of malicious bots, which are software agents that perform malicious automated tasks. Successful attacks can lock customers out of their accounts, provide criminals with sensitive data, lead to revenue loss, and increase the risk of non-compliance. ATO is a concerning business risk given the value of the data that banks and other financial institutions manage for their customers.
Why mismanaged APIs are a security threat
Mitigating API security risks is a unique challenge that frustrates even the most sophisticated security teams. This problem stems from the fast pace of software development and the lack of mature tools and processes that allow developers and security teams to work more collaboratively. As a result, nearly 1 in 10 APIs are vulnerable to attacks because they were not properly deprecated, not monitored, or lacked sufficient authentication controls.
In its report, Imperva identified three common types of mismanaged API endpoints that pose security risks to organizations: shadow APIs, deprecated APIs, and unauthenticated APIs.
- Shadow API: These are also known as undocumented or undiscovered APIs, which are APIs that are unmonitored, forgotten, and/or outside the visibility of security teams. Imperva estimates that shadow APIs account for his 4.7% of each organization’s active API collection. These endpoints are deployed for a variety of reasons, from software testing purposes to use as connectors to third-party services. Problems arise if these API endpoints are not properly cataloged or managed. Businesses should be concerned about shadow APIs because they typically have access to sensitive information, but no one knows where they reside or what they are connected to. A single shadow API can lead to compliance violations and regulatory fines, or worse, motivated cybercriminals can exploit it to access your organization’s sensitive data.
- Deprecated APIs: Deprecating API endpoints is a natural progression in the software lifecycle. As a result, software is updated at a rapid and continuous pace, so the existence of deprecated APIs is not uncommon. In fact, Imperva estimates that deprecated APIs account for an average of 2.6% of an organization’s collection of active APIs. When an endpoint is deprecated, services that support such endpoints are updated and requests to the deprecated endpoint fail. However, if services are not updated and APIs are not removed, endpoints become vulnerable due to lack of required patches and software updates.
- Unauthenticated API: Uncertified APIs are often introduced as a result of misconfigurations, oversights caused by a rushed release process, or the relaxation of strict certification processes to accommodate older versions of software. These APIs account for an average of 3.4% of an organization’s active API collection. The presence of unauthenticated APIs poses a significant risk to organizations as sensitive data and functionality can be exposed to unauthorized users, potentially leading to data breaches and system manipulation.
To reduce the various security risks posed by API mismanagement, we recommend conducting regular audits to identify unmonitored or unauthorized API endpoints. Continuous monitoring can help detect attempts to exploit vulnerabilities related to these endpoints. Additionally, developers should regularly update and upgrade their APIs to ensure that deprecated endpoints are replaced with more secure alternatives.
How to secure your API
Imperva provides several recommendations to help organizations improve their API security posture.
- Discover, classify, and inventory all your APIs, endpoints, parameters, and payloads. Use continuous discovery to always maintain an up-to-date API inventory and disclose sensitive data exposure.
- Identify and secure sensitive and high-risk APIs. Perform risk assessments specifically targeting API endpoints that are vulnerable to unauthorized authorization and authentication and excessive data leakage.
- Establish a robust monitoring system for your API endpoints to proactively detect and analyze suspicious behavior and access patterns.
- Adopt an API security approach that integrates a web application firewall (WAF), API protection, distributed denial of service (DDoS) prevention, and bot protection. Comprehensive mitigation options provide flexibility and advanced protection against increasingly sophisticated API threats, including business logic attacks. These threats are particularly difficult to defend against because they are unique to each API.
