APIs Serve as the Backbone of Internet Traffic and Present Opportunities for Cybercriminals

Application Programming Interfaces (APIs) play a vital role in facilitating digital transformation by enabling the exchange of data between applications and databases. According to the 2024 State of API Security Report by Imperva, a Thales company, APIs accounted for a significant portion of internet traffic, comprising 71% of all web traffic in 2023. Additionally, a typical enterprise website recorded an average of 1.5 billion API calls during the same period.

The substantial volume of internet traffic flowing through APIs raises concerns for cybersecurity professionals. Despite efforts to implement robust security measures, APIs are often integrated into production environments without adequate classification, verification, or scrutiny. On average, organizations maintain 613 API endpoints in production, a number that continues to grow rapidly as the demand for efficient digital services intensifies. Over time, these APIs can become vulnerable endpoints susceptible to exploitation.

Imperva’s report highlights APIs as a common target for cybercriminals due to their direct access to sensitive data. A study conducted by the Marsh McLennan Cyber Risk Analytics Center suggests that API-related security incidents incur an annual cost of up to $75 billion for global businesses.

Increased API Usage Presents Security Challenges Across Industries

Industries such as banking and online retail reported the highest volumes of API calls in 2023, reflecting their reliance on extensive API ecosystems to deliver digital services to customers. Consequently, financial services, including banking, emerged as primary targets for API-related attacks during the same period.

Cybercriminals employ various tactics to exploit API endpoints, with Account Takeover (ATO) being a prevalent method. ATO attacks involve leveraging vulnerabilities in API authentication processes to gain unauthorized access to accounts. In 2023, nearly half (45.8%) of all ATO attacks targeted API endpoints, often executed through automated means such as malicious bots. Successful attacks can result in account lockouts, data breaches, revenue loss, and regulatory non-compliance, posing significant risks to organizations managing sensitive customer data.

Identifying and Mitigating API Security Risks

Mitigating API security risks presents a considerable challenge, exacerbated by the rapid pace of software development and the lack of mature tools and processes. Imperva identifies three common types of mismanaged API endpoints: shadow APIs, deprecated APIs, and unauthenticated APIs.

Shadow APIs, also known as undocumented or undiscovered APIs, constitute approximately 4.7% of an organization’s active API collection. These endpoints, often overlooked and outside the purview of security teams, pose significant risks as they may provide unauthorized access to sensitive data without proper oversight.

Deprecated APIs, accounting for around 2.6% of active APIs, represent another security challenge. Failure to update or remove deprecated endpoints leaves them vulnerable to exploitation due to the absence of necessary patches and updates.

Unauthenticated APIs, making up approximately 3.4% of active APIs, are particularly concerning as they expose sensitive data and functionality to unauthorized users, potentially leading to data breaches and system manipulation.

To address these challenges, organizations are advised to conduct regular audits to identify and monitor API endpoints effectively. Continuous monitoring helps detect suspicious activities and access patterns, while developers should prioritize updating and upgrading APIs to replace deprecated endpoints with more secure alternatives.

Enhancing API Security Measures

Imperva recommends several strategies to bolster API security:

1. Discover, classify, and inventory all APIs, endpoints, parameters, and payloads to maintain an up-to-date API inventory and identify sensitive data exposure.
2. Identify and prioritize protection for high-risk APIs vulnerable to authentication vulnerabilities and excessive data exposure through risk assessments.
3. Establish robust monitoring systems to actively detect and analyze suspicious behaviors and access patterns.
4. Adopt a comprehensive API security approach incorporating Web Application Firewall (WAF), API Protection, Distributed Denial of Service (DDoS) prevention, and Bot Protection to mitigate various API threats effectively, including business logic attacks.

By implementing these measures, organizations can strengthen their API security posture and mitigate the risks associated with the increasing reliance on APIs in modern digital environments.