APIs Under Attack: $75 Billion Annual Cost

In a recent report titled “The State of API Security in 2024” by Imperva, it was revealed that the majority of internet traffic, approximately 70%, is attributed to API calls. In 2023, an average corporate website processed about 1.5 billion API calls annually, underscoring the role of technology as the “connective tissue” of digital modernization.

The vast volume of internet traffic coursing through APIs should be a matter of concern for every security professional. Despite concerted efforts to implement frameworks like shift-left and SDLC processes, API interfaces often proceed to production before being cataloged, authenticated, and verified.

On average, organizations have 613 API endpoints in production, a number that is rapidly increasing as the demand for faster and more efficient digital services to customers grows. Over time, these APIs can become perilous and vulnerable endpoints.

Moobot botnet

In its report, Imperva concludes that APIs are now a commonplace vector of attack for cybercriminals, as they offer a direct pathway to sensitive data. A recent study conducted by Marsh McLennan’s Cyber Risk Analytics Center in collaboration with Imperva shows that security incidents related to APIs cost the global business community $75 billion annually.

In 2023, the highest number of API calls were recorded in the banking sector and online retail, making financial services the primary target for API-related attacks. Cybercriminals employ various methods to attack API access points, including account takeovers, where they exploit vulnerabilities in API authentication processes for unauthorized access to accounts.

Improper API management presents unique challenges for security teams, partly due to the rapid pace of software development and the lack of mature tools and processes for collaboration between developers and security teams. As a result, nearly one in ten APIs is vulnerable to attacks due to improper management, lack of monitoring, or inadequate authentication control.

To mitigate security risks associated with improper API management, regular audits are recommended to identify uncontrolled or unauthenticated API access points. Continuous monitoring can help timely detect attempts to exploit vulnerabilities associated with these access points. Furthermore, developers should regularly update and modernize APIs to ensure that outdated endpoints are replaced with safer alternatives.

Imperva offers several recommendations for improving the protection of organizations’ APIs. Among them are:

  • Detecting, classifying, and inventorying all APIs, endpoints, parameters, and payloads. Using continuous detection to maintain an up-to-date inventory of APIs and identifying leaks of sensitive data.
  • Identifying and protecting sensitive and high-risk APIs. Conducting risk assessments specifically targeted at vulnerable API endpoints, especially those susceptible to authorization and authentication breaches, as well as excessive data exposure.
    – Establishing a robust monitoring system for API endpoints to actively detect and analyze suspicious behaviors and access patterns.
  • Implementing an API security approach that combines a Web Application Firewall (WAF), API protection, DDoS prevention, and bot protection. A comprehensive set of mitigation options offers flexibility and advanced protection against increasingly complex threats to APIs, such as business logic attacks, which are particularly challenging to defend against as they are unique to each API.

These measures can help organizations ensure a higher level of security for their digital infrastructure and protect against potential attacks by cybercriminals specifically exploiting API vulnerabilities.

Given the continuing growth in API usage, the importance of stringent security and proactive API management becomes even more evident as a task for preventing data breaches, unforeseen financial losses, and reputational damage.