Application programming interfaces (APIs) have become a significant part of the modern-day internet infrastructure, providing seamless integration of different software applications. However, they have also become a prime target for cybercriminals. A recent Akamai report, “Lurking in the Shadows: Attack Trends Shine Light on API Threats,” reveals that 29% of web attacks over the past year targeted APIs, making them a substantial cybersecurity threat.
A study from the Marsh McLennan Cyber Risk Analytics Center finds that API-related security incidents most global businesses as much as $75 billion each year.
In the U.S., the annual API-related cyber loss is estimated between $12 billion and $23 billion.
Standard API attack techniques include HTTP protocol, SQL injection, and data harvesting. Verticals such as commerce, business services, digital media, video media, and the public sector receive the highest percentage of API attacks. API security issues can arise from shadow endpoints, unauthenticated resource access, and even seemingly harmless data in URLs.
Moreover, the report illuminates several case studies highlighting loyalty fraud, API abuse in SaaS notification services, a potential broken object level authorization attack, and a carding attack. Such real-world examples underpin the seriousness of API threats and the immediate need for robust protections.
Enhancing Your API Security
So, how can enterprises protect themselves from these increasingly sophisticated API attacks? The first crucial step is improving visibility into enterprise API estates. Businesses can considerably strengthen their API security coverage by discovering shadow APIs and addressing potential security risks.
Effective defense against API attacks also requires thorough situational awareness. This includes integrating all APIs into the broader security program and continuously monitoring for attack attempts, vulnerabilities, and potential abuse. Enterprises should conduct pen tests and red team exercises, focusing on testing authentication, exposed data, and runtime issues.
Complying With Regulations
Another vital aspect is compliance with regulations like the European Union’s Global Data Protection Regulation and the upcoming Payment Card Industry Data Standard v4.0. Adhering to these regulations not only ensures compliance but also offers a level of security protection for customers’ data.
The Akamai report further emphasizes the need for new tools, skills, and staffing to support API security efforts.
Enterprises should consider reallocating engineering hours or even adopting managed services to maintain and enhance API defense capabilities. Continuous tracking and comprehensive analysis of cybersecurity measures are vital in identifying areas for improvement and tightening the overall security plan.
Be Proactive, Vigilant, and Resilient
API security is an area that businesses cannot afford to neglect. The rising tide of cyber threats targeting APIs calls for enterprises to be proactive, vigilant, and resilient. Prioritizing API security and implementing the recommendations outlined in the “Lurking in the Shadows” report can provide businesses with the edge they need to better protect their data, customers, and reputation.
