A third of web attacks targeted APIs in 2023, threatening the expanding API economy

APIs were the target of 29% of web attacks in 2023, with cybercriminals exploiting the swiftly growing API economy for new avenues of attack, according to a report from Akamai. The commerce sector experienced the highest number of attacks, accounting for about 44%. Business services followed at nearly 32%. Attacks ranged from Local File Inclusion (LFI) and SQL Injection (SQLi) to Cross-Site Scripting (XSS).
Akamai’s findings underscore the escalating concerns in the industry surrounding API security threats. In 2021, Gartner predicted API abuse and data breaches would double by 2024. In 2023, the Open Web Application Security Project (OWASP) released a dedicated list of API-specific risks, highlighting the growing concern. “APIs are increasingly critical to organizations, but their security is often not designed into the capability, or the security team is not able to keep up with the rapid deployment of new technology,” Steve Winterfeld, advisory CISO of Akamai, said in the State of the Internet (SOTI) report.
APIs are pivotal in developing new capabilities within companies. However, their security often receives inadequate attention, either overlooked in early planning stages or failing to match the pace of rapid technological deployment. Akamai pointed out two distinct issues in this regard — posture and runtime problems.
API implementation flaws in an enterprise can lead to posture problems. The most common include shadow endpoints, unauthenticated resource access, sensitive data in a URL, a permissive cross-origin resource sharing (CORS) policy, and excessive client errors.
Runtime problems, on the other hand, are active threats demanding immediate action. These include unauthenticated resource access attempts, API activity with unusual JSON payloads, path parameter fuzzing attempts, illogical API timestamps, geolocations or request sequences, and data scraping.
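As an added illustration of how several of the posture and runtime indicators named above can be surfaced from API access logs (this is example code, not part of the Akamai report or the article), the script below checks constructed sample records for sensitive data in URLs, wildcard CORS, excessive client errors and path parameter fuzzing. The record layout, field names and thresholds are assumptions chosen for the example.

```python
"""Flag API posture and runtime indicators in access-log records (added example)."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample records: (client_ip, method, url, status, Access-Control-Allow-Origin)
SAMPLE_LOG = [
    ("10.0.0.5", "GET", "/api/v1/users/42", 200, "https://app.example"),
    ("10.0.0.5", "GET", "/api/v1/login?user=bob&password=hunter2", 200, "https://app.example"),
    ("10.0.0.9", "GET", "/api/v1/report?api_key=ABC123", 200, "*"),
    ("203.0.113.7", "GET", "/api/v1/users/%27", 404, None),
    ("203.0.113.7", "GET", "/api/v1/users/0", 404, None),
    ("203.0.113.7", "GET", "/api/v1/users/-1", 404, None),
    ("203.0.113.7", "GET", "/api/v1/users/99999", 404, None),
    ("203.0.113.7", "GET", "/api/v1/users/{id}", 404, None),
    ("203.0.113.7", "GET", "/api/v1/users/1", 200, None),
]

# Assumed list of query parameter names that should never travel in a URL.
SENSITIVE_PARAMS = {"password", "passwd", "token", "api_key", "apikey", "secret", "ssn"}

def sensitive_data_in_url(log):
    """Posture: secrets or PII in query strings end up in logs, caches and Referer headers."""
    hits = []
    for _, _, url, _, _ in log:
        parts = urlsplit(url)
        leaked = sorted(p for p in parse_qs(parts.query) if p.lower() in SENSITIVE_PARAMS)
        if leaked:
            hits.append((parts.path, leaked))
    return hits

def permissive_cors(log):
    """Posture: wildcard Access-Control-Allow-Origin on endpoints that returned data."""
    return sorted({urlsplit(u).path for _, _, u, status, acao in log if acao == "*" and status == 200})

def excessive_client_errors(log, min_requests=5, ratio=0.5):
    """Posture: clients whose 4xx rate suggests probing or a broken integration."""
    total, errors = defaultdict(int), defaultdict(int)
    for ip, _, _, status, _ in log:
        total[ip] += 1
        errors[ip] += 400 <= status < 500
    return {ip for ip in total if total[ip] >= min_requests and errors[ip] / total[ip] >= ratio}

def path_parameter_fuzzing(log, min_variants=4):
    """Runtime: one client trying many distinct values for the same path parameter, all 404."""
    variants = defaultdict(set)
    for ip, _, url, status, _ in log:
        route, _, value = urlsplit(url).path.rstrip("/").rpartition("/")
        if route and status == 404:
            variants[(ip, route)].add(value)
    return {ip: route for (ip, route), vals in variants.items() if len(vals) >= min_variants}
```

Each function returns the flagged paths or clients so the results can be fed into a ticketing or alerting pipeline rather than only printed.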
Adopting a comprehensive API security program provides organizations with unparalleled visibility across their digital ecosystem. This includes discovering all APIs within the organization, auditing their risk levels, detecting abnormal behaviors indicative of abuse, and enabling expert-led investigations to hunt for hidden threats.
CSO Online 03/19/2024