Attackers exploit APIs faster than ever before
After combing through 350,000 reports to find 650 API-specific vulnerabilities from 337 different vendors and tracking 115 published exploits impacting these vulnerabilities, the results clearly illustrate that the API threat landscape is becoming more dangerous, according to Wallarm.
API attack analysis for 2022
Researchers came to this conclusion based on the 2022 data, specifically these three trends:
In 2022 there was a huge increase in attacks against Wallarm’s customers’ APIs, which ballooned over 197% from H1 to H2. As API-related breaches influence today’s headlines, it’s clear that this trend is extrapolating beyond Wallarm customers and will continue to grow in 2023.
In 2022 there was a significant increase in API-related CVEs, growing +78% from H1 to H2. Although growth has stabilized over the past two quarters, the research team expects an increase in 2023.
Since tracking this metric in Q2 2022, the research team has seen a continued decline in the average time between when a CVE is published and when the related exploit POC is published – from 58 days (Q2) to four (4) days (Q3) to negative three (-3) days (Q4).
Additionally, the average zero-day exploit found in Q4 was released more than two months before the CVE was published.
“It’s obvious from recent news about mega breaches involving APIs, such as Optus and T-Mobile, that the API threat landscape is becoming more dangerous,” said Ivan Novikov, CEO of Wallarm.
“In this report, our research team provides API security practitioners and executives with data-driven insights into how to improve their API security posture in 2023. Briefly, we found that API threats tripled in 2022 with exploits available before we even know about the vulnerability, that the current OWASP API Security Top 10 list does not accurately reflect reality where Injections are the primary attack vector, and that open-source software, especially DevOps and cloud-native tools used to build new companies and technologies, is a growing target. Overall, the traditional approaches to protecting your APIs need to adapt to these new realities,” Novikov concluded.
Based on the research, the research team has concluded that API portfolios will be at greater risk in 2023 as organizations struggle to improve API security, both during the development cycle and in production.