API environments becoming hotspots for exploitation

A total of 29% of web attacks targeted APIs over 12 months (January through December 2023), indicating that APIs are a focus area for cybercriminals, according to Akamai.

API integration amplifies risk exposure for enterprises

APIs are at the heart of digital transformation in organizations. However, the existence of APIs heightens the risk exposure of businesses and poses a significant security challenge. Commerce is the most attacked vertical with 44% of API attacks, followed by business services at nearly 32%.

APIs are vital to most organizations because they improve both employee and customer experiences. Unfortunately, cybercriminals have leveraged this digital innovation and the rapid expansion of the API economy to create new opportunities for exploitation. These attacks will continue to spike as the demand for API use increases, and urges organizations to properly account for and secure their APIs.

Fraudsters are targeting loyalty program accounts as they contain valuable currency, such as points, miles, or credits, that is redeemable for real-world goods or cash.

Based on Akamai data, almost one-third of suspicious bot requests were aimed at APIs globally in 2023. Although not necessarily all malicious, these bot requests can be weaponized to conduct credential stuffing attacks and data scraping, which may lead to information theft.

Business logic abuse is a critical concern because it is challenging to detect abnormal API activity without establishing a baseline for API behavior. Organizations without solutions to monitor anomalies in their API activity are at risk of runtime attacks like data scraping — a new data breach vector that uses authenticated APIs to slowly scrape data from within.

The range of attacks on APIs includes tried-and-true methods like Local File Inclusion (LFI), Structured Query Language injection (SQLi), and Cross-Site Scripting (XSS) to infiltrate their targets.

Programming errors and configuration mistakes in API environments

Organizations need to think about compliance requirements and emerging legislation early in their security strategy process to avoid the need to re-architect.

The United States Securities and Exchange Commission (SEC), for example, has recently enacted new rules for public companies that require the disclosure of material security incidents, as well as detailed information about risks, security governance, and oversight. Around the world, companies are being fined for the failure to protect PII.

A common business problem present in most API environments is a programming error or a configuration mistake that is detected during the discovery phase of maturing their API security program. Although the majority of these errors are never exploited, the potential damage is apparent to security teams once they gain visibility into the API estate and the traffic running on each API.

Too often, applications and business processes involving APIs are initiated and deployed faster than security teams can evaluate their posture. This seems to make misconfigurations and vulnerabilities inevitable. Add to the mix the lack of API security expertise inside most organizations, and you have all the variables for an unpalatable security equation.

“APIs are increasingly critical to organizations but their security is often not designed into the capability, or the security team is not able to keep up with the rapid deployment of new technology,” said Steve Winterfeld, Advisory CISO of Akamai.

APIs are foundational for many of the new capabilities that companies are building — but, in most cases, the security of APIs is either not considered early enough in the planning process or not able to keep up with the rapid deployment of new technology.