By Eder Souza.
In August 2023, Duolingo, one of the world’s largest and most popular language learning apps, reported that data for 2.6 million users of its service (including names, email addresses, and more) had been leaked to a forum on the dark web.
Duolingo’s API for user account access required only an email address and performed insufficient verification of the caller. This allowed an attacker holding a large email database to run a script against the API and collect account data for every address that matched an existing Duolingo account.
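The flaw described above is an unauthenticated lookup that answers, for any email, whether an account exists and what its profile holds. As an added example (not code from the article, Duolingo or e-Safer), the following detector flags a single client probing many distinct addresses in a short window; the access-log format, sample entries and thresholds are assumptions made for illustration.

```python
"""Spot email-enumeration bursts against an account-lookup endpoint.

Added example, not code from the article, Duolingo or e-Safer; the log
format and thresholds are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one client walks a list of addresses, the
# other only looks up its own account.
SAMPLE_LOG = """\
2023-08-01T10:00:00Z 203.0.113.7 GET /api/user?email=a1@example.com 200
2023-08-01T10:00:01Z 203.0.113.7 GET /api/user?email=a2@example.com 404
2023-08-01T10:00:02Z 198.51.100.4 GET /api/user?email=carol@example.com 200
2023-08-01T10:00:02Z 203.0.113.7 GET /api/user?email=a3@example.com 404
2023-08-01T10:00:03Z 203.0.113.7 GET /api/user?email=a4@example.com 200
2023-08-01T10:00:04Z 203.0.113.7 GET /api/user?email=a1@example.com 200
2023-08-01T10:00:05Z 203.0.113.7 GET /api/user?email=a5@example.com 404
2023-08-01T10:00:06Z 203.0.113.7 GET /api/user?email=a6@example.com 200
2023-08-01T10:00:07Z 203.0.113.7 GET /api/user?email=a7@example.com 404
2023-08-01T10:00:30Z 198.51.100.4 GET /api/user?email=carol@example.com 200
"""

def parse_line(line):
    """Split one access-log line into (timestamp, ip, email, status)."""
    ts, ip, _method, path, status = line.split()
    email = path.split("email=", 1)[1].lower()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, email, int(status)

def find_enumerators(log_text, window_seconds=60, max_distinct=5):
    """Return {ip: peak distinct emails} for clients that looked up more
    than max_distinct different addresses within window_seconds.
    Distinct addresses are counted, not requests, so a client retrying
    its own lookup is not flagged; 200 and 404 both count, because the
    probing itself is the signal, not whether it found an account.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, email) still in window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, ip, email, _status = parse_line(line)
        window = recent[ip]
        window.append((ts, email))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({e for _, e in window})
        if distinct > max_distinct:
            flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged
```

Detection of this kind complements, rather than replaces, the real fix: requiring the caller to be authenticated and returning the same response whether or not an address has an account.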
According to a study published by Cequence, one of the leaders in API protection technologies, shadow APIs (APIs adopted by individual business areas, unknown to the rest of the company and used outside governance policy) have increased by 900%. Additionally, according to Cequence, attacks using unique techniques increase by 550% during the holiday seasons.
Verizon’s 2022 data breaches report reveals that the majority of attacks (74%) involve a human element, such as social engineering, bugs, or misuse of systems. More than 23,000 security incidents were analyzed and 5,200 breaches were verified.
The truth is that APIs play an important role in business right now, because they allow companies to run and integrate digital services across different technological environments with their management systems, shared services, and other applications. Without this interconnection of applications, business processes would be even more challenging.
While APIs have clear advantages, they also present significant security challenges, since sensitive data must move safely between a wide range of business applications.
What are the main security flaws in API usage?
A study by Datos Insights offers an in-depth analysis of leading API security solutions and provides market history, size, investment, API threats, and adopted standards. From this report we highlight the following findings:
Expansion of API usage is surprisingly common
A lack of management and oversight means many APIs are brought into play with security issues, encouraging cybercriminals to develop increasing numbers of zero-day attacks (attacks exploiting a software vulnerability that is unknown to the public or to the software developer).
Compromised APIs produced more than a billion infected records
API usage is growing exponentially, and the sophistication of zero-day attacks results in hundreds of millions of records being compromised in a single incident.
Many API security solutions are expensive
Purchasing these tools is a six-figure decision for most organizations. Starting prices can be under $100k, but ARR (annual recurring revenue) can grow rapidly, since it is based on usage and on adoption by other areas of the company.
Business impact of APIs
The Datos Insights report also points out that the average number of APIs used by organizations is between 15 thousand and 25 thousand, and that the total could reach 1.7 billion APIs by 2030. This makes these application connectors the main software component and the main entry point for potential cyber attacks.
Another problem is that companies don’t know what functions many of these APIs perform, how many versions there are, or even whether they still exist. While APIs give great power to application development and integration teams, they also introduce potentially serious security vulnerabilities. Cybercriminals are targeting APIs to capture data, and the numbers from the first study cited at the outset prove it.
This scenario is one of the reasons why the Datos Insights study cited API security as one of the current priorities for organizations of all sizes.
How to secure APIs?
Another finding of this Datos Insights study is that customers prefer solutions where the provider handles the majority of API protection. Additionally, most professionals have no experience with API security.
The optimal strategy is to delegate these tasks to teams specifically dedicated to protecting this API infrastructure through a SOC (security operations center) delivered as a service, supported by technologies developed to provide visibility and to analyze different behaviors in search of threats. As the research indicates, adopting a strategy like this can mean huge savings, especially on investments in expensive teams and technologies.
Generative AI support in securing APIs
Advances in generative AI capabilities are helping many organizations secure their APIs by creating low-code/no-code AI-powered workflows. This allows development teams to perform automated security testing of interconnected applications without relying on traditional CI/CD pipelines.
By using API protection tools powered by generative AI, including SOC as a Service, organizations ensure that software applications and APIs are better protected against breaches.
Of course, organizations also need to increase their capacity to protect their sensitive data and to bring systems connected via APIs into compliance with security policies. This requires constant monitoring, regular audits, and proactive measures to discover and manage rogue APIs; these capabilities help realize a custom SOC-as-a-Service framework.
Eder Souza is CTO at e-Safer.
Source: Tec Mundo