Application Programming Interfaces (APIs) have become the backbone of modern enterprises, facilitating seamless communication between both internal systems and external partners.
As organizations increasingly rely on APIs, the number of APIs in use has dramatically increased. Since attackers follow the attack surface, this growth in API usage has not gone unnoticed. The concentration of critical business logic and sensitive data flowing through APIs makes them an attractive target for malicious actors aiming to exploit vulnerabilities for financial gain, data theft, or service disruption.
Focused on API security, Wallarm’s API ThreatStats report gathers all the available data on API-related cybersecurity incidents and vulnerabilities for analysis. Additionally, the report identifies and tracks the trends that impact organizations.
Q3 API security incidents
Not surprisingly, Q3 2024 saw an increased number of API-related cybersecurity incidents. APIs continue to be at the heart of some of the largest and most impactful breaches we’re seeing. In the last quarter, Deutsche Telekom topped the list by exposing 252 million users due to unauthenticated API access. Other key incidents included:
• Hotjar and Business Insider exposed 80 million users due to client-side API issues (cross-site scripting and OAuth mismanagement).
• Fractal exposed the sensitive personal information of 6,300 customers due to an insecure API script.
• ExploreTalent’s authorization issues in a misconfigured API disclosed 11.4 million user records.
• Metro Pacific Tollways Corporation (MPTC) suffered an API leak affecting nearly 1 million records, including sensitive API logs.
These incidents are telling because they span multiple industries. API security issues aren’t limited to technology companies or any specific sector. APIs are used across various industries, and therefore, the API security incidents impact all industries, from telecom to tollways.
In terms of root causes, these incidents show that authentication and authorization continue to be problematic for APIs. The systems designed to protect the data behind these APIs are consistently and successfully under attack.
Finally, it’s notable that many of these incidents were driven by client-side API vulnerabilities. The OWASP API Top 10 is an industry-standard list of API-related issues, focusing on server-side security. Attackers appear to be taking advantage of the blind spot represented by client-side issues like cross-site scripting.
Q3 API security trends
Wallarm’s analysis of API-related vulnerabilities provides valuable insight into the most important trends for API security. Q3 saw the largest number of API-related vulnerabilities since we began this analysis at the beginning of 2022. 469 vulnerabilities were analyzed for Q3 2024, compared to 388 in the previous quarter, a 21% increase. In the first edition of this report for Q1 2022, there were 48.
The scale of the problem continues to grow. Notably, 45% of these issues scored a 7.5 on the Common Vulnerability Scoring System (CVSS), indicating that API vulnerabilities skew towards higher risk overall. Not only is the number of vulnerabilities increasing, but they are also bringing increased risk to organizations.
Additionally, the analysis breaks down the vulnerabilities based on the affected type of software, with enterprise software from vendors like Oracle, VMware, and Cisco topping the list at 39.6%. DevOps tools took the second spot at a close 36.2%. API-related vulnerabilities most affect enterprise organizations that do their own development.
Key takeaways
The key takeaways for the API ThreatStats report differ, depending on your role.
CISOs should focus more on strategy than execution. Based on the Q3 analysis, comprehensive API discovery and robust authentication controls should figure prominently in their strategic objectives. These initiatives are crucial, as unknown and poorly secured APIs can pose major vulnerabilities.
CISOs shouldn’t overlook client-side API vulnerabilities, which are often ignored but have been shown to be exploited by attackers. While it seems like AI is everywhere, CISOs shouldn’t ignore the connection between APIs and AI in their strategic plans. These two technologies will grow together.
API Architects don’t have dramatically different priorities, but they need to focus on practical, implementable solutions as part of API architecture. Ensuring robust authentication across all APIs, for example, is paramount, as authentication is foundational for API security.
Grasping connections
Architects also need to translate some of those strategic directions down to the technical level. Implementing detailed input validation and output encoding to prevent injection attacks and data leaks will help remove API security risk. Finally, API architects who are implementing AI are best positioned to see the tight connections and build security in from the ground up.
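To make the architect-level guidance concrete (authentication on every API, input validation, object-level authorization, and output encoding), here is an added illustration that is not from the report or from Wallarm: a minimal "before" and "after" handler for a record-lookup endpoint, using constructed sample sessions and records and a hypothetical `Response` type.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample data (not from the report): bearer tokens -> users, and records with owners.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
RECORDS = {
    "1": {"owner": "alice", "note": "<script>alert(1)</script>"},  # stored, attacker-influenced text
    "2": {"owner": "bob", "note": "bob's note"},
}

RECORD_ID = re.compile(r"^[0-9]{1,9}$")  # the only shape a record id may take


@dataclass
class Response:  # hypothetical stand-in for a web framework's response object
    status: int
    body: str


def get_record_unsafe(headers: dict, record_id: str) -> Response:
    """'Before' handler: no authentication, no ownership check, raw output.
    This mirrors the unauthenticated-access and authorization failures the report describes."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404, "not found")
    return Response(200, rec["note"])


def get_record_hardened(headers: dict, record_id: str) -> Response:
    """'After' handler: every control is applied before any data leaves the API."""
    # 1. Authentication: every endpoint requires a valid bearer token.
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return Response(401, "authentication required")
    user = SESSIONS.get(token[len("Bearer "):])
    if user is None:
        return Response(401, "invalid token")
    # 2. Input validation: reject ids that do not match the expected shape.
    if not RECORD_ID.fullmatch(record_id):
        return Response(400, "invalid record id")
    rec = RECORDS.get(record_id)
    # 3. Object-level authorization: the same 404 for missing and foreign records,
    #    so the response does not reveal which ids exist.
    if rec is None or rec["owner"] != user:
        return Response(404, "not found")
    # 4. Output encoding: stored text is HTML-escaped so a client that renders it
    #    does not execute script (the client-side XSS class the report highlights).
    return Response(200, html.escape(rec["note"]))
```

The unsafe handler returns the raw `<script>` payload to anyone who asks; the hardened one requires a token, rejects malformed ids, hides records the caller does not own, and encodes what it returns.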
Security practitioners shouldn’t be left out, as they are generally the executors of the CISO’s strategic plans. Alignment here is key. Regular, comprehensive security assessments to identify and address vulnerabilities must be conducted proactively.
Monitoring and securing client-side applications should align with the CISO objectives. These practitioners should also stay informed about emerging threats and CVEs, keeping the CISO and the organization updated as the API threat landscape continuously evolves.
API security is a cross-functional responsibility. These recommendations are aligned, but must be applied at multiple levels within the organization. As noted, the API threat landscape continues to grow, and organizations, from the CISO down, must be prepared.
About the essayist: Ivan Novikov is the Chief Executive Officer of Wallarm, which supplies a unified, automated API security solution that works with any platform, any cloud, multi-cloud, cloud-native, hybrid and on-premise environment.
October 29th, 2024 | Guest Blog Post | Top Stories