Nearly one-third of web attacks targeted APIs in 2023, threatening the growing API economy.

APIs were the target of 29% of web attacks in 2023, as cybercriminals exploited the growing API economy to find new attack paths, according to a report by Akamai.

The retail sector experienced the highest number of attacks, accounting for around 44%, followed by business services with about 32%. The attacks ranged from Local File Inclusion (LFI) to SQL Injection (SQLi) and Cross-Site Scripting (XSS).

Akamai’s findings underscore the industry’s growing concern about API security threats. In 2021, Gartner predicted that API abuse and data breaches would double by 2024. In 2023, the Open Web Application Security Project (OWASP) published a dedicated list of API-specific risks, highlighting the growing concern.

“APIs are becoming increasingly critical for organizations, but their security isn’t built into their capabilities, or the security team isn’t able to keep up with the immediate deployment of new technologies,” said Steve Winterfeld, advisory CISO at Akamai, in the State of the Internet (SOTI) report.

APIs play a critical role in the development of new functionality within businesses. However, their security does not get enough attention: it is either overlooked in the early planning stages or cannot keep up with the speed of rapid deployment.

Akamai identified two distinct problems in this regard: posture and execution issues.

Posture issues stem from flaws in how an enterprise implements its APIs. The most common include phantom (undocumented) endpoints, unauthenticated access to resources, sensitive data in URLs, and permissive cross-origin resource sharing (CORS) policies; these are among the most frequent mistakes.
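As an added illustration (not code from the Akamai report), the following Python audit flags the four posture issues named above across a constructed API inventory. The endpoint records, the probe origin, and the list of sensitive query keys are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical origin sent by the auditor's CORS probe; an API that echoes it back
# in Access-Control-Allow-Origin is reflecting arbitrary origins.
PROBE_ORIGIN = "https://unknown-origin.example"
# Query-string keys that should never travel in a URL (they end up in proxy logs,
# browser history and Referer headers). Illustrative list, not exhaustive.
SENSITIVE_KEYS = {"token", "access_token", "api_key", "apikey", "password", "secret", "ssn"}
JWT_RE = re.compile(r"eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")  # three base64url segments, header starts with '{"'

@dataclass
class Endpoint:
    path: str                        # path as observed in traffic, including query string
    auth_required: bool              # does the route enforce authentication?
    public_by_design: bool = False   # e.g. a login route legitimately has no auth
    cors_allow_origin: str = ""      # Access-Control-Allow-Origin returned to the probe
    cors_allow_credentials: bool = False

def audit_posture(observed, documented):
    """Return (route, issue) pairs for the posture problems named in the report."""
    findings = []
    for ep in observed:
        route, _, query = ep.path.partition("?")
        if route not in documented:
            findings.append((route, "phantom endpoint: not in the API inventory"))
        if not ep.auth_required and not ep.public_by_design:
            findings.append((route, "unauthenticated access to a protected resource"))
        keys = {kv.partition("=")[0].lower() for kv in query.split("&") if kv}
        if keys & SENSITIVE_KEYS or JWT_RE.search(ep.path):
            findings.append((route, "sensitive data in URL"))
        if ep.cors_allow_origin in ("*", "null", PROBE_ORIGIN):
            detail = "with credentials" if ep.cors_allow_credentials else "without credentials"
            findings.append((route, f"permissive CORS policy ({ep.cors_allow_origin}, {detail})"))
    return findings

# Constructed sample inventory and observed endpoints (not real data).
DOCUMENTED = {"/api/v1/orders", "/api/v1/login", "/api/v1/profile"}
OBSERVED = [
    Endpoint("/api/v1/orders", True, cors_allow_origin="https://shop.example"),
    Endpoint("/api/v1/login", False, public_by_design=True, cors_allow_origin="*"),
    Endpoint("/api/v1/profile?access_token=eyJhbGciOi.eyJzdWIi.sig", True,
             cors_allow_origin=PROBE_ORIGIN, cors_allow_credentials=True),
    Endpoint("/api/v0/debug/users", False, cors_allow_origin="*"),
]

if __name__ == "__main__":
    for route, issue in audit_posture(OBSERVED, DOCUMENTED):
        print(f"{route}: {issue}")
```

The documented set stands in for whatever API inventory or specification an organization maintains; comparing it against observed traffic is what surfaces phantom endpoints.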

Execution issues, on the other hand, are active threats that require immediate action. These include attempts to access unauthenticated resources, suspicious API activity involving JSON payloads, attempts to tamper with tracking parameters, implausible API timestamps, geolocations or sequencing, and data extraction.

Adopting a comprehensive API security program gives organizations unprecedented visibility into their digital ecosystem. This includes discovering all APIs within the organization, assessing their risk levels, detecting anomalous behavior that indicates abuse, and the ability to conduct specialized investigations to look for hidden threats.

This multi-layered approach helps identify vulnerabilities and protect against potential breaches, ensuring a robust defense against evolving cyber threats.

“It’s about attacking all the APIs behind the security controls and having automated responses to mitigate the attacks or alert the security operations team,” the report says. “Second, practicing shift-left testing can help address those vulnerabilities and weaknesses early on, before attackers can exploit them. Finally, training exercises should be organized to validate preventive measures and crisis response.”

Akamai also urged compliance with certain API security regulations. While explicit legislation governing APIs is limited, there are frameworks worth considering. These include the General Data Protection Regulation (GDPR), the new Payment Card Industry Data Security Standard (PCI DSS) version 4.0, and rules set forth by the American National Standards Institute (ANSI).

The report also showed some compelling global trends. The Europe, Middle East and Africa (EMEA) region recorded the highest share of attacks, at 47.5%. North America ranked second with 27.1 percent, and Asia-Pacific and Japan ranked third with 15 percent.

At the country level, the leaders were Spain with 94.8%, Portugal with 84.5%, the Netherlands with 71.9% and Israel with 67.1%. By comparison, only 27.6% of web attacks in the United States targeted APIs.

“There are a number of reasons for differences in regional attacks, such as regulatory environments, geopolitical conflicts, types of infrastructure, diversifications in education, business models, and social factors,” the report says. “However, it’s also vital to keep in mind that a cyberattack trend can start in one region or industry and then migrate to others.”
