Akamai released research into the evolving threat landscape for application programming interfaces (APIs), which, according to Gartner, will be the most frequent online attack vector by 2022.
APIs are inherently designed to be fast and easy pipelines between different platforms. While this priority on convenience and user experience makes APIs highly valuable to many businesses, it also makes them appealing targets for cybercriminals.
API security concerns often not addressed
The report highlights the frustrating patterns of API vulnerabilities, despite the improvements that have been made in Software Development Life Cycles (SDLCs) and testing tools. Often, API security is relegated to an afterthought in the rush to bring APIs to market, with many organizations relying on traditional network security solutions that aren't designed to protect the broad attack surface that APIs can introduce.
"From broken authentication and injection flaws, to simple misconfigurations, there are numerous API security concerns for anyone building an internet-connected application," said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report.
"API attacks are both underdetected and underreported when detected. While DDoS attacks and ransomware are both major issues, attacks on APIs don't receive the same level of attention, largely because criminals use APIs in ways that lack the splash of a well-executed ransomware attack, but that doesn't mean they should be ignored."
It's not always clear where API vulnerabilities reside. For example, APIs are often hidden inside mobile apps, leading to the belief that they're immune to manipulation. Developers assume that users will only interact with the APIs through the mobile user interface (UI), but, as noted in this report, that's not the case.
Chris Eng, Chief Research Officer at Veracode, said, "Compare the OWASP Top 10 to the OWASP API Security Top 10. The latter purports to address the 'unique vulnerabilities and security risks' of APIs, but look closely and you'll see all the same web vulnerabilities, in a slightly different order, described with slightly different words. To add more fuel to the fire, API calls are easier and faster to automate (by design!) — a double-edged sword that benefits developers as well as attackers."
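The mobile-UI assumption described above, and the point that the API Security Top 10 is largely the same web vulnerabilities, can be made concrete with a small in-process model. The following is an added example, not code from the Akamai report, Veracode, or OWASP: a toy account endpoint with two handlers, one that authenticates the caller but serves whatever account id the client supplies (a broken object-level authorization flaw that the mobile UI never exercises, because the UI only ever asks for the caller's own account), and one that derives identity from the session and enforces ownership on the server for every request, whichever client sent it. All tokens, user names and account records are constructed sample data.

```python
"""Added illustration: the mobile-UI assumption, as a tiny in-process API model.

The 'mobile app' only ever shows a user their own account, so a developer may
assume the API behind it is never asked for anyone else's account. Any HTTP
client can call the API directly, so authorization has to be enforced on the
server. All names, tokens and records below are constructed sample data."""

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: session tokens issued at login, mapped to user ids.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
# Constructed sample data: account records with their owning user.
ACCOUNTS = {
    "acct-100": {"owner": "alice", "balance": 1200},
    "acct-200": {"owner": "bob", "balance": 35},
}


@dataclass
class Request:
    """Minimal model of an API request: bearer token plus the account id
    taken from the URL path (e.g. GET /accounts/<account_id>)."""
    token: Optional[str]
    account_id: str


@dataclass
class Response:
    status: int
    body: dict


def get_account_trusting_client(req: Request) -> Response:
    """Vulnerable: authenticates the caller, then serves whatever account id
    the client asked for. The mobile UI only ever sends the caller's own id,
    so the missing ownership check is invisible in normal use."""
    if req.token not in SESSIONS:
        return Response(401, {"error": "unauthenticated"})
    acct = ACCOUNTS.get(req.account_id)
    if acct is None:
        return Response(404, {"error": "not found"})
    return Response(200, {"account_id": req.account_id, "balance": acct["balance"]})


def get_account_authorized(req: Request) -> Response:
    """Hardened: identity comes from the session, and ownership is enforced on
    every request regardless of which client sent it. A missing record and a
    foreign record both return 404 so the API does not reveal which ids exist."""
    user = SESSIONS.get(req.token)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    acct = ACCOUNTS.get(req.account_id)
    if acct is None or acct["owner"] != user:
        return Response(404, {"error": "not found"})
    return Response(200, {"account_id": req.account_id, "balance": acct["balance"]})


def direct_api_probe(handler: Callable[[Request], Response]) -> list[int]:
    """Replay the three requests a scripted client (not the mobile UI) could
    send: own account, another user's account, and no token at all. Returns
    the status codes so the two handlers can be compared side by side."""
    probes = [
        Request("tok-bob", "acct-200"),  # bob reading his own account
        Request("tok-bob", "acct-100"),  # bob reading alice's account
        Request(None, "acct-100"),       # anonymous caller
    ]
    return [handler(r).status for r in probes]


if __name__ == "__main__":
    # The UI-driven path (first probe) looks identical for both handlers;
    # only the direct calls the UI never makes expose the difference.
    print("trusting client  :", direct_api_probe(get_account_trusting_client))  # [200, 200, 401]
    print("server-side authz:", direct_api_probe(get_account_authorized))       # [200, 404, 401]
```

The useful property of the probe is that it sends requests the mobile UI would never construct; an API test suite that only drives the UI, or only replays UI-shaped traffic, cannot tell the two handlers apart.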
Spikes in attack traffic point to continued API vulnerabilities
Also detailed in the report, 18 months of attack traffic between January 2020 and June 2021 were reviewed, finding more than 11 billion total attempted attacks. With 6.2 billion attempts on record, SQL Injection (SQLi) remains at the top of the web attack trending list, followed by Local File Inclusion (LFI) with 3.3 billion, and Cross-Site Scripting (XSS) with 1.019 billion.
While it is difficult to pinpoint what share of the above attacks were purely API attacks, the Open Web Application Security Project (OWASP) recently released an API Security Top 10 list.
Additional report highlights include:
- Credential stuffing attacks tracked across the 18 months between January 2020 and June 2021 remained steady, with single-day peaks of over 1 billion attacks recorded in January 2021 and May 2021.
- The U.S. was the top target for web application attacks during this observed period, with nearly six times the volume of traffic as England, which ranked second. The U.S. was also in the top spot on the source list for attacks, taking first place away from Russia, with almost four times the volume of traffic.
- DDoS traffic has remained consistent so far in 2021, with peaks recorded earlier in Q1 2021. In January 2021, 190 DDoS events were recorded in a single day, followed by 183 in March.