API security often receives inadequate attention, either overlooked in early planning stages or failing to match the pace of rapid technological deployment.

APIs were the target of 29% of web attacks in 2023, with cybercriminals exploiting the swiftly growing API economy for new avenues of attack, according to a report from Akamai. The commerce sector experienced the highest number of attacks, accounting for about 44%. Business services followed at nearly 32%. Attacks ranged from Local File Inclusion (LFI) and SQL Injection (SQLi) to Cross-Site Scripting (XSS).

Akamai’s findings underscore the escalating concerns in the industry surrounding API security threats. In 2021, Gartner predicted API abuse and data breaches would double by 2024. In 2023, the Open Web Application Security Project (OWASP) released a dedicated list of API-specific risks, highlighting the growing concern.

“APIs are increasingly critical to organizations, but their security is often not designed into the capability, or the security team is not able to keep up with the rapid deployment of new technology,” Steve Winterfeld, advisory CISO of Akamai, said in the State of the Internet (SOTI) report.

Key problems to address

APIs are pivotal in developing new capabilities within companies. However, their security often receives inadequate attention, either overlooked in early planning stages or failing to match the pace of rapid technological deployment. Akamai pointed out two distinct issues in this regard — posture and runtime problems.

API implementation flaws in an enterprise can lead to posture problems. The most common among them include shadow endpoints, unauthenticated resource access, sensitive data in a URL, a permissive cross-origin resource sharing (CORS) policy, and excessive client errors.

Runtime problems, on the other hand, are active threats demanding immediate action.
These include unauthenticated resource access attempts, API activity with unusual JSON payloads, path parameter fuzzing attempts, illogical API timestamps, geolocation, or sequence, and data scraping.

Recommendations for threat mitigation

Adopting a comprehensive API security program provides organizations with unparalleled visibility across their digital ecosystem. This includes discovering all APIs within the organization, auditing their risk levels, detecting abnormal behaviors indicative of abuse, and enabling expert-led investigations to hunt for hidden threats. Such a layered approach is crucial for identifying vulnerabilities and safeguarding against potential breaches, ensuring a robust defense in the face of evolving cyberthreats.

“This includes putting all APIs behind security controls and having automated responses to mitigate attacks or to alert the security operations team,” the report said. “Next, practicing shift-left testing during development can address these vulnerabilities and weaknesses at the onset, before attackers can exploit them. Finally, you need to run exercises to validate both preventive measures and crisis response.”

Akamai has also advised adherence to select regulations to enhance API security. While specific laws governing APIs may be limited, certain frameworks are worth considering. These include the General Data Protection Regulation (GDPR), the newly updated Payment Card Industry Data Security Standard (PCI DSS) version 4.0, and the guidelines established by the American National Standards Institute (ANSI).

Regional differences in attacks

The report showed some interesting global trends as well. The Europe, Middle East, and Africa (EMEA) region experienced the most attacks, at 47.5%. North America came second, at 27.1%, and the Asia-Pacific and Japan region was third, at 15%. At the country level, the top areas were Spain at 94.8%, Portugal at 84.5%, the Netherlands at 71.9%, and Israel at 67.1%.
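The posture and runtime categories above, and the report's recommendation to automate detection and alerting, are easier to reason about when turned into concrete checks. The following is an added example, not Akamai's tooling or code from the report: it audits a constructed API inventory and a handful of constructed access-log records for several of the posture problems named (shadow endpoints, unauthenticated access to a protected route, sensitive data in a URL, a wildcard CORS policy combined with credentials, excessive client errors) and two of the runtime signals (unusual JSON payloads and path parameter fuzzing). The route templates, log fields, sample clients and thresholds are all assumptions chosen for the illustration.

```python
"""Posture and runtime checks over API access-log records.

Added illustration: the inventory, log fields, sample records and
thresholds below are constructed for the example, not taken from any
real system or from the Akamai report.
"""
import json
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed API inventory: path template -> whether the route requires auth.
INVENTORY = {
    "/v1/orders/{id}": True,
    "/v1/products": False,
    "/v1/profile": True,
}

SENSITIVE_QUERY_KEYS = {"token", "password", "api_key", "ssn", "session"}
CLIENT_ERROR_RATE = 0.5   # share of 4xx responses per client that counts as excessive
MIN_REQUESTS = 4          # ignore clients with fewer requests than this
FUZZ_DISTINCT_IDS = 5     # distinct path-parameter values that 404'd from one client
MAX_JSON_DEPTH = 8        # deeper payloads are treated as unusual


def match_template(path):
    """Map a concrete path to an inventory template; (None, ()) if undocumented.

    Minimal matcher: templates contain only literal segments and {param} slots.
    """
    for template in INVENTORY:
        pattern = "^" + re.sub(r"\{[^/]+\}", r"([^/]+)", template) + "$"
        m = re.match(pattern, path)
        if m:
            return template, m.groups()
    return None, ()


def json_depth(obj, depth=1):
    """Nesting depth of a decoded JSON value (scalars count as depth 1)."""
    if isinstance(obj, dict):
        return max([json_depth(v, depth + 1) for v in obj.values()] or [depth])
    if isinstance(obj, list):
        return max([json_depth(v, depth + 1) for v in obj] or [depth])
    return depth


def analyse(records):
    """Return (posture_findings, runtime_findings) as lists of (kind, detail)."""
    posture, runtime = [], []
    errors, totals = Counter(), Counter()
    fuzz = defaultdict(set)  # (client, template) -> distinct ids that returned 404
    for r in records:
        parts = urlsplit(r["url"])
        template, params = match_template(parts.path)
        totals[r["client"]] += 1
        if 400 <= r["status"] < 500:
            errors[r["client"]] += 1
        # Posture: a path not in the inventory is a shadow endpoint.
        if template is None:
            posture.append(("shadow_endpoint", parts.path))
            continue
        # Posture: a protected route answered 2xx/3xx with no Authorization header.
        if INVENTORY[template] and not r.get("authorization") and r["status"] < 400:
            posture.append(("unauthenticated_access", parts.path))
        # Posture: secrets or identifiers carried in the query string.
        leaked = SENSITIVE_QUERY_KEYS & set(parse_qs(parts.query))
        if leaked:
            posture.append(("sensitive_data_in_url", sorted(leaked)))
        # Posture: wildcard origin together with credentials is a permissive CORS policy.
        hdrs = r.get("response_headers", {})
        if (hdrs.get("Access-Control-Allow-Origin") == "*"
                and hdrs.get("Access-Control-Allow-Credentials", "").lower() == "true"):
            posture.append(("permissive_cors", parts.path))
        # Runtime: collect 404'd path-parameter values per client and template.
        if params and r["status"] == 404:
            fuzz[(r["client"], template)].add(params[0])
        # Runtime: unparseable or abnormally deep JSON body.
        body = r.get("body")
        if body is not None:
            try:
                if json_depth(json.loads(body)) > MAX_JSON_DEPTH:
                    runtime.append(("unusual_json_payload", f"{r['client']} depth>{MAX_JSON_DEPTH}"))
            except ValueError:
                runtime.append(("unusual_json_payload", f"{r['client']} unparseable"))
    for client, n in totals.items():
        if n >= MIN_REQUESTS and errors[client] / n >= CLIENT_ERROR_RATE:
            posture.append(("excessive_client_errors", client))
    for (client, template), ids in fuzz.items():
        if len(ids) >= FUZZ_DISTINCT_IDS:
            runtime.append(("path_parameter_fuzzing", f"{client} {template}"))
    return posture, runtime


# Constructed sample log: one record per request, fields as this example assumes them.
SAMPLE_LOG = [
    {"client": "10.0.0.5", "url": "/v1/products", "status": 200},
    {"client": "10.0.0.5", "url": "/v1/profile?token=abc123", "status": 200, "authorization": "Bearer x"},
    {"client": "10.0.0.9", "url": "/v1/orders/17", "status": 200},  # no Authorization header
    {"client": "10.0.0.9", "url": "/v1/profile", "status": 200, "authorization": "Bearer y",
     "response_headers": {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}},
    {"client": "10.0.0.5", "url": "/internal/debug", "status": 200},  # not in INVENTORY
    {"client": "10.0.0.7", "url": "/v1/profile", "status": 200, "authorization": "Bearer z", "body": "{not json"},
] + [{"client": "10.0.0.9", "url": f"/v1/orders/{i}", "status": 404, "authorization": "Bearer y"}
     for i in range(900, 906)]

if __name__ == "__main__":
    for kind, detail in sum(analyse(SAMPLE_LOG), []):
        print(f"{kind:28} {detail}")
```

Run as a script it prints one line per finding; in a real deployment the same checks would consume gateway or WAF logs and feed the alerting the report describes, and the thresholds would be tuned per API rather than fixed as here.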
In comparison, only 27.6% of web attacks in the US targeted APIs.

“There are a number of reasons for differences in regional attacks, such as regulatory environments, geopolitical conflicts, infrastructure types, access and education variations, business models, and social factors,” the report said. “However, it is also important to note that you can see a cyberattack trend start in one region or industry, then migrate to others.”