API Abuses and Related Data Breaches
Gartner has said that API attacks would be the most common attack vector in 2022, resulting in data breaches for enterprise web applications. Gartner also predicts that by 2024, API abuses and related data breaches will double.
For 2023, we don’t see any reason to doubt that APIs will continue to be a top target for attackers, resulting in theft, fraud, and business disruptions. The recent Optus Telecom API security incident shows new levels of analysis attackers are performing to understand how each API works, how they interact with each other, and what the expected outcome is. In another example of abusing the trust established by the API-host-to-user relationship, a local inventory search function used to enable Ulta Beauty customers to find and buy products nearby was hit by an attack that was 700X larger than average load.
Demand for API Protection Solutions
We predict a continued high demand for an API protection solution that works across the entire API protection lifecycle, protecting all APIs, across all API implementations, channels, and infrastructure environments, and all user groups and business use cases. Recent reports support this notion, observing that with the rising incidence of malicious attacks on APIs, the demand for API security solutions will grow at a compound annual growth rate (CAGR) of 26.3% between 2022 and 2032, totaling around $10B in revenue by 2032.
For 2023 we also predict that stretched IT security teams will continue to have insufficient time on their side to uncover API vulnerabilities. Adding insult to injury, we’ve observed that many security teams are put in a difficult situation of protecting their attack surface with constrained resources while dealing with the ongoing talent shortage. And attackers are sophisticated and relentless using advanced tools, such as artificial intelligence, machine learning, and automation. We predict they will increasingly be able to expedite—from weeks to days or hours—the end-to-end attack life cycle, from reconnaissance through exploitation.
OWASP API Security Threats
We’ll see continued security incidents and data breaches highlighting how attackers are leveraging Open Web Application Security Project (OWASP) categorized security gaps to execute their attacks. The techniques observed in these incidents mimic those outlined in the API Protection Report where attackers are actively mixing and matching the OWASP API security categorized threats to bypass common security controls. In the year ahead, we will see attackers evolve to use the unholy trinity of OWASP identified API security gaps. This combination will continue to involve three different tactics–Broken User Authentication (API2), Excessive Data Exposure (API3) and Improper Assets Management (API9)–to bypass common security controls and achieve their end goal. The increased combination of these three threats indicates that attackers will be performing new levels of analysis to understand how each API works – including how they interact with one another and what the expected result will be.
Shadow APIs will continue to be the top threat challenging the industry. Attacks on shadow APIs are effective because they exploit innocuous mistakes in development and asset management control. These mistakes are frequently abused by bots, who rely on the lack of API visibility among the defenders. New research by the Cequence CQ Prime Threat Research team reported that 31%, or 5 billion malicious transactions observed in the first half of 2022 targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs.
Consolidation of API Security Tool Vendors
We also predict further consolidation of API security tool vendors in 2023. As we have seen of late, in attempts to offer end-to-end application protection, web application firewall (WAF) vendors have been acquiring bot management companies. Examples of this activity include Imperva and Distil Networks, and F5 and Shape. Now their customers are looking to protect APIs with point products from a set of API security vendors, leading to vendor fatigue and alert fatigue. As we shift from an investment environment that rewarded “growth at any cost” to “sustainable growth towards profitability”, numerous API security startups are going to find themselves with no better option than to get acquired. Enterprises still struggling with acute talent shortage, despite the deadlines of tech layoffs recently, will look for vendor consolidation. Vendors providing a complete, comprehensive platform or solution to todays growing application and API security challenges will be rewarded in 2023. Enterprise API security needs will only be met by a solution that covers the entire API protection lifecycle which involves achieving visibility into all APIs, including public-facing, internal and unmanaged, and the mitigation of API vulnerabilities, ensuring API compliance, and the detection and prevention of attacks on APIs.
Regulatory Scrutiny of API Security
With the increasing number of high-profile breaches, we predict that there will be increased regulatory scrutiny of API security, resulting in more government regulations and industry certification requirements. For example, if a business uses APIs that carry any information regarding payment cards, that business and its technical partners must support these APIs to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). In 2022 PCI DSS was updated to add more information and direction around the requirements to develop and maintain secure systems and software.
In Australia, recent data breaches have put a spotlight on API vulnerabilities, possibly driving the Australian Cyber Security Centre (ACSC) to add them to its influential Information Security Manual (ISM). The latest edition of the ISM, published by the ACSC, adds a new control “to ensure clients are authenticated when calling web application programming interfaces that facilitate access to data not authorized for release into the public domain.”
In the light of data breaches in the telecommunications segment, we predict that in 2023, threat actors will seek to build off this momentum to exploit telecommunications companies that lack visibility into APIs due to their many sub-companies and partners. As telecom companies adopt new technologies, and associated use of APIs, we predict the potential for data breaches in these businesses that will impact millions of users’ information and result in theft, fraud, and disruption.
The Good News: API Protection Solution
While some of these predictions may seem dire or overwhelming to stretched IT security teams, there is good news. Cequence has taken the approach that an effective API protection solution can protect APIs across the entire lifecycle, leveraging a collaborative effort that includes developers, application owners and the security team to accomplish the following:
- Outside-in discovery: Gain an understanding of your public-facing API footprint to see what an attacker may see.
- Inside-out inventory: Complement an external view of your APIs and related resources with a comprehensive inside-out API inventory, including all existing APIs and connections.
- Compliance monitoring: Continually analyze existing and new APIs to keep them in compliance with specifications such as the OpenAPI specification and ensure high API coding quality, consistency, and governance.
- Threat detection: Even perfectly coded APIs can be attacked, so it’s critical to continuously scanning your entire API inventory for threats, including subtle business logic abuses and malicious activity that has not yet been observed.
- Threat prevention: It’s critical to be able to respond quickly and natively with countermeasures such as alerts, real-time blocking and even deception, without the need for added third-party data security tools.
- Ongoing API testing: Integrate API protection into development to complement API security efforts defined by shift left efforts within the organization, so risky code doesn’t go live.
For 2023, you can ensure an effective API protection program, and Cequence Security is here to help you start your journey beginning with an API security assessment.
Join Aakash Tiwari, Security Engineer at Cequence on Thursday, January 31st, where he will discuss what to look out for to ensure your APIs are protected.
Never miss an update!