2023 Predictions: Staying One Step Ahead in API Protection

January 19, 2023 | by Ameya Talwalkar


API Abuses and Related Data Breaches

Gartner predicted that by 2022 API attacks would become the most frequent attack vector, causing data breaches for enterprise web applications. Gartner also predicts that by 2024 API abuses and related data breaches will double.

For 2023, we see no reason to doubt that APIs will remain a top target for attackers, resulting in theft, fraud, and business disruption. The recent Optus Telecom API security incident shows the new level of analysis attackers perform to understand how each API works, how APIs interact with one another, and what outcome each call is expected to produce. In another example of abusing the trust established by the API-host-to-user relationship, the local inventory search function that lets Ulta Beauty customers find and buy products nearby was hit by an attack 700 times larger than its average load.

Demand for API Protection Solutions

We predict a continued high demand for an API protection solution that works across the entire API protection lifecycle, protecting all APIs, across all API implementations, channels, and infrastructure environments, and all user groups and business use cases. Recent reports support this notion, observing that with the rising incidence of malicious attacks on APIs, the demand for API security solutions will grow at a compound annual growth rate (CAGR) of 26.3% between 2022 and 2032, totaling around $10B in revenue by 2032.

Talent Shortage

For 2023 we also predict that stretched IT security teams will continue to lack the time needed to uncover API vulnerabilities. Adding insult to injury, many security teams are put in the difficult position of protecting their attack surface with constrained resources while dealing with the ongoing talent shortage. Attackers, meanwhile, are sophisticated and relentless, using advanced tools such as artificial intelligence, machine learning, and automation. We predict they will increasingly compress the end-to-end attack life cycle, from reconnaissance through exploitation, from weeks to days or hours.

OWASP API Security Threats

We’ll see continued security incidents and data breaches highlighting how attackers leverage the security gaps categorized by the Open Web Application Security Project (OWASP) to execute their attacks. The techniques observed in these incidents mirror those outlined in the API Protection Report, where attackers actively mix and match the OWASP API Security Top 10 threat categories to bypass common security controls. In the year ahead, attackers will continue to use the unholy trinity of OWASP-identified API security gaps. This combination involves three tactics from the 2019 edition of the OWASP API Security Top 10: Broken User Authentication (API2), Excessive Data Exposure (API3) and Improper Assets Management (API9), chained to bypass common security controls and reach the attacker's end goal. The growing combination of these three threats indicates that attackers will be performing new levels of analysis to understand how each API works, including how APIs interact with one another and what result each call is expected to produce.
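As an added illustration (constructed example code, not from the original post or from Cequence), the following Python shows the three gaps named above living in one user-lookup handler, beside a hardened form. The user store, session tokens, field allowlist and route table are all hypothetical; the point is that a retired v1 path (API9) that skips authentication (API2) and returns the raw record (API3) lets an attacker who has merely enumerated IDs walk away with every sensitive field, while the v2 handler requires a token, enforces object-level authorization and returns only an allowlisted projection, and the router refuses the retired path outright.

```python
"""Constructed example: one endpoint exhibiting API2 + API3 + API9 from the
OWASP API Security Top 10 (2019), beside a hardened replacement.
All data, tokens and helpers are hypothetical."""

# Constructed user store. `ssn` and `password_hash` are exactly the fields
# that Excessive Data Exposure (API3) leaks when the raw record is returned.
USERS = {
    101: {"id": 101, "name": "alice", "email": "alice@example.com",
          "ssn": "123-45-6789", "password_hash": "$2b$12$abc", "role": "user"},
    102: {"id": 102, "name": "bob", "email": "bob@example.com",
          "ssn": "987-65-4321", "password_hash": "$2b$12$def", "role": "admin"},
}

# Constructed bearer tokens -> authenticated caller id.
SESSIONS = {"tok-alice": 101, "tok-bob": 102}


# --- Vulnerable handler: the "unholy trinity" in one function ---------------
def get_user_v1(user_id, token=None):
    """Retired v1 endpoint that was never switched off (API9). It ignores the
    token entirely (API2) and hands back the full record (API3)."""
    return USERS.get(user_id)


# --- Hardened handler -------------------------------------------------------
PUBLIC_FIELDS = ("id", "name", "email")  # response allowlist: nothing else leaves


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def get_user_v2(user_id, token):
    """Authenticate the caller, enforce object-level authorization, then
    project the record onto the allowlist before returning it."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise Unauthorized("missing or invalid token")            # closes API2
    if caller != user_id and USERS[caller]["role"] != "admin":
        raise Forbidden("cannot read another user's record")      # object-level check
    record = USERS.get(user_id)
    if record is None:
        return None
    return {k: record[k] for k in PUBLIC_FIELDS}                  # closes API3


# --- Routing: retire v1 instead of leaving it reachable (closes API9) --------
ROUTES = {"/api/v2/users": get_user_v2}   # v1 is deliberately not registered


def dispatch(path, user_id, token=None):
    """Minimal router returning an HTTP-style {status, body} dict."""
    handler = ROUTES.get(path)
    if handler is None:
        return {"status": 410, "body": "endpoint retired"}
    try:
        body = handler(user_id, token)
    except Unauthorized as exc:
        return {"status": 401, "body": str(exc)}
    except Forbidden as exc:
        return {"status": 403, "body": str(exc)}
    if body is None:
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": body}


if __name__ == "__main__":
    # The old path leaks everything to an unauthenticated caller...
    print("v1 leak:", get_user_v1(102))
    # ...while the hardened path authenticates, authorizes and filters.
    print("v2 own record:", dispatch("/api/v2/users", 101, "tok-alice"))
    print("v2 cross-user:", dispatch("/api/v2/users", 102, "tok-alice"))
    print("v1 retired:", dispatch("/api/v1/users", 101))
```

The allowlist projection is the part most often skipped in practice: filtering on the client side, or relying on the client to request only certain fields, is exactly what API3 describes, so the server must own the projection.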

Shadow APIs

Shadow APIs will continue to be the top threat challenging the industry. Attacks on shadow APIs are effective because they exploit innocuous mistakes in development and asset management. These mistakes are frequently abused by bots, which rely on the defenders' lack of API visibility. New research by the Cequence CQ Prime Threat Research team reported that 31%, or 5 billion, of the malicious transactions it observed in the first half of 2022 targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs.
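The visibility gap described above is a reconciliation problem: what the API inventory says exists versus what the access logs show being served. The following Python is an added example (constructed, not part of the original post or any Cequence product) that compares a hypothetical OpenAPI-style path inventory against constructed access-log lines and reports successful requests to paths the inventory does not know about, collapsing numeric IDs so that an enumeration run shows up as one endpoint with a hit count rather than hundreds of distinct paths. The log format, the inventory and the endpoints are all assumptions for the example.

```python
"""Constructed example: find shadow APIs by reconciling documented path
templates against observed access-log traffic. Spec and logs are hypothetical."""
import re
from collections import Counter

# Documented inventory as OpenAPI-style path templates (constructed).
DOCUMENTED_PATHS = [
    "/api/v2/users/{id}",
    "/api/v2/orders",
    "/api/v2/orders/{id}",
]

# Constructed access-log lines: method, path, status, user agent.
# The v1 path and /internal/export are not in the inventory above.
ACCESS_LOG = """\
GET /api/v2/users/101 200 "Mozilla/5.0"
GET /api/v2/orders/55 200 "Mozilla/5.0"
GET /api/v1/users/101 200 "python-requests/2.28"
GET /api/v1/users/102 200 "python-requests/2.28"
GET /api/v1/users/103 200 "python-requests/2.28"
POST /internal/export?all=1 200 "curl/7.88"
GET /api/v2/orders?page=2 200 "Mozilla/5.0"
GET /api/v2/users/101/ssn 404 "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def template_to_regex(template):
    """'/api/v2/users/{id}' -> anchored regex where each {param} matches one
    non-empty path segment. Literal segments are escaped."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


DOCUMENTED_RE = [template_to_regex(t) for t in DOCUMENTED_PATHS]


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def is_documented(path):
    """Match the path (query string removed) against the inventory."""
    path = path.split("?", 1)[0]
    return any(r.match(path) for r in DOCUMENTED_RE)


def generalise(method, path):
    """Collapse purely numeric segments to {id} so /users/101 and /users/102
    are counted as the same endpoint."""
    path = path.split("?", 1)[0]
    return method + " " + re.sub(r"/\d+(?=/|$)", "/{id}", path)


def find_shadow_apis(log_text):
    """Return {generalised endpoint: hits} for successful (status < 400)
    requests to paths absent from the inventory. 4xx responses are ignored:
    a probe that was refused is not evidence of a live, unmanaged endpoint."""
    hits = Counter()
    for req in parse_log(log_text):
        if req["status"] >= 400 or is_documented(req["path"]):
            continue
        hits[generalise(req["method"], req["path"])] += 1
    return dict(hits)


def shadow_share(log_text):
    """Fraction of successful requests that went to shadow endpoints."""
    total = sum(1 for r in parse_log(log_text) if r["status"] < 400)
    shadow = sum(find_shadow_apis(log_text).values())
    return shadow / total if total else 0.0


if __name__ == "__main__":
    for endpoint, n in sorted(find_shadow_apis(ACCESS_LOG).items()):
        print(f"{n:4d}  {endpoint}")
    print(f"shadow share of successful traffic: {shadow_share(ACCESS_LOG):.0%}")
```

In a real deployment the inventory would come from the gateway or an OpenAPI export and the log from the edge, and the hit counts per user agent are what separate a forgotten internal tool from an automated scraper; here the v1 enumeration from python-requests is the kind of signal the post's 31% figure is built on.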

Consolidation of API Security Tool Vendors

We also predict further consolidation of API security tool vendors in 2023. As we have seen of late, in an attempt to offer end-to-end application protection, web application firewall (WAF) vendors have been acquiring bot management companies; examples include Imperva and Distil Networks, and F5 and Shape. Now their customers are looking to protect APIs with point products from a set of API security vendors, leading to vendor fatigue and alert fatigue. As we shift from an investment environment that rewarded “growth at any cost” to one that rewards “sustainable growth towards profitability”, numerous API security startups are going to find themselves with no better option than to be acquired. Enterprises still struggling with an acute talent shortage, despite the recent headlines about tech layoffs, will look for vendor consolidation. Vendors providing a complete, comprehensive platform or solution to today's growing application and API security challenges will be rewarded in 2023. Enterprise API security needs will only be met by a solution that covers the entire API protection lifecycle: visibility into all APIs, including public-facing, internal and unmanaged ones; mitigation of API vulnerabilities; API compliance; and detection and prevention of attacks on APIs.

Regulatory Scrutiny of API Security

With the increasing number of high-profile breaches, we predict increased regulatory scrutiny of API security, resulting in more government regulations and industry certification requirements. For example, if a business exposes APIs that carry any payment card information, that business and its technical partners must build and operate those APIs to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). In 2022, PCI DSS was updated (version 4.0) with more information and direction on the requirement to develop and maintain secure systems and software.

In Australia, recent data breaches have put a spotlight on API vulnerabilities, possibly driving the Australian Cyber Security Centre (ACSC) to add them to its influential Information Security Manual (ISM). The latest edition of the ISM, published by the ACSC, adds a new control “to ensure clients are authenticated when calling web application programming interfaces that facilitate access to data not authorized for release into the public domain.”

Targeting Telecom

In light of the data breaches in the telecommunications segment, we predict that in 2023 threat actors will seek to build on this momentum and exploit telecommunications companies that lack visibility into their APIs because of their many subsidiaries and partners. As telecom companies adopt new technologies, and the APIs that come with them, we predict the potential for data breaches in these businesses that expose millions of users' information and result in theft, fraud, and disruption.

The Good News: API Protection Solution

While some of these predictions may seem dire or overwhelming to stretched IT security teams, there is good news. Cequence has taken the approach that an effective API protection solution can protect APIs across the entire lifecycle, leveraging a collaborative effort that includes developers, application owners and the security team to accomplish the following:

Unified API Protection

For 2023, you can ensure an effective API protection program, and Cequence Security is here to help you start your journey beginning with an API security assessment.



Join Aakash Tiwari, Security Engineer at Cequence on Thursday, January 31st, where he will discuss what to look out for to ensure your APIs are protected.


Author

Ameya Talwalkar

President, Chief Executive Officer & Founder
