Security News

While API security remains a top cybersecurity concern this year, there is still an alarming lack of implementation for most companies, according to Traceable AI. Companies overlook API security. With insights from more than 100 cybersecurity professionals, the study showed that though 69% of organizations claim to factor APIs into their cybersecurity strategy, 40% of companies do not have dedicated professionals or teams for API security, while 23% of respondents do not know if there is dedicated API security in their organization.

Hackers are increasingly exploiting APIs to gain access to and exfiltrate sensitive data. When you unpack this statistic, it becomes rapidly clear that APIs interact with all types of data - including sensitive data like credit card information, health records, social security numbers, etc.

In several high-profile incidents, application programming interfaces emerged as a primary attack vector, posing a new and significant threat to organizations' security posture, according to Cequence Security. "As attack automation becomes an increasingly prevalent threat against APIs, it's critical that organizations have the tools, knowledge and expertise to defend against them in real- time," Talwalkar added.

For the first time, mobile Safari was one of the leading self-reported user agents, while the volume of bots claiming to be mobile browsers increased 42.78%. In 2020 and 2021, bad bots became the pandemic of the internet as automation became more sophisticated. "Cybercriminals will increase their focus on attacking API endpoints and application business logic with sophisticated automation. As a result, the business disruption and financial impact associated with bad bots will become even more significant in the coming years," Triebes continued.

GitHub is now automatically blocking the leak of sensitive information like API keys and access tokens for all public code repositories. This feature proactively prevents leaks by scanning for secrets before 'git push' operations are accepted, and it works with 69 token types detectable with a low "False positive" detection rate.

As highlighted by Postman's 2022 State of the API Report, "89% of respondents said organizations' investment of time and resources into APIs will increase or stay the same over the next 12 months," emphasizing the confidence in the growth of API development and deployment. SBOMs play a vital role in API risk evaluation and monitoring by providing visibility into the API's underlying components, making it easier to identify potential vulnerabilities and manage risks associated with third-party dependencies.

Three new security flaws have been disclosed in Microsoft Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services. This includes two server-side request forgery flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic.

75% of organizations typically change or update their APIs on a daily or weekly basis, creating a significant challenge for protecting the changing API attack surface, according to Data Theorem and ESG. Insecure APIs plague organizations. In a related finding, study results also revealed the majority of organizations have experienced at least one security incident related to insecure APIs in the last 12 months, while the majority of organizations have experienced multiple security incidents related to insecure APIs during the past year.

DDoS: DDoS attacks request a huge number of connections, to exhausts resources and potentially lead to a crash as the attack overwhelms both APIs and the backend systems that supply data to the APIs. Man in the middle attacks: MITM attacks occur when an outsider discreetly positions themself in a conversation between a user and an API endpoint, eavesdropping or impersonating one of the parties in a bid to steal or modify private data.

Content delivery network and cloud services provider Akamai, which recently acquired API security firm Neosec in a deal expected to close in the next two weeks, is joining the API security ecosystem. Akamai noted companies use an average of 1,061 apps and, to give a sense of the scope of attacks, noted that there were 161 million API attacks on Oct. 8, 2022 and peaked on Oct. 9.