
The majority of Internet traffic is driven by APIs and cybercriminals are exploiting this trend

Application programming interfaces (APIs) play a vital role in digital modernization by facilitating effective data exchange between applications and databases. According to The State of API Security in 2024 Report from Imperva, a Thales company, 71% of internet traffic in 2023 consisted of API calls. On average, an enterprise site witnessed 1.5 billion API calls in the same year.

Despite efforts to implement shift-left frameworks and SDLC processes, API security remains a concern because organizations often deploy APIs without proper cataloging, authentication, or auditing. With an average of 613 API endpoints in production, organizations risk leaving vulnerable endpoints exposed under the pressure to deliver digital services promptly. Cybercriminals view APIs as a valuable attack vector for accessing sensitive data, resulting in potential security breaches that could cost businesses up to $75 billion annually.

Increased API Calls Lead to More Vulnerabilities

In 2023, the highest volume of API calls was reported in the banking and online retail sectors, leading to increased API-related attacks, particularly in the financial services industry. In account takeover (ATO) attacks, cybercriminals exploit API authentication vulnerabilities to gain unauthorized access; nearly half of all ATO attacks targeted API endpoints. Automated attacks by bad bots pose a significant threat, causing revenue loss, compliance violations, and customer data compromise.

The Security Risks of Mismanaged APIs

Mitigating API security risks is a challenge for security teams due to the rapid pace of software development and insufficient tools and processes for collaboration. Mismanaged APIs, including shadow, deprecated, and unauthenticated APIs, pose security threats to organizations. Shadow APIs, which account for 4.7% of APIs, can lead to compliance violations and data breaches when left unmanaged. Deprecated APIs, comprising 2.6% of APIs, become vulnerable if not updated, while unauthenticated APIs (3.4% of APIs) expose organizations to data breaches and unauthorized access.

To address API security risks, organizations should conduct regular audits to identify and monitor API endpoints. Continuous monitoring, updates, and authentication controls are essential to prevent vulnerabilities and data breaches.

Protecting Your APIs

Imperva recommends several measures to enhance API security:

  1. Discover and classify all APIs, endpoints, and payloads to maintain an updated API inventory and protect sensitive data.
  2. Identify and secure high-risk APIs vulnerable to Broken Authorization, Authentication, and Data Exposure.
  3. Implement a robust monitoring system to detect and analyze suspicious activities on API endpoints.
  4. Adopt an API Security approach integrating Web Application Firewall, API Protection, DDoS prevention, and Bot Protection to defend against sophisticated threats like business logic attacks.
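
The inventory audit from recommendation 1 and the three mismanaged-API categories described earlier, sketched as an added example (not code from Imperva or the report). The inventory, the log format and the working definitions are assumptions made here: shadow means served but not in the inventory, deprecated means marked deprecated but still served, unauthenticated means served without credentials where the inventory requires them or the route is unknown.

```python
import re
from collections import defaultdict

# Constructed inventory (assumption): documented routes, lifecycle status, auth requirement.
INVENTORY = {
    ("GET", "/v2/accounts/{id}"): {"status": "active", "auth": True},
    ("POST", "/v2/transfers"): {"status": "active", "auth": True},
    ("GET", "/v1/accounts/{id}"): {"status": "deprecated", "auth": True},
    ("GET", "/v2/health"): {"status": "active", "auth": False},
}
# Constructed gateway log: method, path, response status, credential type ("-" = none sent).
LOG = """\
GET /v2/accounts/1001 200 bearer
POST /v2/transfers 201 bearer
GET /v1/accounts/1001 200 bearer
GET /v2/accounts/1002 200 -
GET /internal/export/77 200 -
GET /v2/health 200 -
GET /v2/accounts/1003 401 -
"""
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F-]{27})$")

def normalize(path):
    """Collapse numeric/UUID segments so per-object URLs map to one route."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))

def audit(log_text, inventory):
    """Return {(method, route): [findings]} for routes that need attention."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        method, path, status, cred = parts
        if not status.startswith("2"):
            continue  # only count requests that were actually served
        route = (method, normalize(path))
        entry = inventory.get(route)
        if entry is None:
            findings[route].add("shadow")
        elif entry["status"] == "deprecated":
            findings[route].add("deprecated")
        if cred == "-" and (entry is None or entry["auth"]):
            findings[route].add("unauthenticated")
    return {route: sorted(tags) for route, tags in findings.items()}
```

Run against the constructed log, `audit(LOG, INVENTORY)` flags the still-served v1 route, the v2 accounts route that answered without credentials, and the undocumented export route.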
