U.S. businesses face combined losses of $12 billion to $23 billion in 2022 due to compromises related to web application programming interfaces (APIs), which have proliferated with the increased adoption of cloud services and DevOps-like development methodologies, according to an analysis of breach data.
Over the past decade, API security has become a significant cybersecurity issue. Recognizing this, the Open Web Application Security Project (OWASP) released a list of the top 10 API security issues of 2019, pointing out major API weaknesses – such as broken object-level authorization, broken user authentication and excessive data exposure – that are critical issues for software makers and enterprises that rely on cloud services.
According to the Quantifying the Cost of API Insecurity report, released last week by application security firm Imperva and risk strategy firm Marsh McLennan, security concerns will only grow as APIs become a common model for cloud and mobile infrastructures.
“The growing security risks associated with APIs correlate with API proliferation,” said Lebin Cheng, vice president of API security for Imperva. “The volume of APIs used by enterprises is growing rapidly – nearly half of all enterprises have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs.”
Interestingly, the business losses have less to do with API-specific issues than one might expect, according to the analysis. Instead, breach recovery and business interruption account for the majority of cyber losses. Only a small subset of companies in any country suffered losses directly related to API vulnerabilities, according to the report.
API losses vary by industry
The data from Marsh McLennan comes from reported breaches, which represent a subset of all companies. Exploring that data reveals important differences in impact between groups of companies.
For example, some types of businesses (large IT and professional services companies, for example) are much more likely than others (smaller businesses and the financial sector, for example) to experience API-related security incidents.
“The $12 billion is not split among millions of companies,” a spokesperson for Marsh McLennan said. “The number of hacked companies, especially due to API insecurity, is considerably lower.”
Small businesses face the highest absolute number of API security events, with most incidents affecting businesses with revenue under $50 million. Yet API-related incidents only accounted for about 5% of their total number of security incidents. Conversely, large enterprises with over $50 billion in revenue are at a much higher risk of API-related breaches, with at least 20% of their security events involving APIs.
To some extent, the increased risk for large enterprises is due to the attack surface growth caused by APIs, but large enterprises are also more attractive targets, says Imperva’s Cheng.
“The proliferation of APIs, combined with the lack of visibility into these ecosystems, creates opportunities for massive and costly data leaks,” he said. “These are issues that scale with the size of an organization. Larger organizations have more APIs in production, and limited visibility leaves more APIs vulnerable. This makes enterprises an attractive target.”
Similarly, companies in Asia had just over 100 API security events combined, and US companies had over 600 API security events. The large number of reported security events overall in the United States resulted in API incidents representing a much smaller slice of the pie – around 5% compared to over 15% for Asia.
How to deal with API security issues
Unlike other types of application vulnerabilities, API security weaknesses typically involve authorization, authentication, or business logic issues rather than memory or input-handling bugs. Exploiting APIs often results in access to data or the ability to bypass a permission check, Cheng says.
To avoid this, companies need to have better visibility into how they are using APIs and create a comprehensive inventory of API traffic on their network, he explains.
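Cheng's two points, that API attacks typically use a valid token to slip past an authorization check, and that organizations lack visibility into what their APIs are doing, can be shown in a few lines. The following Python is an added example, not code from the report, Imperva or Marsh McLennan: a single "get invoice" endpoint written once with the broken object-level authorization pattern the OWASP API list puts first (the token is checked, ownership of the object is not) and once hardened, with a per-call audit record of the kind an API inventory is built from. The Session type, the invoices:read scope, the invoice ids and the audit format are all constructed for the example.

```python
# Added example (not from the report or from Imperva): a tiny in-memory
# "invoices" endpoint, written vulnerable and hardened, plus an audit trail.
# All identifiers, scopes and data below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Caller identity derived from an already-validated API token (assumed)."""
    user_id: str
    scopes: frozenset


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed sample data: each invoice belongs to exactly one user.
INVOICES: Dict[str, dict] = {
    "inv-1001": {"owner": "alice", "amount": 120.00},
    "inv-1002": {"owner": "bob", "amount": 75.50},
}

# Constructed audit trail: one record per call, answering "which user touched
# which object through which endpoint, and was it allowed?"
AUDIT_LOG: List[dict] = []


def audit(endpoint: str, session: Optional[Session], object_id: str, decision: str) -> None:
    AUDIT_LOG.append({
        "endpoint": endpoint,
        "user": session.user_id if session else None,
        "object": object_id,
        "decision": decision,
    })


def get_invoice_vulnerable(session: Optional[Session], invoice_id: str) -> dict:
    """Checks that the caller holds a token, never that the object is theirs.

    Any authenticated user can read any invoice by supplying its id: this is
    the 'valid token used to bypass a permission check' pattern.
    """
    if session is None:
        raise Unauthenticated()
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice_hardened(session: Optional[Session], invoice_id: str) -> dict:
    """Authentication, then scope check, then ownership check on the object itself."""
    endpoint = "GET /invoices/{id}"
    if session is None:
        audit(endpoint, session, invoice_id, "unauthenticated")
        raise Unauthenticated()
    if "invoices:read" not in session.scopes:
        audit(endpoint, session, invoice_id, "missing-scope")
        raise Forbidden()
    invoice = INVOICES.get(invoice_id)
    # A foreign object and a missing object get the same answer, so the
    # response does not reveal which ids exist.
    if invoice is None or invoice["owner"] != session.user_id:
        audit(endpoint, session, invoice_id, "denied")
        raise NotFound(invoice_id)
    audit(endpoint, session, invoice_id, "allowed")
    return invoice


def handle(handler, session: Optional[Session], invoice_id: str) -> Tuple[int, Optional[dict]]:
    """Maps a handler's outcome to an HTTP-style (status, body) pair."""
    try:
        return 200, handler(session, invoice_id)
    except Unauthenticated:
        return 401, None
    except Forbidden:
        return 403, None
    except NotFound:
        return 404, None


if __name__ == "__main__":
    bob = Session("bob", frozenset({"invoices:read"}))
    # Bob holds a perfectly valid token and asks for Alice's invoice.
    print("vulnerable:", handle(get_invoice_vulnerable, bob, "inv-1001"))  # leaks Alice's data
    print("hardened:  ", handle(get_invoice_hardened, bob, "inv-1001"))    # (404, None)
    print("audit:", AUDIT_LOG[-1])
```

The hardened handler returns 404 rather than 403 when the object belongs to someone else, so a caller probing ids cannot tell "exists but not yours" from "does not exist"; the audit record still captures the denied attempt, which is the signal a defender would aggregate per user and per endpoint to spot enumeration.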
“API-related security incidents are sophisticated attacks that use a valid API token to exploit a vulnerability in business logic to gain access to the data layer,” Cheng explains. “Without the right visibility into the API schema or schema changes, organizations often don’t know if an API is compromised or what data is being exfiltrated through the compromised API.”
API attacks are usually the initial access vector of a larger campaign. So while the initial intrusion may seem non-critical, the end result could be widespread compromise, Cheng says.
“API abuse is often part of a larger campaign that involves online fraud, such as account takeover or automated scraping,” he says. “Organizations need protection against a range of attacks that a criminal can use to abuse the API and gain access to the underlying data. If the organization is only focused on protecting the API endpoint, it neglects attacks on the application and/or business logic.”