Properly securing APIs is becoming increasingly urgent

Imperva released a new study that uncovers the rising global costs of vulnerable or insecure APIs. The analysis of nearly 117,000 unique cybersecurity incidents estimates that API insecurity results in $41-$75 billion of losses annually.

The study, conducted by the Marsh McLennan Cyber Risk Analytics Center, found that larger organizations were statistically more likely to have a higher percentage of API-related incidents. In fact, enterprises with revenues of at least $100 billion were 3-4x more likely to experience API insecurity than small or midsize businesses. The data suggests that large companies are particularly vulnerable to the security risks associated with exposed or unprotected APIs as these mature organizations accelerate digital transformation.

An API is the invisible connective tissue that enables applications to share data to improve end-user experiences and outcomes. The volume of APIs used by businesses is growing rapidly; nearly half of all businesses have between 50-500 deployed, either internally or publicly, while some have over a thousand active APIs.

Many APIs connect directly to backend databases where sensitive data is stored. As a result, hackers are increasingly targeting APIs as a pathway to the underlying infrastructure to exfiltrate sensitive information. Today, as many as 1 in every 13 cyber incidents can be attributed to API insecurity. As the number of APIs in production multiplies, this figure is expected to grow in the coming years.

The study also discovered substantial disparities between industries. IT, professional services, and retail are most likely to suffer API-related security incidents:

“Without a strategy for addressing API security, businesses around the world will continue losing incredible sums annually,” says Karl Triebes, SVP of Product Management; General Manager, Application Security, Imperva. “To mitigate the growing volume of API-related security threats, organizations need the ability to discover all the APIs in their environment, and to understand what data is flowing through each API.”

Recommendations for improving API security:

• Identify and classify data flowing through every API: Visibility is crucial for understanding the full schema of every API as well as identifying and classifying the data that flows through it so risks can be assessed.
• Automate discovery: APIs are produced quickly and modified often, making them a blindspot for many organizations. Through automation, organizations can eliminate rogue or shadow APIs. Further, by automating API inventory, the security team will have visibility into when developers modify APIs in production.
• Enable API governance: For organizations in highly regulated industries, an API governance model is crucial. This is only possible with visibility that extends beyond the API endpoint and into the underlying payload so sensitive data can be adequately protected.

“At the root of every API-related security incident is data,” added Triebes. “Protecting API requires a mindset shift; one that is focused on classifying data and understanding how data is accessed by every API in production. This approach requires security and development teams to work together to embed security into the development lifecycle. Until then, cybercriminals will continue to exploit vulnerable APIs to exfiltrate sensitive data in greater volumes.”