What lies ahead for API security in 2023?
API Abuses and Related Data Breaches
Gartner has said that API attacks would be the most common attack vector in 2022, resulting in data breaches for enterprise web applications. Gartner also predicts that by 2024, API abuses and related data breaches will double.
For 2023, we don’t see any reason to doubt that APIs will continue to be a top target for attackers, resulting in theft, fraud, and business disruptions. The recent Optus Telecom API security incident shows the new levels of analysis attackers are performing to understand how each API works, how they interact with each other, and what the expected outcome is. In another example of abusing the trust established by the API-host-to-user relationship, a local inventory search function used to enable Ulta Beauty customers to find and buy products nearby was hit by an attack that was 700 times larger than the average load.
Demand for API Protection Solutions
Demand for API protection solution that works across the entire API protection lifecycle, protecting all APIs, across all API implementations, channels, and infrastructure environments, and all user groups and business use cases will increase. Recent reports support this notion, observing that with the rising incidence of malicious attacks on APIs, the demand for API security solutions will grow at a compound annual growth rate (CAGR) of 26.3% between 2022 and 2032, totaling around $10B in revenue by 2032.
Talent Shortage
Stretched IT security teams will continue to have insufficient time on their side to uncover API vulnerabilities. Adding insult to injury, many security teams are put in a difficult situation of protecting their attack surface with constrained resources while dealing with the ongoing talent shortage. And attackers are sophisticated and relentless using advanced tools, such as artificial intelligence, machine learning, and automation. We predict they will increasingly be able to expedite—from weeks to days or hours—the end-to-end attack life cycle, from reconnaissance through to exploitation.
OWASP API Security Threats
We’ll see continued security incidents and data breaches highlighting how attackers are leveraging Open Web Application Security Project (OWASP) categorised security gaps to execute their attacks. The techniques observed in these incidents mimic those outlined in the API Protection Report where attackers are actively mixing and matching the OWASP API security categorised threats to bypass common security controls.
In the year ahead, we will see attackers evolve to use the unholy trinity of OWASP identified API security gaps. This combination will continue to involve three different tactics – Broken User Authentication (API2), Excessive Data Exposure (API3) and Improper Assets Management (API9) – to bypass common security controls and achieve their end goal. The increased combination of these three threats indicates that attackers will be performing new levels of analysis to understand how each API works – including how they interact with one another and what the expected result will be.
Shadow APIs
Shadow APIs will continue to be the top threat challenging the industry. Attacks on shadow APIs are effective because they exploit innocuous mistakes in development and asset management control. These mistakes are frequently abused by bots, who rely on the lack of API visibility among the defenders. New research by the Cequence CQ Prime Threat Research team reported that 31%, or 5 billion malicious transactions observed in the first half of 2022 targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs.
Consolidation of API Security Tool Vendors
Further consolidation of API security tool vendors is also expected in 2023. As we have seen of late, in attempts to offer end-to-end application protection, web application firewall (WAF) vendors have been acquiring bot management companies. Examples of this activity include Imperva and Distil Networks, and F5 and Shape. Now their customers are looking to protect APIs with point products from a set of API security vendors, leading to vendor fatigue and alert fatigue.
As we shift from an investment environment that rewarded “growth at any cost” to “sustainable growth towards profitability”, numerous API security startups are going to find themselves with little option but to be acquired. Enterprises still struggling with acute talent shortage, despite the deadlines of tech layoffs recently, will look for vendors providing a complete, comprehensive platform or solution to today’s growing application and API security challenges.
Enterprise API security needs will only be met by a solution that covers the entire API protection lifecycle which involves achieving visibility into all APIs, including public-facing, internal and unmanaged, and the mitigation of API vulnerabilities, ensuring API compliance, and the detection and prevention of attacks on APIs.
Regulatory Scrutiny of API Security
With the increasing number of high-profile breaches, there will be increased regulatory scrutiny of API security, resulting in more government regulations and industry certification requirements. For example, if a business uses APIs that carry any information regarding payment cards, that business and its technical partners must support those APIs to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). In 2022, the PCI DSS was updated to add more information and direction around the requirements to develop and maintain secure systems and software.
In Australia, recent data breaches have put a spotlight on API vulnerabilities, possibly driving the Australian Cyber Security Centre (ACSC) to add them to its influential Information Security Manual (ISM). The latest edition of the ISM adds a new control “to ensure clients are authenticated when calling web application programming interfaces that facilitate access to data not authorised for release into the public domain.”
Targeting Telecom
In the light of data breaches in the telecommunications sector, threat actors will seek to build on this momentum to exploit providers that lack visibility into APIs due to their many sub-companies and partners. As telecom companies adopt new technologies, and associated use of APIs, the potential for data breaches in these businesses will increase, impacting millions of users and resulting in theft, fraud, and disruption.
The Good News
While some of these predictions may seem dire or overwhelming and risk overloading already stretched IT security teams, there is good news. API protection solutions are available that can help to protect APIs across their entire lifecycle, leveraging a collaborative effort that includes developers, application owners and the security team to accomplish the following. When selecting a solution, the business should look for the provision of:
• Outside-in discovery: To gain an understanding of its public-facing API footprint and to see what an attacker would see.
• Inside-out inventory: Complements the external view of the APIs and related resources with a comprehensive inside-out API inventory, including all existing APIs and connections.
• Compliance monitoring: Continually analyses existing and new APIs to keep them in compliance with specifications such as the OpenAPI specification and ensures high API coding quality, consistency, and governance.
• Threat detection: Even perfectly coded APIs can be attacked, so it’s critical to continuously scanning the entire API inventory for threats, including subtle business logic abuses and malicious activity that has not yet been observed.
• Threat prevention: It’s critical to be able to respond quickly and natively with countermeasures such as alerts, real-time blocking and even deception, without the need for added third-party data security tools.
• Ongoing API testing: Integration of API protection into development to complement API security efforts defined by shift left efforts within the organisation, thereby preventing risky code from going live.
