APIs have become a major player in web traffic, accounting for a whopping 71% of it, according to a recent report by Imperva. This surge in API usage also poses a significant threat to corporate cybersecurity, as it expands the attack surface available to cybercriminals.

The report, titled the Imperva State of API Security Report, highlighted that attacks on the business logic of APIs make up the largest share at 27%, followed by automation at 19%. Business logic attacks have been growing by 10% annually and can include malicious activities such as credential stuffing, fake account creation, and data scraping.

Imperva warned that these types of attacks can lead to financial losses and compromise the integrity of transactions, as they can be used to exfiltrate sensitive data or disrupt critical applications. The financial impact of such attacks can be extensive, resulting in increased spending on incident response, customer support, compliance challenges, and damage to a company’s reputation.

Additionally, the report noted a surge in account takeover (ATO) API attacks, with 46% of all ATO attacks targeting API endpoints last year. These attacks occur when threat actors exploit vulnerabilities in API authentication to gain unauthorized access to user accounts.

One of the challenges faced in securing APIs is the incomplete visibility that many organizations have of their API ecosystem. Imperva estimated that each enterprise account has an average of 29 shadow APIs that are undocumented or undiscovered.

“Discovering every API in your ecosystem, including those previously unidentified, including unauthenticated and shadow APIs, is a critical step in the path to securing APIs,” Imperva emphasized.

Fabio

Full Stack Developer
