An application programming interface, better known by its punchier acronym API, is often treated as an emerging attack vector when it is actually a very prevalent one.
IT professionals and security leaders everywhere might be nodding their heads—or perhaps scratching them. Because while some orgs are very familiar with the damage APIs can cause, many aren’t.
That’s why Akamai, a leader in cloud computing, security, and content delivery solutions, is sharing a gold mine of insights in The 2024 Akamai API Security Impact Study.
So, what’s the consensus, the specific risk(s), and the steps organizations can take to better protect themselves against this modern challenge? We’re diving into Akamai’s study to highlight their findings.
Let’s get into IT.
APIs: The consensus
To fully explore the state of API protection, Akamai surveyed 1,207 leaders and practitioners not only in the US but also across the UK and (as of 2024) Germany. They surveyed a balance of:
- CISOs, CIOs, CTOs, senior security professionals, and AppSec teams at organizations ranging from under 500 to 1k+ people
- eight industries: financial services, retail/e-comm, healthcare, government/public sector, manufacturing, energy/utilities, and (again, as of 2024) automotive and insurance
Quite the breadth of voices. Yet the overwhelming majority agrees that:
- They’ve seen API security incidents rise for three consecutive years.
- They’re spending more than half a million dollars on average to address and recover from API-related incidents ($943,162 is the average financial impact, according to US C-suite respondents).
- They’re feeling the human toll of API incidents, with internal scrutiny, stress, and reputational damage being just as costly as literal $$$.
Respondents also indicated that the traditional tools they’ve relied on to protect APIs do not fully cover the risk. 84% of respondents reported experiencing an API security incident in the past 12 months, up from 78% last year.
So, what’s the holdup in tackling this clearly growing and ever-present threat? Well, it’s not exactly that simple.
Akamai’s findings allowed them to infer one key factor behind why API security strategies have yet to take greater priority despite such evidence: There’s likely a lack of alignment among key security stakeholders on the number, location, and risk attributes of APIs. This is due to poor visibility and no real, single source of truth.
Teams are already stretched thin handling other pressing threats (it’s like the Wild West out there). This probably takes up the majority of their budgets, focus, and efforts. The study also found that only 13% and 18% of respondents test their APIs daily and in real time, respectively, from API development through production.
Attack points and pointers
According to Akamai’s findings, attackers target four types of unmanaged APIs to access your data:
- Shadow APIs: Also known as undocumented APIs, these bad boys exist and operate outside of an org’s official monitored channels.
- Rogue APIs: These unauthorized or malicious APIs pose a security risk to a system or network.
- Zombie APIs: These include any APIs that have been left running even after being replaced by new versions or other APIs (and nobody wants to turn their back on an army of the undead).
- Deprecated APIs: Due to changes in the API, these are no longer recommended for use.
There are also APIs with known vulnerabilities that have yet to be patched, APIs with external exposures like credentials or keys, APIs with operator errors, and APIs with undiscovered vulnerabilities.
Akamai gauged that inventory measurement hasn’t been standardized enough to produce a single-source API count. It’s also pretty likely that even enterprises with full inventories don’t have full knowledge of which APIs handle sensitive data.
Knowing which APIs return sensitive data is always important, but a partial inventory can actually be the most dangerous. That motley crew of shadow, rogue, zombie, and deprecated APIs is highly targeted, poorly protected, and usually has no problem sneaking past traditional security tools.
With enterprises still relying on security products not built specifically for discovering and securing APIs—and still unable to define an API’s risk attributes—addressing these disconnects is a crucial first step.
Protect and defend
Now for the good stuff: solutions and defenses.
Let’s start with WAAP + API-specific protections. Designed to quickly identify and mitigate threats from a plethora of attack vectors, web application and API protection (WAAP) extends the traditional protections of a web application firewall (WAF). An API security solution working in tandem can extend protections even further beyond the firewall to foster the strongest defense possible. *Pumps fist.*
Also, if you test APIs in dev—frequently and efficiently, through automation—before they’re released to production, you place your organization, your developers, and your security team at an immediate advantage, in terms of lowering stress caused by unknown vulnerabilities and costs.
While testing isn’t gaining ground, IT and security professionals should begin considering this method to meet this growing attack vector head-on. To move to a more mature posture for API security, organizations can start with these steps, courtesy of Akamai:
- API discovery and visibility: Seek out tools with an automated approach. Breadth is critical because unmanaged APIs are prime targets.
- Testing: Testing is ideally done prior to deployment, but it’s also important to test APIs already in production with real-time analysis.
- Full API documentation: Audit, audit, audit! This also helps orgs prepare for compliance mandates that involve API security.
- Runtime detection: An API solution with automated runtime detection helps you tell normal API activity apart from abnormal activity.
- Suspicious behavior monitoring: By integrating an API security solution with your existing security stack, you’ll foil high-risk behavior and traffic before it creates a jam.
- Vigilance: In the most mature API security stage, forensic analysis of past data checks whether alerts correctly identified threats, which in turn enables proactive threat-spotting.
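To make the discovery and documentation steps concrete, here is an added example (not Akamai’s tooling, and not from the study) of how a team can reconcile its documented API inventory against what is actually serving traffic. The inventory, the access-log lines, and every endpoint path in it are constructed for illustration. Observed endpoints that aren’t in the inventory are flagged as shadow, entries documented as retired but still answering requests as zombie, and entries marked deprecated as deprecated. Rogue APIs can’t be identified from traffic alone, so the script leaves that call to an ownership review of whatever lands in the shadow bucket.

```python
"""Reconcile a documented API inventory against observed gateway traffic.

Added example with constructed data; not Akamai's tooling.
"""
import re
from collections import Counter

# Constructed documented inventory: normalized path -> attributes.
# "status" is active, deprecated, or retired (replaced and meant to be off).
DOCUMENTED_INVENTORY = {
    "/v2/users/{id}": {"status": "active", "sensitive": True},
    "/v2/orders": {"status": "active", "sensitive": False},
    "/v1/users/{id}": {"status": "retired", "replaced_by": "/v2/users/{id}", "sensitive": True},
    "/v1/orders": {"status": "deprecated", "sensitive": False},
}

# Constructed access-log lines in a combined-log-like layout.
ACCESS_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /v2/users/1042 HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2024:10:01:05 +0000] "GET /v1/users/1042 HTTP/1.1" 200 498
198.51.100.3 - - [10/May/2024:10:02:11 +0000] "POST /internal/export HTTP/1.1" 200 20480
198.51.100.3 - - [10/May/2024:10:02:40 +0000] "GET /v1/orders?page=2 HTTP/1.1" 200 1024
203.0.113.9 - - [10/May/2024:10:03:00 +0000] "GET /v2/orders HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric path segments to {id}
    so that /v2/users/1042 and /v2/users/77 count as one endpoint."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def observed_endpoints(log_text: str) -> Counter:
    """Count calls per (method, normalized path) seen in the log."""
    seen = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match:
            seen[(match.group("method"), normalize_path(match.group("path")))] += 1
    return seen


def classify(path: str, inventory: dict) -> str:
    """Map an observed endpoint to shadow / zombie / deprecated / managed."""
    entry = inventory.get(path)
    if entry is None:
        return "shadow"  # serving traffic but undocumented
    return {"retired": "zombie", "deprecated": "deprecated"}.get(entry["status"], "managed")


def reconcile(log_text: str, inventory: dict) -> list:
    """Build a per-endpoint report; 'sensitive' is None when unknown (shadow)."""
    report = []
    for (method, path), calls in sorted(observed_endpoints(log_text).items()):
        entry = inventory.get(path, {})
        report.append({
            "method": method,
            "path": path,
            "calls": calls,
            "class": classify(path, inventory),
            "sensitive": entry.get("sensitive"),
            "replaced_by": entry.get("replaced_by"),
        })
    return report


def unmanaged(report: list) -> list:
    """Everything that needs an owner, a shutdown, or documentation."""
    return [row for row in report if row["class"] != "managed"]


if __name__ == "__main__":
    for row in unmanaged(reconcile(ACCESS_LOG, DOCUMENTED_INVENTORY)):
        note = f" (replaced by {row['replaced_by']})" if row["replaced_by"] else ""
        print(f"{row['class']:<10} {row['method']} {row['path']} calls={row['calls']}{note}")
```

Run against the previous day’s gateway log on a schedule and the shadow and zombie rows become the starting list for the audit step: each one either gets documented and assigned an owner or gets switched off. Carrying the `sensitive` flag through the report is what lets you rank that list by data exposure instead of by call count.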
Keep an eye on APIs
Clearly, APIs aren’t just an emerging attack vector. They’re a deeply prevalent one. Luckily, industry leaders like Akamai are consistently gathering insights and pointers to help organizations of all sizes batten down the hatches against this modern threat.
Want more of Akamai’s expertise and tips when it comes to APIs? You can download the full version of The 2024 Akamai API Security Impact Study right here.
Turning the tide on APIs starts now.