2023 Predictions: API security demands a closer look

Over the course of 2023, application programming interface (API) security will come into focus as more organisations continue their digitalisation journeys. Today's organisations rely on APIs to deliver digital services and key business initiatives.

API traffic has grown 168% in the past year alone, with APIs being developed, deployed and modified more quickly than ever before to streamline business processes and make customer experiences more seamless.

From payments and ‘sign-in with’ technology, to location services, price comparison websites or online banking, APIs serve as the glue that connects all of the critical data needed to run today’s new digitalised services. APIs are an inescapable facet of our online and mobile lives.

However, as API usage grows at this unprecedented pace, attackers gain a potentially wider attack surface to exploit. Because organisations rely on APIs to connect customers and employees and to deliver potentially sensitive data to third parties, security must be paramount, especially in an age of increased regulation.

Traditional security solutions such as bot mitigation, WAFs and API gateways don’t offer adequate protection against today’s API attacks, which are ‘low and slow’ and can unfold over days or even months.

Attack activity looks like normal API traffic to these traditional tools: their architecture limits them to inspecting one transaction at a time, and they depend on signatures of known attack patterns. That model suits ‘one and done’ attacks that leverage known vulnerabilities, but it doesn’t transfer to APIs. Every API is unique and has its own business logic.

Cyber criminals must probe APIs over and over again to find business logic gaps they can exploit – hence the low and slow nature of an API attack. The problem here is that attackers looking to exploit APIs often use proprietary attack methods aimed at business logic flaws – each of which is essentially a zero-day exploit, unique to the API itself.

Basic security controls, such as authentication, authorisation and encryption, also fall short of meeting today’s API security challenges. Businesses need rich context to understand their growing API ecosystems and fully protect them. They must be able to understand what normal API behaviour looks like so they can automatically detect anomalies among millions of API calls. Without this depth of context, organisations place themselves at risk of API security breaches that can have catastrophic effects.
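To make the contrast concrete, the following added example (not part of the original article) runs two checks over a constructed API access log: a per-transaction signature match of the kind a WAF applies, and a cross-transaction check that looks at how many distinct object IDs a client touches and how often it is denied within a time window. The log format, client names, paths and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log, one request per line: "<epoch> <client> <method> <path> <status>".
# Client c-42 walks through account IDs slowly over half an hour; c-7 behaves normally.
SAMPLE_LOG = """\
1700000000 c-7 GET /api/v1/accounts/1001 200
1700000005 c-42 GET /api/v1/accounts/2000 403
1700000012 c-7 GET /api/v1/accounts/1001/transactions 200
1700000300 c-42 GET /api/v1/accounts/2001 403
1700000600 c-42 GET /api/v1/accounts/2002 200
1700000900 c-42 GET /api/v1/accounts/2003 403
1700001200 c-42 GET /api/v1/accounts/2004 403
1700001500 c-7 GET /api/v1/accounts/1001 200
1700001800 c-42 GET /api/v1/accounts/2005 403
"""

LINE_RE = re.compile(r"(\d+) (\S+) (\S+) (\S+) (\d{3})")
# Crude per-request signatures of the kind a signature-based tool relies on (assumed).
SIGNATURES = ("' OR ", "<script", "../", "UNION SELECT")

def parse(log):
    return [(int(t), c, m, p, int(s)) for t, c, m, p, s in LINE_RE.findall(log)]

def signature_hits(events):
    """Per-transaction check: each request is judged alone against known patterns."""
    return [e for e in events if any(sig in e[3] for sig in SIGNATURES)]

def behavioural_hits(events, window=3600, max_ids=3, max_denied=0.5):
    """Cross-transaction check: per client, count distinct account IDs touched and
    the share of denied responses inside a sliding window. Thresholds are assumed
    baselines that a real deployment would learn from its own normal traffic."""
    by_client = defaultdict(list)
    for t, client, _, path, status in events:
        m = re.search(r"/accounts/(\d+)", path)
        if m:
            by_client[client].append((t, m.group(1), status))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            win = [h for h in hits[i:] if h[0] - t0 <= window]
            ids = {h[1] for h in win}
            denied = sum(1 for h in win if h[2] in (401, 403, 404)) / len(win)
            if len(ids) > max_ids and denied >= max_denied:
                flagged[client] = (len(ids), round(denied, 2))
                break  # one verdict per client is enough
    return flagged
```

On this log the signature check flags nothing, because no single request carries a malicious payload, while the behavioural check flags c-42 for touching six distinct account IDs with most requests denied.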

In the past 12 months, 94% of organisations experienced an API security incident in production, with API attack traffic growing 117% in the same period. This makes dedicated API protection essential for companies that want to innovate in a highly competitive market while meeting their customers’ high expectations and remaining compliant.
