
Expanding API Security Awareness at API World


Written by

Abigail Ojeda

November 29, 2022


Abigail Ojeda is a Product Marketing Manager at Akamai.

As analysts and brands have validated in the last few years, API security should be a primary concern for organizations looking to protect vulnerable components of their security infrastructure. These concerns are reinforced by a 2022 study that discovered “95% of companies have had an API security incident in the past 12 months, with API attack traffic growing by 681%.”

The evolution of API attacks

In response to this industry trend, Akamai experts Sudhir Chepeni, Director of Application Security, and Patrick Sullivan, Vice President, CTO of Security Strategy, spoke at API World on October 26, 2022, and educated audiences on the evolution of API attacks so that organizations can implement more targeted security practices. 

“A growing awareness of the importance of API security has been reinforced by the focus on security at API World,” Sullivan said. “This year, there was an entire API security track focusing on the various stakeholders that are a part of the API security process — I’ve not seen the same level of focus on API security in the past.”

Chepeni and Sullivan showed their audiences the wide range of API attack types by discussing topics like the OWASP API Security Top 10 and the importance of development practices in API security. Much of their focus on these topics is driven by Akamai’s level of visibility.

Insights from visibility

In the last 30 days, Akamai has observed more than 5 trillion API calls being made on its network, more than 300 terabytes of API payload scans on a daily basis, and more than 17 million API attacks on the financial services industry in 7 days.

These signals led Chepeni and Sullivan to also address the various types of API attacks that are not commonly mentioned. Beyond APIs, Akamai provides bot and distributed denial-of-service (DDoS) protections that also give insight into the types of attacks being attempted across the network. Overall, this visibility means that our understanding of API security is informed by a wide range of signals.

Examples of attack types

DDoS attacks overwhelm a target API with fake traffic and can cause damage like:

  • Clogged internet pipes 

  • Overwhelmed hardware 

  • Overwhelmed web infrastructure 

  • Overwhelmed DNS infrastructure 

In other instances, attackers use bots for credential stuffing attacks that compromise API authentication processes. This issue is exemplified in the retail space — Akamai recently found that malicious bot activity jumped more than 55% during India’s Diwali shopping holidays. 

The three overall principles of APIs

Overall, when it comes to APIs, Chepeni and Sullivan said there are three principles to keep in mind: 

  1. The future of stopping API attacks is visibility. Organizations need to know how their APIs are behaving even inside their firewall. They also need a security provider who has visibility into a large API ecosystem beyond their own, which will help protect their overall security posture. 

  2. APIs are growing. Not only are more and more APIs being created to meet business demands, but more and more API calls are being made. As a result, the attack surface is expanding, which introduces more risks.

  3. APIs can be easily compromised. As APIs continue to be built and used to connect business functions, more flawed APIs exist in the system. With attackers actively searching for vulnerabilities, like some of those listed in the OWASP API Security Top 10, simple attacks now have more opportunity. 

Wanted: a fast, engaging, and secure experience

We know that customers expect their digital experience to be consistently fast, consistently engaging, and completely secure. To achieve all that, we must know how to protect their APIs, which are at the center of the digital experience.

Reach out

In addition to protecting our current customers, Akamai threat researchers continue to analyze data daily to look for signs of new vulnerabilities. If you’d like to talk to us about our research, we would love to hear from you! You can reach us through the Contact Us page, or tweet us at @Akamai_Research.


