APIs, Web Applications Under Siege as Attack Surface Expands
Attackers are increasingly targeting web applications and APIs, with a nearly 50% year-over-year growth in web attacks, driven by the increased adoption of these technologies, which significantly expanded organizational attack surfaces, according to an Akamai report.
During this period, a staggering 108 billion API attacks were recorded, highlighting the dramatic rise in attempts to exploit these interfaces for accessing valuable data.
The report noted these attacks pose significant risks, including fraud, financial losses and regulatory sanctions.
Distributed denial of service (DDoS) attacks targeting critical Layers 3, 4, and 7 were particularly disruptive, capable of causing downtime and business interruptions.
Popular attack methods included local file inclusion (LFI), cross-site scripting (XSS), SQL injection (SQLi), command injection (CMDi) and server-side request forgery (SSRF), all of which saw significant increases.
The research also pinpointed commerce, high technology and social media as the industries most frequently targeted by application layer DDoS attacks, with more than 11 trillion attacks recorded over 18 months.
Commerce organizations experienced the highest volume of web attacks, more than double those faced by the technology sector.
This exposure is attributed to the commerce industry’s reliance on web applications and APIs, coupled with pressures to rapidly bring products to market, often at the expense of robust security measures.
The report added that the surge in attacks in June 2023 indicated a possible link to geopolitical events.
Strong Governance, Integrated Testing
Eric Schwake, director of cybersecurity strategy at Salt Security, advised organizations to implement a comprehensive approach to API security, including strong API governance.
“This entails keeping an updated inventory of all APIs, evaluating their potential risks and consistently applying security protocols across all APIs,” he said.
Additionally, it’s crucial to establish robust authentication and authorization measures, conduct regular security assessments and employ runtime protection to identify and prevent attacks in real-time.
He added integrating API security testing earlier in the development process — shifting security left — is also essential.
Schwake pointed out attackers often focus on vulnerabilities such as broken authentication, excessive data exposure and injection flaws.
“Organizations should prioritize strong input validation, proper error handling and precise access controls to address these issues,” he said.
Implementing measures like rate limiting and monitoring for unusual traffic patterns can help detect and prevent API abuse.
Due to the high volume of API traffic, it’s important to have solutions that can sift through anomalous traffic to identify truly malicious activity, often through advanced AI-based detection techniques.
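As an added defender-side illustration (not code from the Akamai report or any vendor quoted here), the following Python replays a constructed API access log through a sliding-window rate limiter and separately flags clients whose share of 401/403 responses points to authentication probing rather than mere volume. The log format, client addresses (from the documentation range 203.0.113.0/24) and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed API access log for illustration (not data from the report):
# (timestamp in seconds, client address, path, HTTP status).
SAMPLE_LOG = (
    [(t, "203.0.113.5", "/api/login", 401) for t in range(7)]            # 7 failed logins in 7 s
    + [(7, "203.0.113.5", "/api/login", 200)]                            # then one success
    + [(t, "203.0.113.9", "/api/orders", 200) for t in (0, 90, 200, 400)]  # normal client
    + [(t, "203.0.113.22", "/api/users", 200) for t in range(10, 16)]    # 6 requests in 6 s
)


class SlidingWindowLimiter:
    """Allow at most `limit` accepted requests per client in any `window`-second span."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client -> timestamps of accepted requests

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:  # forget requests older than the window
            q.popleft()
        if len(q) >= self.limit:  # rejected requests are not recorded
            return False
        q.append(now)
        return True


def review_traffic(log, limit=5, window=60, fail_ratio=0.5, min_requests=3):
    """Replay the log in time order. Return per-client throttle counts and the set of
    clients whose 401/403 share suggests credential or authorization probing."""
    limiter = SlidingWindowLimiter(limit, window)
    throttled, totals, auth_failures = defaultdict(int), defaultdict(int), defaultdict(int)
    for ts, client, _path, status in sorted(log):
        totals[client] += 1
        if status in (401, 403):
            auth_failures[client] += 1
        if not limiter.allow(client, ts):
            throttled[client] += 1
    suspicious = {
        c for c, n in totals.items()
        if n >= min_requests and auth_failures[c] / n >= fail_ratio
    }
    return dict(throttled), suspicious


if __name__ == "__main__":
    print(review_traffic(SAMPLE_LOG))
```

The high-volume client 203.0.113.22 is only throttled, while 203.0.113.5 is both throttled and flagged for its failure ratio, which is the distinction a pure rate limit cannot make on its own.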
“Establishing API posture governance can help identify and fix misconfigurations or vulnerabilities before attackers exploit them,” Schwake said.
Joni Klippert, co-founder and CEO at StackHawk, said AppSec teams must first understand what applications and APIs exist in their organization’s attack surface.
“The adage ‘you can’t secure what you don’t know about’ is absolutely true and necessary to mitigate the rising number of attacks,” she said. “Getting a comprehensive understanding of the apps and APIs in your attack surface is not a once-and-done process either.”
Developers are pushing out new code and expanding attack surfaces daily, so AppSec teams need a way to keep up, requiring a reliable and continuous discovery process.
Klippert explained that starting the discovery process internally, instead of waiting for network traffic to inform the organization, allows AppSec teams to secure new assets before they are exposed and become vulnerable.
API Security Challenges Continue
Scott Gerlach, co-founder and CSO at StackHawk, admitted API security continues to be challenging because the rapid pace of development outpaces available security resources, leading to overlooked vulnerabilities.
“The security teams’ limited visibility during development and playing catch-up with new and existing APIs further emphasizes risks,” he said.
Organizations can make API security more attainable by fostering collaboration between security and engineering teams and utilizing code-generated API documentation for accurate testing.
They should also integrate security tests early in development pipelines, provide developers with contextual vulnerability information and automate routine security tasks.
“This approach enables a proactive security strategy, minimizes vulnerabilities, and allows security teams to focus on complex testing, enhancing the organization’s overall API security posture,” Gerlach said.