APIs are becoming a worrying security target - here's what your business can do to stay safe
Web Application Firewalls no longer cut it, Imperva argues
The number of API-targeted attacks rose significantly as APIs became a more attractive and reachable target, a new report from Imperva has said.
APIs, or Application Programming Interfaces, are software intermediaries that allow two applications to essentially talk to each other. Some of the biggest benefits of APIs are seamless connectivity, improved user experience, and innovation. For years now, API traffic has been outgrowing human traffic, and last year, the researchers said, API traffic constituted more than 71% of all web traffic. This has drawn the attention of cybercriminals, who have sought to abuse the trend for different purposes.
Attacks targeting the business logic of APIs constituted 27% of all attacks last year, up by 10% compared to 2022. Account Takeover (ATO) attacks targeting APIs also rose, from 35% in 2022 to 46% in 2023.
Lucrative attacks
Elsewhere, the report claimed the average number of API calls to enterprise sites is 1.5 billion. The high volumes of non-human, automated traffic are “undeniably” linked to the rise in automated attacks on APIs, the researchers added.
As a result, businesses need robust security measures to defend against things like Distributed Denial of Service (DDoS) attacks, or ATOs. In fact, 46% of all ATO attacks targeted API endpoints, they said. Finally, attackers are honing their strategies, and 28% of all DDoS attacks on APIs are going after financial services organizations.
Traditional security tools, like Web Application Firewalls (WAF), will not suffice, Imperva concludes. API attacks will adeptly masquerade as regular traffic, rendering these defense mechanisms useless.
Many IT professionals seem to agree with Imperva, as a recent Barracuda report found 55% saying that attacks on APIs are the most lucrative ones for criminals. Barracuda claims that "attackers will often target old vulnerabilities that security teams have forgotten about," and that "multiple layers" of security are needed to secure web apps and APIs.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.