APIs in Peril: API Attacks Increasing
March 13, 2024

The number and severity of API attacks and vulnerabilities are increasing according to the API ThreatStats™2024 Report from Wallarm — there was a 30% increase in API-related Common Vulnerabilities and Exposures (CVEs) and security bulletins in 2023 compared to 2022.

Additionally, malicious requests involving APIs that Wallarm blocked rose significantly from 54% in 2022 to 70% in 2023.

These attacks aren't going unnoticed by the public. Half of the top 20 most mentioned vulnerabilities in Google Searches are API-related, indicating growing public awareness and concern about API security.

"The growth in malicious API requests and rising public awareness of APIs in 2023 prove that API security is growing increasingly crucial for business leaders and cybersecurity professionals to prioritize in their digital security strategies," said Ivan Novikov, CEO of Wallarm.


Source: Wallarm

Injections and API leaks dominate top API security risks

Injections, which involve malicious data or code being inserted into an API that leads to unauthorized access and data breaches, nabbed the first spot on the "Top 10 API Security Risks for 2023" list.

Although a newer entry on the list, API leaks ranked fourth due to their potential for unrestrained disclosure of sensitive data, often through negligent methods. API leaks are often overlooked, as evidenced by their absence from the OWASP Top 10 threat list.

API security bugs rule the bounty game with 62% of rewards

In 2023, most bug bounties — ethical hackers that test and challenge major companies' security systems — were for API security: 62% of all bounty payments. Notably, API-related bounties are higher in value compared to other categories. The highest payout for an API bug was $15,000, three times larger than the highest non-API payout of $5,000.

Social media platform Snapchat had the highest bug bounty payout in 2023, signifying more major players see the importance of getting ahead of critical security flaws.

API security predictions for 2024 that demand immediate action

The report predicts there will be an intensified focus on emerging API data leaks as a significant risk in 2024, emphasizing the prevention of sensitive information breaches that include API keys and JWT tokens.

There will also be a shift towards adopting novel metrics for vulnerability triaging and an increased focus on addressing broken access control and authorization (BOLA) issues in API security strategies.

Share this

Industry News

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.

April 10, 2024

Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.

April 10, 2024

AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.

April 09, 2024

Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.

April 09, 2024

Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.

April 09, 2024

appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).

April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

April 09, 2024

DataStax announced innovative integrations with API extensions to Google Cloud’s Vertex AI Extension and Vertex AI Search, offering developers an easier time leveraging their own data.

April 08, 2024

Parasoft introduced C/C++test CT, a comprehensive solution tailored for large teams engaged in the development of safety- and security-critical C and C++ products.

April 08, 2024

Endor Labs announced a strategic partnership with GuidePoint Security.

April 08, 2024

Hasura announced the V3 of its platform, providing on-demand API composability with a new domain-centric supergraph modeling framework, a distributed supergraph execution engine and a rich and extensible ecosystem of open source connectors to address the challenges faced during integration of data and APIs.

April 04, 2024

DataStax has entered into a definitive agreement to acquire AI startup, Logspace, the creators of Langflow, an open source visual framework for building retrieval-augmented generation (RAG) applications.1