The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families, extending beyond cybersecurity specialists.
The proof is in the data, and Akamai's new research report, State of Apps and API Security 2025: How AI Is Shifting the Digital Terrain, provides it. Overall, traditional web attacks targeting web applications and APIs continue to rise, with a 65% increase between Q1 2023 and Q4 2024. This shows that the capabilities being developed are under increasing levels of attack.
Key findings of this report include:
■ API abuse: The study reveals only 13% of surveyed organizations test their APIs daily, which is a marked decrease from 37% in 2023
■ Zombie/Shadow API: The study also reveals 47% of AppSec teams maintain full API inventories but fail to identify APIs that handle sensitive data
■ Bot mitigation: AI-based bot fraud attacks against retailers increased consistently between August 2022 and April 2024, with a striking 137% spike in January 2024
These statistics allow teams to understand where they should direct best practices and security controls to have the greatest impact. Security teams often encounter obstacles in detecting API abuse because they lack visibility into, or metrics for, their standard baseline. Because of this, teams need an adaptive security engine that continuously monitors and responds to threats in real time and provides threat intelligence and runtime protection. This should be paired with API testing tools such as dynamic application security testing (DAST) to ensure that security requirements, including secure access, encryption, and authentication risk mitigation, are actually met.
Industry and regional insights
The report also breaks out insights by industry and region that provide perspective and help international companies tailor budgets to geographical trends. The graphic below lays out regions at a glance from January 2023 to December 2024 (LFI denotes local file inclusion; XSS, cross-site scripting; WAT, web attack tool; SSRF, server-side request forgery).
Most common attack vector insights
What should organizations prioritize for coding best practices? The graphics below lay out web and API attacks by volume. You can prioritize quality assurance and runtime testing based on the most common attacks.
Surviving compliance and audit insights
Frameworks and compliance are also great metrics to leverage (see graphic below). The Open Worldwide Application Security Project (OWASP) publishes Top 10 lists for web, API and LLM applications that should guide coding practices to minimize shipping the most-attacked vulnerability classes. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a terrific way to understand the most common attack tactics and techniques, and here again the number of cybercriminal organizations leveraging these techniques continues to increase.
When it comes to audits, the top references are: International Organization for Standardization (ISO) 27001 for Information Security Management Systems (ISMS), the European Union (EU) General Data Protection Regulation (GDPR) for privacy standards, and the Payment Card Industry Data Security Standard (PCI DSS) for credit card transactions. These are also seeing increased requirements that map to attack patterns.
The report breaks out case studies that dive into issues such as broken object property level authorization (BOPLA), which exploits granular field-level access issues in APIs that are often overlooked during security testing. Unlike broken object level authorization (BOLA), which requires changing entire object IDs, BOPLA attacks target specific properties within objects. For instance, a DELETE API call that exposes sensitive personally identifiable information (PII) in its response constitutes a BOPLA vulnerability. This subtlety makes BOPLA issues more prevalent than BOLA attacks.
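As an added illustration (not code from Akamai's report or from any product named here), the following Python model shows the two property-level failure shapes behind BOPLA, a DELETE handler that echoes PII in its response and a PATCH handler that accepts any property, each beside its hardened form. The user record, the field allowlists and the handler names are constructed assumptions for the example.

```python
# Assumed API contract: properties a client may read in a response and
# properties a client may set in a request body; everything else (here
# email and SSN, plus the server-controlled role) must not cross the boundary.
RESPONSE_FIELDS = {"id", "name", "role"}
CLIENT_WRITABLE_FIELDS = {"name", "email"}

def sample_store():
    """Fresh copy of a constructed user record (hypothetical data)."""
    return {42: {"id": 42, "name": "Alice", "email": "alice@example.com",
                 "ssn": "123-45-6789", "role": "user"}}

def project(record):
    """Keep only the properties the contract allows in a response."""
    return {k: v for k, v in record.items() if k in RESPONSE_FIELDS}

def delete_user_vulnerable(store, user_id):
    """BOPLA (excessive data exposure): echoes the whole deleted object,
    so email and SSN leave the server in the DELETE response."""
    return store.pop(user_id, None)

def delete_user_hardened(store, user_id):
    """Same operation, but the response is projected onto the allowlist."""
    record = store.pop(user_id, None)
    return None if record is None else project(record)

def patch_user_vulnerable(store, user_id, body):
    """BOPLA (mass assignment): every property in the body is written,
    so a request carrying {"role": "admin"} silently changes role."""
    store[user_id].update(body)
    return store[user_id]

def patch_user_hardened(store, user_id, body):
    """Reject bodies that touch properties the client may not set."""
    disallowed = sorted(set(body) - CLIENT_WRITABLE_FIELDS)
    if disallowed:
        return 403, {"error": f"client may not set {disallowed}"}
    store[user_id].update(body)
    return 200, project(store[user_id])

def leaked_properties(response):
    """Audit helper: sensitive properties that escaped in a response."""
    return sorted(set(response) - RESPONSE_FIELDS)
```

The same projection and writable-field checks belong in a DAST or contract test: compare every response and accepted body against the documented property allowlists rather than only against object IDs.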
Mitigation
With this information, the need is clear for stronger development and protection of the code we deploy. As tech stacks evolve, so do the threats. Every team should regularly assess their security posture, but there are three areas developers should focus on right now.
First, make sure your API security plan is solid — this means knowing what APIs you have (discovery), keeping an eye on them (monitoring), evaluating them regularly, putting runtime protections in place, and training your team on the OWASP API Top 10 and MITRE ATT&CK framework.
Next, think about how to prevent and detect API abuse from bots and malware focused on fraud.
Finally, as we look to the future, start thinking about how attackers are using AI and LLMs to generate dynamic and integrated attacks.
Industry News
CodeRabbit is now available on the Visual Studio Code editor.
The integration brings CodeRabbit’s AI code reviews directly into Cursor, Windsurf, and VS Code at the earliest stages of software development—inside the code editor itself—at no cost to the developers.
Chainguard announced Chainguard Libraries for Python, an index of malware-resistant Python dependencies built securely from source on SLSA L2 infrastructure.
Sysdig announced the donation of Stratoshark, the company’s open source cloud forensics tool, to the Wireshark Foundation.
Pegasystems unveiled Pega Predictable AI™ Agents that give enterprises extraordinary control and visibility as they design and deploy AI-optimized processes.
Kong announced the introduction of the Kong Event Gateway as a part of their unified API platform.
Azul and Moderne announced a technical partnership to help Java development teams identify, remove and refactor unused and dead code to improve productivity and dramatically accelerate modernization initiatives.
Parasoft has added Agentic AI capabilities to SOAtest, featuring API test planning and creation.
Zerve unveiled a multi-agent system engineered specifically for enterprise-grade data and AI development.
LambdaTest, a unified agentic AI and cloud engineering platform, has announced its partnership with MacStadium, the industry-leading private Mac cloud provider enabling enterprise macOS workloads, to accelerate its AI-native software testing by leveraging Apple Silicon.
Tricentis announced a new capability that injects Tricentis’ AI-driven testing intelligence into SAP’s integrated toolchain, part of RISE with SAP methodology.
Zencoder announced the launch of Zen Agents, delivering two innovations that transform AI-assisted development: a platform enabling teams to create and share custom agents organization-wide, and an open-source marketplace for community-contributed agents.
AWS announced the preview of the Amazon Q Developer integration in GitHub.
The OpenSearch Software Foundation, the vendor-neutral home for the OpenSearch Project, announced the general availability of OpenSearch 3.0.