US companies face a combined $12 billion to $23 billion in losses in 2022 from compromises linked to Web application programming interfaces (APIs), which have proliferated with the increased adoption of cloud services and DevOps-style development methodologies, according to an analysis of breach data.
In the last decade, API security has grown to become a significant cybersecurity issue. Acknowledging this, the Open Web Application Security Project (OWASP) released a top-10 list of API security issues in 2019, flagging major API weaknesses — such as broken object-level authorization, weak user authentication, and excessive data exposure — as critical issues for software makers and companies that rely on cloud services.
According to the Quantifying the Cost of API Insecurity report, out this week from application-security firm Imperva and risk-strategy firm Marsh McLennan, security issues will likely only grow as APIs continue to become a common pattern for cloud and mobile infrastructure.
"The growing security risks associated with APIs correlate with the proliferation of APIs," says Lebin Cheng, vice president of API security for Imperva. "The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs."
Interestingly, the business losses have less to do with API-specific issues, the analysis found. Rather, breach recovery and interruption of operations account for the majority of the cyber-losses. Only a small subset of companies in any country suffered losses directly linked to API vulnerabilities, the report found.
API Losses Vary by Business Segment
The Marsh McLennan data comes from reported breaches, which represent a subset of all businesses. Drilling down into the data, the report found, brings out important differences in impact.
For instance, certain kinds of companies (larger firms in IT and professional services, for example) are much more likely to face API-related security incidents than others (smaller companies, say, in the finance sector).
"The $12 billion is not distributed over millions of companies," a Marsh McLennan spokesperson said. "The number of breached companies, especially due to API insecurity, is considerably lower."
Small firms face the highest absolute number of API security events, with most incidents affecting companies with less than $50 million in revenue. Yet API-related incidents only accounted for about 5% of their overall number of security incidents. Conversely, large companies with more than $50 billion in revenue are at a much higher risk of breaches related to APIs, with at least 20% of their security events involving APIs.
To some extent, the increased risk for large companies is due to the growth in the attack surface area caused by APIs, but larger companies are also more attractive targets, says Imperva's Cheng.
"The proliferation of APIs, combined with the lack of visibility into these ecosystems, creates opportunities for massive, and costly, data leakage," he says. "These are issues that scale with an organization's size. Larger organizations have more APIs in production, and limited visibility leaves a larger number of APIs vulnerable. This makes enterprises an attractive target."
Similarly, firms in Asia had slightly more than 100 combined API security events, and US companies had more than 600 API security events. The sheer number of reported security events overall in the United States resulted in API incidents accounting for a much lower share of the pie — about 5% compared to more than 15% for Asia.
How to Cope With API Security Concerns
Unlike other types of application vulnerabilities, API security weaknesses are typically exploited through authorization, authentication, or business logic flaws. Exploitation of APIs often results in access to data or the ability to bypass an authorization check, says Cheng.
To prevent this, companies need to gain visibility into how they are using APIs and create a complete inventory of the API traffic in their network, he says.
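The two points above, an authorization check at the object level and an inventory of observed API traffic, as an added example that is not part of the report or of Imperva's products. The handlers, tokens, record store, gateway log format, and endpoint names are all constructed for illustration; a real deployment would draw tokens from an identity provider and logs from its API gateway.

```python
"""Added example: object-level authorization (OWASP API1) and an API-traffic
inventory run over constructed gateway log lines. All data is hypothetical."""
from collections import Counter
import re

# Constructed data: valid API tokens mapped to their user, and records with an owner.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
}


class Forbidden(Exception):
    """Raised when an authenticated caller asks for an object it does not own."""


def get_record_vulnerable(token, record_id):
    """Authenticates the caller but never checks object ownership: any valid
    token can read any record by guessing its id (broken object-level authz)."""
    if token not in TOKENS:
        raise PermissionError("invalid token")
    return RECORDS[record_id]["body"]


def get_record_secure(token, record_id):
    """Same endpoint with an ownership check after authentication."""
    user = TOKENS.get(token)
    if user is None:
        raise PermissionError("invalid token")
    record = RECORDS.get(record_id)
    # Same response for "missing" and "not yours" so ids cannot be enumerated.
    if record is None or record["owner"] != user:
        raise Forbidden("not allowed")
    return record["body"]


def secure_denies(token, record_id):
    """True if the hardened handler refuses the request."""
    try:
        get_record_secure(token, record_id)
    except (Forbidden, PermissionError):
        return True
    return False


# Constructed gateway log lines (format assumed): method path user token status
LOG_LINES = [
    "GET /v1/records/101 user=alice token=tok-alice status=200",
    "GET /v1/records/102 user=alice token=tok-alice status=200",
    "GET /v1/records/102 user=bob token=tok-bob status=200",
    "POST /v1/export user=bob token=tok-bob status=200",
    "GET /internal/debug/dump user=alice token=tok-alice status=200",
]

# The documented schema; anything observed outside it is a "shadow" endpoint.
DOCUMENTED = {"GET /v1/records/{id}", "POST /v1/export"}

LINE_RE = re.compile(
    r"^(?P<method>\S+) (?P<path>\S+) user=(?P<user>\S+) token=\S+ status=(?P<status>\d+)$"
)


def normalize(method, path):
    """Collapse numeric path segments so /v1/records/101 becomes /v1/records/{id}."""
    generic = re.sub(r"/\d+", "/{id}", path)
    return method + " " + generic


def inventory(lines, documented):
    """Return (per-endpoint request counts, endpoints seen in traffic but not in the schema)."""
    seen = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[normalize(m["method"], m["path"])] += 1
    shadow = sorted(set(seen) - documented)
    return seen, shadow


def cross_owner_reads(lines, records):
    """Flag successful record reads where the authenticated user is not the owner,
    the traffic pattern a BOLA abuse with a valid token leaves behind."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        id_match = re.match(r"/v1/records/(\d+)$", m["path"])
        if not id_match:
            continue
        rec = records.get(int(id_match.group(1)))
        if rec and rec["owner"] != m["user"]:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(get_record_vulnerable("tok-alice", 102))  # bob's data leaks to alice
    print(secure_denies("tok-alice", 102))           # True
    print(inventory(LOG_LINES, DOCUMENTED))
    print(cross_owner_reads(LOG_LINES, RECORDS))
```

The inventory pass is what turns raw gateway logs into the "complete inventory of API traffic" the article calls for: every endpoint that appears in traffic but not in the documented schema is a candidate shadow API, and a cross-owner read that returned 200 is a concrete signal that an object-level check is missing.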
"API-related security incidents are sophisticated attacks that use a valid API token to exploit a vulnerability in the business logic to access the data layer," Cheng says. "Without the right visibility into the API schema, or the changes being made to the schema, organizations are often unaware if an API is compromised or what data is exfiltrated through the compromised API."
API attacks generally form the initial access vector for a larger campaign, so while the initial intrusion may seem non-critical, the end result could be a widespread compromise, Cheng says.
"API abuse is often part of a larger campaign that involves online fraud, like account takeover or automated scraping," he says. "Organizations need protection from a range of attacks that a criminal may use to abuse the API and get to the underlying data. If the organization is only focused on protecting the API endpoint, they're overlooking attacks on the application and/or business logic."