What lies ahead for API security in 2023?

API Abuses and Related Data Breaches

Gartner has said that API attacks would be the most common attack vector in 2022, resulting in data breaches for enterprise web applications. Gartner also predicts that by 2024, API abuses and related data breaches will double.  

For 2023, we don’t see any reason to doubt that APIs will continue to be a top target for attackers, resulting in theft, fraud, and business disruptions. The recent Optus Telecom API security incident shows the new levels of analysis attackers are performing to understand how each API works, how they interact with each other, and what the expected outcome is. In another example of abusing the trust established by the API-host-to-user relationship, a local inventory search function used to enable Ulta Beauty customers to find and buy products nearby was hit by an attack that was 700 times larger than the average load. 

Demand for API Protection Solutions

Demand for API protection solution that works across the entire API protection lifecycle, protecting all APIs, across all API implementations, channels, and infrastructure environments, and all user groups and business use cases will increase. Recent reports support this notion, observing that with the rising incidence of malicious attacks on APIs, the demand for API security solutions will grow at a compound annual growth rate (CAGR) of 26.3% between 2022 and 2032, totaling around $10B in revenue by 2032.

Talent Shortage

Stretched IT security teams will continue to have insufficient time on their side to uncover API vulnerabilities. Adding insult to injury, many security teams are put in a difficult situation of protecting their attack surface with constrained resources while dealing with the ongoing talent shortage. And attackers are sophisticated and relentless using advanced tools, such as artificial intelligence, machine learning, and automation. We predict they will increasingly be able to expedite—from weeks to days or hours—the end-to-end attack life cycle, from reconnaissance through to exploitation. 

OWASP API Security Threats

We’ll see continued security incidents and data breaches highlighting how attackers are leveraging Open Web Application Security Project (OWASP) categorised security gaps to execute their attacks. The techniques observed in these incidents mimic those outlined in the API Protection Report where attackers are actively mixing and matching the OWASP API security categorised threats to bypass common security controls. 

In the year ahead, we will see attackers evolve to use the unholy trinity of OWASP identified API security gaps. This combination will continue to involve three different tactics – Broken User Authentication (API2), Excessive Data Exposure (API3) and Improper Assets Management (API9) – to bypass common security controls and achieve their end goal. The increased combination of these three threats indicates that attackers will be performing new levels of analysis to understand how each API works – including how they interact with one another and what the expected result will be. 

Shadow APIs

Shadow APIs will continue to be the top threat challenging the industry. Attacks on shadow APIs are effective because they exploit innocuous mistakes in development and asset management control. These mistakes are frequently abused by bots, who rely on the lack of API visibility among the defenders. New research by the Cequence CQ Prime Threat Research team reported that 31%, or 5 billion malicious transactions observed in the first half of 2022 targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs.  

Consolidation of API Security Tool Vendors

Further consolidation of API security tool vendors is also expected in 2023. As we have seen of late, in attempts to offer end-to-end application protection, web application firewall (WAF) vendors have been acquiring bot management companies. Examples of this activity include Imperva and Distil Networks, and F5 and Shape. Now their customers are looking to protect APIs with point products from a set of API security vendors, leading to vendor fatigue and alert fatigue. 

As we shift from an investment environment that rewarded “growth at any cost” to “sustainable growth towards profitability”, numerous API security startups are going to find themselves with little option but to be acquired. Enterprises still struggling with acute talent shortage, despite the deadlines of tech layoffs recently, will look for vendors providing a complete, comprehensive platform or solution to today’s growing application and API security challenges. 

Enterprise API security needs will only be met by a solution that covers the entire API protection lifecycle which involves achieving visibility into all APIs, including public-facing, internal and unmanaged, and the mitigation of API vulnerabilities, ensuring API compliance, and the detection and prevention of attacks on APIs.

Regulatory Scrutiny of API Security

With the increasing number of high-profile breaches, there will be increased regulatory scrutiny of API security, resulting in more government regulations and industry certification requirements. For example, if a business uses APIs that carry any information regarding payment cards, that business and its technical partners must support those APIs to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). In 2022, the PCI DSS was updated to add more information and direction around the requirements to develop and maintain secure systems and software.  

In Australia, recent data breaches have put a spotlight on API vulnerabilities, possibly driving the Australian Cyber Security Centre (ACSC) to add them to its influential Information Security Manual (ISM). The latest edition of the ISM adds a new control “to ensure clients are authenticated when calling web application programming interfaces that facilitate access to data not authorised for release into the public domain.” 

Targeting Telecom

In the light of data breaches in the telecommunications sector, threat actors will seek to build on this momentum to exploit providers that lack visibility into APIs due to their many sub-companies and partners. As telecom companies adopt new technologies, and associated use of APIs, the potential for data breaches in these businesses will increase, impacting millions of users and resulting in theft, fraud, and disruption. 

The Good News

While some of these predictions may seem dire or overwhelming and risk overloading already stretched IT security teams, there is good news. API protection solutions are available that can help to protect APIs across their entire lifecycle, leveraging a collaborative effort that includes developers, application owners and the security team to accomplish the following. When selecting a solution, the business should look for the provision of:

• Outside-in discovery: To gain an understanding of its public-facing API footprint and to see what an attacker would see. 

• Inside-out inventory: Complements the external view of the APIs and related resources with a comprehensive inside-out API inventory, including all existing APIs and connections. 

• Compliance monitoring: Continually analyses existing and new APIs to keep them in compliance with specifications such as the OpenAPI specification and ensures high API coding quality, consistency, and governance. 

• Threat detection: Even perfectly coded APIs can be attacked, so it’s critical to continuously scanning the entire API inventory for threats, including subtle business logic abuses and malicious activity that has not yet been observed. 

• Threat prevention: It’s critical to be able to respond quickly and natively with countermeasures such as alerts, real-time blocking and even deception, without the need for added third-party data security tools. 

• Ongoing API testing: Integration of API protection into development to complement API security efforts defined by shift left efforts within the organisation, thereby preventing risky code from going live. 

Ameya Talwalkar

Over the last 10 years, Ameya Talwalkar has built strong engineering teams specializing in enterprise and consumer security in Silicon Valley, Los Angeles, Madrid, Pune, and Chengdu. Before co-founding Cequence Security, he was Director of Engineering at Symantec, where he was responsible for its anti-malware software stack that leverages network Intrusion prevention and behaviour and reputation technologies, and anti-virus engines. Under his leadership, Symantec developed an advanced version of network intrusion prevention technology that blocks more than two billion threats a year. Ameya holds a Bachelor of Engineering in Electrical Engineering from the University of Mumbai’s Sardar Patel College of Engineering (SPCE).

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...