API vulnerabilities - a 'high stakes game'

Latest Akamai Security Research examines global API security landscape; reveals 2020-2021 attack traffic trends.

Akamai Technologies has released new research into the evolving threat landscape for application programming interfaces (APIs), which according to Gartner will be the most frequent online attack vector by 2022. The report, ‘API: The Attack Surface That Connects Us All,’ is the latest from Akamai’s State of the Internet / Security report series. The new report also features a collaboration between Akamai and Veracode researchers, including a guest essay written by Chris Eng, Chief Research Officer at Veracode.

APIs are inherently designed to be fast and easy pipelines between different platforms. While this priority on convenience and user experience leads APIs to be highly essential to many businesses, it also makes them appealing targets for cybercriminals. Akamai’s report highlights the frustrating patterns of API vulnerabilities, despite the improvements that have been made in Software Development Life Cycles (SDLCs) and testing tools. Often, API security is relegated to an afterthought in the rush to bring them to market, with many organizations relying on traditional network security solutions that are not designed to protect the wide attack surface that APIs can introduce.

“From broken authentication and injection flaws, to simple misconfigurations, there are numerous API security concerns for anyone building an internet-connected application,” said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report. “API attacks are both underdetected and underreported when detected. While DDoS attacks and ransomware are both major issues, attacks on APIs don’t receive the same level of attention, in large part because criminals use APIs in ways that lack the splash of a well-executed ransomware attack, but that doesn’t mean they should be ignored.”

It’s not always clear where API vulnerabilities live. For example, APIs are often hidden within mobile apps, leading to the belief that they are immune to manipulation. Developers make the assumption that users will only interact with the APIs via the mobile user interface (UI), but, as noted in this report, that’s not the case.

Chris Eng, Chief Research Officer at Veracode stated, “Compare the OWASP Top 10 to the OWASP API Security Top 10. The latter purports to address the ‘unique vulnerabilities and security risks’ of APIs, but look closely and you’ll see all of the same web vulnerabilities, in a slightly different order, described with slightly different words. To add more fuel to the fire, API calls are easier and faster to automate (by design!) — a double-edged sword that benefits developers as well as attackers.”

Spikes in Attack Traffic Point to Continued API Vulnerabilities

Also detailed in the report, Akamai reviewed 18 months of attack traffic between January 2020 and June 2021, finding more than 11 billion total attempted attacks. With 6.2 billion attempts on record, SQL Injection (SQLi) remains at the top of the web attack trending list, followed by Local File Inclusion (LFI) with 3.3 billion, and Cross-Site Scripting (XSS) with 1.019 billion.

While difficult to pinpoint the above attacks in terms of the percentage of purely API attacks, the Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software, recently released an API Security Top 10 list, which largely mirrored Akamai findings.

Additional report highlights include:

● Credential stuffing attacks tracked across the 18 months between January 2020 and June 2021 remained steady, with single day peaks of over 1 billion attacks recorded in January 2021 and May 2021.

● The U.S. was the top target for web application attacks during this observed period, with nearly six times the amount of traffic than England, which ranked second.

o The U.S. was also in the top spot on the source list for attacks, taking first place away from Russia, with almost four times the amount of traffic.

● DDoS traffic has remained consistent in 2021 so far, with peaks recorded earlier in Q1 2021. In January 2021, Akamai recorded 190 DDoS events in a single day, followed by 183 in March.

Industry leaders intend to redefine the transportation landscape with a continuous functional-safety certified, Linux-based in-vehicle operating system.
Red Hat’s open hybrid cloud technologies help DWP eliminate silos, improve efficiency and drive IT automation, resulting in new cloud-native services delivered more quickly to end users.
Research commissioned by Lenovo reveals CIOs are more involved than ever before in areas outside their traditional technology purview, such as business model transformation, corporate strategy, and sustainability.
Global technology provider Arrow Electronics has signed a pan-European agreement with DevOps and hybrid cloud specialist Cycloid, adding its entire portfolio to ArrowSphere, Arrow‘s cloud management platform.
Anypoint Code Builder helps developers manage disparate systems with minimal configuration and rich code-editing features.
VMware has launched ‘The State of Kubernetes 2022’ report, revealing that Kubernetes has now entered the mainstream, with 99% of respondents saying they have realised benefits from deploying the technology. Developers are also taking advantage of multi-cloud strategies, with two-thirds now running Kubernetes in multiple clouds.
MontaVista Software, in partnership with Foundries.io, announces MVEdge, a 'groundbreaking' solution focusing on the Intelligent Edge - providing a ready-to-deploy embedded Linux operating system with state-of-the-art security and software update technologies, coupled with commercial grade support and maintenance options.
Partnership leverages low-code to accelerate hyper-automation, time-to-market, infrastructure modernization, and improve processes in manufacturing, retail, public sector, telecommunications and financial services.