Most organizations use application programming interfaces (APIs) in some fashion, and criminals have noticed that and turned APIs into a popular attack vector. That’s the finding of the latest State of the Internet report from security researchers at Akamai.
APIs are inherently designed to be fast and easy pipelines between different platforms. While this priority on convenience and user experience leads APIs to be highly essential to many businesses, it also makes them appealing targets for cybercriminals, the report said. And it’s a mistake to assume that APIs are safe.
Akamai threat researchers highlighted the frustrating patterns of API vulnerabilities, despite the improvements that have been made in Software Development Life Cycles (SDLCs) and testing tools. Often, API security is relegated to an afterthought in the rush to bring them to market, with many organizations relying on traditional network security solutions that are not designed to protect the wide attack surface that APIs can introduce, said Steve Ragan, Akamai security researcher and report author, in an interview with VentureBeat.
Above: The stats aren’t pretty on API attacks.
Image Credit: Akamai
“The core of this is about API vulnerabilities,” said Ragan. “It’s not just the applications that are calling on APIs themselves. But sometimes, the backend API connections and configurations si where we’re seeing these vulnerabilities. They are starting to mirror a lot of the vulnerabilities we saw years ago, with web applications as a whole.”
He added, “It’s almost like history repeating itself. And in a lot of cases, the vulnerabilities go from extremely complex, like SQL injection and things like that, to basic ones like hard-coded credentials and secret keys into the application code itself.”
The report reinforces research firm Gartner’s view that APIs will be the most frequent online attack vector by 2022.
Spring Boot
Above: Spring Boot — yikes.
Image Credit: Akamai
Spring Boot is a popular API-dependent framework for building web applications. Of 5,000 Spring Boot web applications tested, Akamai founded that 100% of the applications had at least one vulnerability.
“Spring Boot, is used by a lot of developers to quickly develop applications that leverage APIs and get them pushed out,” Ragan. “We looked at 5,000 Spring Boot applications. And what we found, working with Veracode, was that all of those applications — every one of them had at least one vulnerability. And when we started breaking down what types of vulnerabilities, we found what was pretty common.”
About 86% of the vulnerabilities could allow attackers to forge log data or inject malicious content into data. And 68% incorrectly released resources before they were made available for reuse. About 47% had hard-coded passwords.
Previously, Akamai has noted that API calls represent 83 percent of web traffic, the majority of the API traffic being for custom applications, which is the result of digital transformations and cloud-based application deployment.
For this report, Akamai reviewed 18 months of attack traffic between January 2020 and June 2021, finding more than 11 billion total attempted attacks. With 6.2 billion attempts on record, SQL Injection (SQLi) remains at the top of the web attack trending list, followed by Local File Inclusion (LFI) with 3.3 billion, and Cross-Site Scripting (XSS) with 1.019 billion.
About 88.7% of web attacks use the common API vulnerabilities SQLi and LFI.
It’s not always clear where API vulnerabilities live. For example, APIs are often hidden within mobile apps, leading to the belief that they are immune to manipulation. Developers make the assumption that users will only interact with the APIs via the mobile user interface (UI), but, as noted in this report, that’s not the case.
Chris Eng, chief research officer at Veracode, said in a statement, “Compare the Open Web Application Security Project (OWASP) Top 10 to the OWASP API Security Top 10. The latter purports to address the ‘unique vulnerabilities and security risks’ of APIs, but look closely and you’ll see all of the same web vulnerabilities, in a slightly different order, described with slightly different words. To add more fuel to the fire, API calls are easier and faster to automate (by design!) — a double-edged sword that benefits developers as well as attackers.”
Spikes in attack traffic point to API vulnerabilities
Above: Steps to deal with API attacks.
Image Credit: Akamai
While difficult to pinpoint the attacks in terms of the percentage of purely API attacks, the Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software, recently released an API Security Top 10 list, which largely mirrored
Akamai findings.
Ragan noted that there were spikes in attacks in January and May, though it wasn’t clear why.
The report found:
- Credential stuffing attacks tracked across the 18 months between January 2020 and June 2021 remained steady, with single day peaks of over 1 billion attacks recorded in January 2021 and May 2021.
- The U.S. was the top target for web application attacks during this observed period, with nearly six times the amount of traffic than England, which ranked second.
- The U.S. was also in the top spot on the source list for attacks, taking first place away from Russia, with almost four times the amount of traffic.
- Distributed denial of service (DDoS) traffic has remained consistent in 2021 so far, with peaks recorded earlier in Q1 2021. In January 2021, Akamai recorded 190 DDoS events in a single day, followed by 183 in March.
“When it comes to APIs, and we’re talking about not just the backend connectors, you have to look at the apps and everything that goes into them,” he said. “When you consider the fact that it’s such a wide space, there are numerous concerns for any type of internet connected application to deal with. In my opinion, API attacks are unprotected and they’re underreported. You see headlines about DDoS attacks and ransomware, or the latest malware kit that’s out there. But APIs are being targeted, they’re being attacked, and you can’t ignore them.”
Cambridge, Massachusetts-based Akamai came up with five recommendations for fixing the problem. The first was identify APIs and track them as you would invesntory. The second was test APIs and understand what vulnerabilities exist within them. Then it said to leveragte current enterprise security, in addition to specialized API tools. And you should favor blanked API policies that can be reused. Finally, involve multiple stakeholders in API reviews.
“It’s not an end-all, be-all type of solution,” Ragan said. “It’s not going to solve every problem. But it absolutely is a good handy list of recommendations that people can follow.”
The problem with APIs is they get to one of the tradeoffs about security. APIs make life convenient for companies that partner with each other. But making them more secure could run the risk of slowing everything down.
“You have to remember that part of the balance of security is making it so security doesn’t get in the way of business,” Ragan said. “Not all vulnerabilities are equal. And therefore, you have to make sure that security is balanced so you’re not cutting off access to the information or services that customers need.”
VentureBeat
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more
