API attacks: 95% of companies are affected!

As technology evolves, exposure to risk is ever more extensive. Whether we think of the extension of telework, migrations to the cloud or new approaches to development in containers, each evolution brings its procession of problems linked to erroneous configurations.

95% of companies experienced an attack via an API in 2021. This figure, taken from our half-yearly study, is all the more worrying given that the number of attacks has increased by 681% for a 321% increase in the overall volume of calls from Apis. Faced with the increase in this threat, many companies are struggling to deploy an API security strategy.

Do you remember the attacks launched against Microsoft Exchange Server by Hafnium, piloted by China, or even Experian with the theft of credit score and information from 700 million profiles on Linkedin, the hijacking of the automation of the machines of John Deer? The list of API attacks is endless. In fact, this type of hacking is a constant in the world of hacking. Designed to share data and services, these interfaces and their vulnerabilities are ideal prey for hackers — for example, we find vulnerabilities in 80% of the tests we perform. Whether it’s login, denial of service or other attacks, the API is a perfect gateway to harm a company. The objectives of these misappropriations are numerous: theft of data, access to resources, paralysis of the IS, theft of accounts, etc.

As technology evolves, exposure to risk is ever more extensive. Whether we think of the extension of telework, migrations to the cloud or even new approaches to the development of applications in containers, each evolution brings its procession of new problems linked to erroneous configurations. The extension of micro-service architecture based on APIs also increases the risk and requires new approaches to security.

APIs: a risk underestimated by the majority of companies

In fact, the results of our latest study, “State of API Security”, carried out among 250 companies still reveal an under-evaluation of these risks or a lack of proactive protection, lack of means, skills, or strategy. .

Remember: 95% of companies have experienced an attack in the last twelve months. Faced with these risks, more than a third of the responding companies declare that they have no deployed API security strategy, 27% a basic strategy, 29% intermediate with some tests and only 11% have implemented recurring tests and a protections dedicated to APIs.

This weakness in the implementation of security measures is justified by a lack of expertise for 22% of respondents, budgetary constraints for 20% and finally sufficient time and human resources for 13% each. Similarly, on the API development and management strategy, 22% of companies note that their API program suffered from underinvestment in pre-production and 18% that they did not approach it in the right way. execution and production safety. In this context, security during development is often set back and left to execution, in other words a posteriori, with the paradox that 85% of respondents deplore a lack of effective tools to stop attacks.

Countering API attacks: how to do it?

The majority of respondents are aware that the status quo is not sustainable in the face of the risks, but lack ideas for implementing an effective strategy. When asked about the most important feature of a security platform, everyone cites the ability to stop attacks. A logical answer. The greatest risk is related to an attack in progress with the objective of exfiltrating data or taking control of accounts. To counter this risk, companies rely in part on their WAF (Web Application Firewall). But the WAF architecture is too restricted to block attacks on APIs. Indeed, based on a set of rules relating to the only known attacks and incapable of correlating the traffic over time, these elements put stealth intrusion detection out of their reach. In fact, deploying a real API security policy requires a much more upstream method.

This method is based on an initial risk assessment. It is necessary to develop an approach covering the entire API lifecycle by deploying testing, analysis and fuzzing during the development phase. To do this, it is necessary to use platforms capable of launching API attacks in test environments to assess vulnerabilities.

Leverage big data and machine learning in the cloud

To ensure these test phases, a large volume of API traffic data must be used to identify the context conducive to API attacks. Attacks take place over days, weeks or months. In fact, enterprises need cloud-scale big data processing to have sufficient reach to detect API attacks. A detection that will be done using artificial intelligence to discern normal flow from attack flow.

Finally, it is important to run APIs to expose and detect their vulnerabilities rather than speculating on securing by developers, even if we note in the study an increase in exchanges between security teams and developers on securing APIs.

Faced with the inflation of API attacks, and in view of the results of our study and research, it is essential for companies to take the risk associated with these interfaces seriously. At a time when cybersecurity is a crucial issue for companies and states, APIs are the main weak point of information systems. Our study shows that awareness is still well below the real risks incurred by companies. The status quo is not sustainable.

We wish to give thanks to the writer of this write-up for this awesome material

API attacks: 95% of companies are affected!

You can find our social media profiles and other pages that are related to them.https://www.ai-magazine.com/related-pages/