Why Your APIs Aren’t Safe — and What to Do about It

Given the vulnerability of so many systems, it’s not surprising that cyberattacks on applications and APIs increased 82% in 2022 compared to the previous year, according to a report released this year by Imperva’s global threat researchers.
What might rattle even the most experienced technologists is the sheer scale of those attacks. Digging into the data, Imperva, an application and data security company, found that the largest layer seven, distributed denial of service (DDoS) attack it mitigated during 2022 involved — you might want to sit down for this — more than 3.9 million API requests per second.
“Most developers, when they think about their APIs, they’re usually dealing with traffic that’s maybe 1,000 requests per second, not too much more than that. Twenty thousand, for a larger API,” said Peter Klimek, director of technology at Imperva, in this episode of The New Stack Makers podcast. “So, to get to 3.9 million, it’s really staggering.”
Klimek spoke to Heather Joslyn of TNS about the special challenges of APIs and cybersecurity and steps organizations can take to keep their APIs safe.
The episode was sponsored by Imperva.
The Perils of Shadow APIs
One of the biggest threats to any organization’s critical applications and data is something it doesn’t know about: “Shadow APIs,” endpoints that go undocumented — and therefore, unsecured.
For instance, 30% of all API traffic goes to shadow APIs, an 89% increase since 2021, according to Imperva’s data.
“It’s not uncommon for an organization to have over 1,000 different API endpoints,” Klimek said. “And ultimately, many of these APIs themselves tend to be very poorly documented, especially for dealing with lots of legacy APIs. “
There are several reasons for the surge in attacks on APIs, he said. For starters, there are just lots of APIs, creating a bigger attack surface, and many are falling through the cracks.
Another reason for the rise in cyberattacks that target APIs, Klimek said, is that they’re akin to SQL interfaces making querying data easy, yet expose their logic publicly “so you can effectively manage and work with it.”
This makes an API an attractive target for bad actors, he added: “The fact that it’s machine readable by nature, also makes it much easier for not only developers to parse, but also for attackers.”
Mitigating API Risk
To protect APIs and prevent your endpoints from becoming entry points for hackers, Klimek recommended a number of steps. Among them: Identifying and documenting all shadow APIs, especially legacy endpoints that are no longer needed.
“You can’t protect what you don’t know exists,” he told the Makers audience. This should include an understanding of each API’s request and response payloads.
Another means of protecting APIs is to pool the knowledge of security teams — who understand the threat landscape but probably not the business logic of their organization’s APIs — and developers, for whom the opposite is true.
“For developers, the bigger challenge is a matter of education and understanding what are the attack vectors that are regularly being used by attackers that are targeting your APIs in particular,” Klimek said.
Check out the full episode to hear Klimek elaborate in greater detail on the defenses teams should implement, including operational changes, to protect their APIs.