Will APIs be the gateway to effective cyber attacks in 2021?

Published: Thursday, 21 January 2021 09:47

Radware has released its 2020-2021 State of Web Application Security Report, which includes the prediction that Application Programming Interfaces (APIs) will be the next big threat to cyber security. The report says that global organizations are struggling to maintain consistent application security across multiple platforms, and are losing visibility as new architectures emerge and APIs are adopted. A major factor in these challenges was the need to adjust rapidly to the new remote working and customer engagement model that resulted from the pandemic, leaving decision makers little or no time to conduct adequate security planning.

According to Michael Osterman of Osterman Research, which conducted the research for the report with Radware, risks are running higher than ever before: “With 2020’s rapid cloud migration, we were surprised to see the pervasiveness across organizations of dangerous levels of insecurity in mobile and cloud-based apps, as well as APIs.” 

“With more than 70 percent of respondents reporting that their production apps have already left the data center, ensuring the security and integrity of these data and applications is becoming more challenging, particularly in multi-cloud environments,” said Gabi Malka, Chief Operating Officer for Radware. “This migration, in combination with an increased reliance on APIs and the addition of unsecured mobile apps, has been a boon to criminals, putting them ahead of the cyber security curve. While respondents who have already moved to the public cloud and have several apps exposed to APIs seem to understand the risks, there is still a worrying level of complacency.” 

Specific findings in the report include: 

APIs are the next big threat 
Nearly 40 percent of organizations surveyed reported that more than one-half of their applications are exposed to the Internet or third-party services via APIs. Some 55 percent of organizations experience a DoS attack against their APIs at least monthly, 49 percent experience some form of injection attack at least monthly, and 42 percent experience an element/attribute manipulation at least monthly. Radware expects this to be the attack vector hackers use the most in 2021. 
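The two API attack classes the survey counts most often, injection and element/attribute manipulation, are easy to picture against a JSON "update profile" endpoint. The following is an added example written for this page, not code from Radware or from the report; the users table, the handler names, the allowlist and the two request bodies are all assumptions made for the illustration. The vulnerable handler maps every JSON key to a column and formats values straight into SQL; the hardened one allowlists field names and binds values as parameters.

```python
"""Added example (not from the Radware report): attribute manipulation and
injection shown against a vulnerable JSON "update profile" handler and a
hardened one. The users table, handler names and request bodies are
assumptions made for this illustration."""
from __future__ import annotations

import sqlite3

# Fields a caller may change through the profile endpoint (assumed policy).
ALLOWED_FIELDS = {"display_name", "email"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the real user store."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT, email TEXT, role TEXT)"
    )
    db.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.com', 'user')")
    db.commit()
    return db


def get_user(db: sqlite3.Connection, user_id: int) -> dict[str, str]:
    row = db.execute(
        "SELECT display_name, email, role FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return {"display_name": row[0], "email": row[1], "role": row[2]}


def update_profile_vulnerable(db, user_id: int, body: dict) -> None:
    """Maps every JSON key to a column and formats values into the SQL.
    Attribute manipulation ({"role": "admin"}) and injection (a quote in a
    value) both reach the database unchanged."""
    assignments = ", ".join(f"{key} = '{value}'" for key, value in body.items())
    db.execute(f"UPDATE users SET {assignments} WHERE id = {int(user_id)}")
    db.commit()


def update_profile_hardened(db, user_id: int, body: dict) -> None:
    """Rejects any field outside the allowlist, so column names in the SQL
    come only from ALLOWED_FIELDS, and binds values as parameters so their
    content can never change the statement."""
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"rejected fields: {sorted(unknown)}")
    columns = sorted(body)  # every name is known to be a safe identifier
    sql = "UPDATE users SET " + ", ".join(f"{c} = ?" for c in columns) + " WHERE id = ?"
    db.execute(sql, [body[c] for c in columns] + [user_id])
    db.commit()


def demo() -> dict[str, str]:
    """Runs both constructed hostile requests against both handlers."""
    # Attribute manipulation: the client adds a field the endpoint never exposed.
    manipulated = {"display_name": "alice", "role": "admin"}
    # Injection: a legitimate field carrying a payload that extends the SET list.
    injected = {"email": "x', role = 'admin"}
    results = {}

    db = make_db()
    update_profile_vulnerable(db, 1, manipulated)
    results["vuln_manipulation_role"] = get_user(db, 1)["role"]

    db = make_db()
    update_profile_vulnerable(db, 1, injected)
    results["vuln_injection_role"] = get_user(db, 1)["role"]

    db = make_db()
    try:
        update_profile_hardened(db, 1, manipulated)
        results["hard_manipulation"] = "accepted"
    except ValueError:
        results["hard_manipulation"] = "rejected"
    results["hard_manipulation_role"] = get_user(db, 1)["role"]

    db = make_db()
    update_profile_hardened(db, 1, injected)
    after = get_user(db, 1)
    results["hard_injection_role"] = after["role"]
    results["hard_injection_email"] = after["email"]  # payload stored as plain text
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both hostile requests escalate the account to admin against the vulnerable handler; the hardened handler rejects the extra attribute outright and stores the injection payload as an ordinary string. Note that column names cannot be bound as parameters, which is why the allowlist, not the parameter binding, is what keeps identifiers under the server's control.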

Mobile apps far less secure 
Only 36 percent of mobile apps have security fully integrated, and a large proportion (22 percent) have either minimal or no security. Radware expects to see hackers use mobile channels for more serious attacks. Closing the gap in mobile app security and protecting consumer data needs to be re-prioritised.

Enterprises unprepared for bot traffic 
Bot management is also a major concern because enterprises are not prepared to properly manage bot traffic. The report revealed that only 24 percent of organizations have a dedicated solution to distinguish between a real user and a bot. Moreover, only 39 percent of those surveyed have confidence in their understanding of what’s going on with sophisticated bad bots. 

DDoS attacks aren’t going away 
The most common bot attack is denial-of-service, which takes different shapes. Some 86 percent said they have experienced such an attack, with a third of them reporting weekly occurrences and 5 percent seeing them daily. Denial-of-service at the application layer frequently takes the form of HTTP/S floods: nearly 60 percent of organizations experience an HTTP flood at least once a month.
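An HTTP flood is visible in an ordinary access log as one source (or a small set of sources) issuing requests far faster than any human client. The following detector is an added example written for this page, not Radware's code or anything from the report: it counts requests per source IP in a sliding time window and reports every source that exceeds a threshold. The log lines are constructed for the illustration, and the 10-second window and 50-request threshold are assumed values, not figures from the survey.

```python
"""Added example (not part of the Radware report or any Radware product):
flag an application-layer HTTP flood by counting requests per source in a
sliding time window over access-log lines. The log lines are constructed
for this illustration and the window/threshold values are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def detect_floods(lines, window_seconds: int = 10, threshold: int = 50) -> dict[str, int]:
    """Sliding-window count per source IP. Lines are assumed to be in time
    order, as in a real access log. Returns {ip: peak requests seen in any
    window} for every IP that exceeded the threshold."""
    recent: dict[str, deque] = defaultdict(deque)
    peaks: dict[str, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        # Evict timestamps that fell out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def build_sample_log() -> list[str]:
    """Constructed log: two ordinary clients plus one source sending 120
    requests in six seconds, with a junk line mixed in."""
    base = datetime(2021, 1, 21, 9, 47, 0, tzinfo=timezone.utc)
    events = []
    for ip in ("203.0.113.10", "203.0.113.11"):
        for i in range(30):  # one request every two seconds for a minute
            events.append((base + timedelta(seconds=2 * i), ip, "GET /api/v1/items HTTP/1.1", 200))
    for i in range(120):  # 20 requests per second for six seconds
        events.append((base + timedelta(seconds=i // 20), "198.51.100.7", "POST /api/v1/login HTTP/1.1", 401))
    events.sort(key=lambda e: e[0])
    lines = [f'{ip} - - [{t.strftime(TS_FMT)}] "{req}" {status} 512' for t, ip, req, status in events]
    lines.insert(5, "garbage line that does not match the log format")
    return lines


def demo() -> dict[str, int]:
    return detect_floods(build_sample_log())


if __name__ == "__main__":
    for ip, peak in demo().items():
        print(f"{ip}: {peak} requests within a 10 s window")
```

The two ordinary clients never hold more than six requests in any window and are not reported; the flooding source peaks at 120. In production the same per-source counter is what a rate limiter or WAF applies at the edge, with the caveat that a distributed flood spreads its requests across many sources and needs per-path or per-session counting, or bot-classification signals, on top of per-IP rates.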
