Akamai finds that API vulnerabilities pose a high risk to companies and individuals worldwide

Publisher: EE小广播 | Latest update time: 2021-10-28 | Source: EEWORLD | Keywords: Akamai


Akamai's latest security research explores the state of global API security; reveals attack traffic trends from 2020 to 2021


SAN FRANCISCO, Oct. 28, 2021 /PRNewswire/ -- Akamai Technologies, Inc. (Akamai), the global provider of trusted solutions to protect and deliver digital experiences, today released new research analyzing the evolving threat landscape surrounding Application Programming Interfaces (APIs), which Gartner predicts will become the most frequently used online attack vector by 2022. The latest in Akamai's State of the Internet Security series, API: The Attack Surface That Connects Us All, features collaborative contributions from Akamai and Veracode researchers, including a guest article by Veracode Chief Research Officer Chris Eng.


APIs essentially act as a fast and easy conduit between different platforms. The importance of convenience and user experience has made APIs an essential tool for many businesses, but this also makes them an attractive target for cybercriminals. Akamai's report highlights devastating API vulnerability patterns, which remain grim despite improvements in the software development lifecycle (SDLC) and testing tools. When companies rush to launch APIs, API security is often not considered until after the fact, and many companies rely on traditional network security solutions that cannot adequately protect the broad attack surface APIs can introduce.


“Anyone building a connected application faces a myriad of API security issues, from compromised authentication and injection flaws to simple misconfigurations,” said Steve Ragan, security researcher at Akamai and author of the State of the Internet Security Report. “API attacks are not adequately detected by organizations, and when they are detected, they may go undetected. While DDoS attacks and ransomware are both significant concerns for organizations, API attacks do not receive the same level of attention, in large part because attacks launched by criminals using APIs do not generate the same level of buzz as a well-executed ransomware attack, but that does not mean they should be ignored.”


Organizations don’t always know where API vulnerabilities are located. For example, APIs are often hidden in mobile applications, leading to the perception that they cannot be manipulated by criminals. Developers assume that users will only interact with APIs through mobile user interfaces (UIs), but as this report shows, this is not the case.


“Compare the OWASP Top 10 to the OWASP API Security Top 10,” said Chris Eng, Chief Research Officer at Veracode. “The latter claims to capture the ‘unique vulnerabilities and security risks’ of APIs, but look closely and you’ll see the exact same web vulnerabilities are listed in a slightly different order and with slightly different wording. API calls are designed to be more efficient, making it easier and faster for users to automate calls – a double-edged sword that benefits both developers and attackers.”


Attack traffic surge suggests API vulnerabilities persist


The report also details that Akamai reviewed attack traffic between January 2020 and June 2021 (18 months) and found that the total number of attacks exceeded 11 billion. With 6.2 billion attacks recorded, SQL injection (SQLi) still ranks first among web attack trends, followed by local file inclusion (LFI) with 3.3 billion attacks and cross-site scripting (XSS) with 1.019 billion.


While it's difficult to determine what percentage of the attacks listed above are purely API attacks, the Open Web Application Security Project (OWASP), a nonprofit foundation dedicated to improving software security, recently published a list of the top 10 API security vulnerabilities that largely aligns with Akamai's findings.


Other report highlights include:


During the 18 months from January 2020 to June 2021, tracked credential stuffing attacks remained stable, with daily peaks of over 1 billion attacks recorded in January and May 2021.


During this observation period, the United States was the top target for web application attacks, experiencing nearly six times the attack traffic of the second-ranked United Kingdom.


The United States also topped the list of attack sources, taking the top spot from Russia and sending almost four times as much attack traffic.


DDoS traffic has remained stable so far in 2021, with peaks recorded early in the first quarter of 2021. In January 2021, Akamai recorded 190 DDoS events in a single day, followed by 183 in March.


To read Akamai’s 2021 report, “API: The Attack Surface That Connects Us All,” visit Akamai’s State of the Internet page.


For more information, to engage with Akamai threat researchers, and to gain insights into the evolving threat landscape from the Akamai Intelligent Edge Platform, security professionals can visit Akamai's Threat Research Hub.


About Akamai


Akamai powers and protects life online. The world's most innovative companies choose Akamai to secure and deliver their digital experiences - Akamai helps billions of people live, work and play every day. With the world's largest and most trusted edge platform, Akamai keeps apps, code and experiences closer to users and threats farther away.

