APIs are becoming a worrying security target - here's what your business can do to stay safe


The number of attacks targeting APIs rose significantly as APIs became a more attractive and reachable target, a new report from Imperva has found.

APIs, or Application Programming Interfaces, are software intermediaries that allow two applications to talk to each other. Among the biggest benefits of APIs are seamless connectivity, improved user experience, and faster innovation. For years now, API traffic has been outgrowing human traffic, and last year, the researchers said, API traffic constituted more than 71% of all web traffic. This has drawn the attention of cybercriminals, who have sought to abuse the trend for various purposes.

According to the report, attacks targeting the business logic of APIs constituted 27% of all attacks last year, up by 10% compared to 2022. Account Takeover (ATO) attacks targeting APIs also rose, from 35% in 2022 to 46% in 2023.

Lucrative attacks

Elsewhere, the report claimed the average number of API calls to enterprise sites is 1.5 billion. The high volume of non-human, automated traffic is "undeniably" linked to the rise in automated attacks on APIs, the researchers added.

As a result, businesses need robust security measures to defend against things like Distributed Denial of Service (DDoS) attacks, or ATOs. In fact, 46% of all ATO attacks targeted API endpoints, they said. Finally, attackers are honing their strategies, and 28% of all DDoS attacks on APIs are going after financial services organizations. 

Traditional security tools, like Web Application Firewalls (WAF), will not suffice, Imperva concludes. API attacks will adeptly masquerade as regular traffic, rendering these defense mechanisms useless. 
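The point above is that each request in an API-based ATO attempt looks legitimate on its own, so a per-request signature check has nothing to match; the attack is only visible in the aggregate. The following Python example, added here and not code from Imperva, Barracuda or TechRadar, shows the kind of behavioural aggregation a detection pipeline would apply instead. The log format (`<timestamp> <src_ip> <method> <path> <status> <user>`), the `/api/v1/login` path and the thresholds are all assumptions, and the log lines are constructed sample data.

```python
"""Behavioural detection of account-takeover (ATO) attempts against an API login
endpoint. Added illustration for this article; it is not code from Imperva,
Barracuda or TechRadar. The log format and thresholds below are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample API access log: "<timestamp> <src_ip> <method> <path> <status> <user>".
# Every request is syntactically normal; only the aggregate pattern reveals the attack.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 192.0.2.10 POST /api/v1/login 401 bob
2024-03-01T10:00:05Z 192.0.2.10 POST /api/v1/login 200 bob
2024-03-01T10:00:06Z 192.0.2.10 GET /api/v1/orders 200 bob
2024-03-01T10:01:00Z 198.51.100.7 POST /api/v1/login 401 alice
2024-03-01T10:01:02Z 198.51.100.7 POST /api/v1/login 401 bob
2024-03-01T10:01:04Z 198.51.100.7 POST /api/v1/login 401 dave
2024-03-01T10:01:06Z 198.51.100.7 POST /api/v1/login 401 erin
2024-03-01T10:01:08Z 198.51.100.7 POST /api/v1/login 401 frank
2024-03-01T10:01:10Z 198.51.100.7 POST /api/v1/login 401 grace
2024-03-01T10:02:00Z 203.0.113.1 POST /api/v1/login 401 carol
2024-03-01T10:02:20Z 203.0.113.2 POST /api/v1/login 401 carol
2024-03-01T10:02:40Z 203.0.113.3 POST /api/v1/login 401 carol
"""


@dataclass(frozen=True)
class Request:
    ts: float          # POSIX seconds
    src_ip: str
    method: str
    path: str
    status: int
    user: str


@dataclass(frozen=True)
class Alert:
    kind: str     # credential_stuffing | account_spraying | distributed_ato
    subject: str  # offending source IP, or targeted account
    count: int    # observations inside the window when the alert fired


def parse_line(line: str) -> Request:
    ts, ip, method, path, status, user = line.split()
    posix = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return Request(posix, ip, method, path, int(status), user)


def _prune(window: deque, cutoff: float) -> None:
    """Drop entries that have fallen out of the sliding window."""
    while window and window[0][0] < cutoff:
        window.popleft()


def detect_ato(lines, login_path="/api/v1/login", window_s=60,
               max_failures=5, max_accounts=3, max_sources=3):
    """Return alerts for login-failure patterns a per-request WAF rule cannot see.

    - credential_stuffing: one source IP fails >= max_failures logins within window_s
    - account_spraying:    one source IP fails logins for >= max_accounts distinct users
    - distributed_ato:     one account sees failures from >= max_sources distinct IPs
    """
    requests = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r.ts)
    fails_by_ip = defaultdict(deque)    # ip   -> deque[(ts, user)]
    fails_by_user = defaultdict(deque)  # user -> deque[(ts, ip)]
    alerts, fired = [], set()

    def raise_once(kind, subject, count):
        if (kind, subject) not in fired:
            fired.add((kind, subject))
            alerts.append(Alert(kind, subject, count))

    for r in requests:
        if r.path != login_path or r.status != 401:
            continue  # only failed authentication attempts feed the detectors
        cutoff = r.ts - window_s

        ip_win = fails_by_ip[r.src_ip]
        ip_win.append((r.ts, r.user))
        _prune(ip_win, cutoff)
        if len(ip_win) >= max_failures:
            raise_once("credential_stuffing", r.src_ip, len(ip_win))
        accounts = {u for _, u in ip_win}
        if len(accounts) >= max_accounts:
            raise_once("account_spraying", r.src_ip, len(accounts))

        user_win = fails_by_user[r.user]
        user_win.append((r.ts, r.src_ip))
        _prune(user_win, cutoff)
        sources = {ip for _, ip in user_win}
        if len(sources) >= max_sources:
            raise_once("distributed_ato", r.user, len(sources))
    return alerts


if __name__ == "__main__":
    for a in detect_ato(SAMPLE_LOG.splitlines()):
        print(f"{a.kind:20s} {a.subject:15s} n={a.count}")
```

Run against the sample, the detector flags the single source that sprays six accounts, the same source once it crosses five failures, and the `carol` account that is probed from three addresses, while the ordinary user who mistypes a password once and then logs in raises nothing. The thresholds and the 60-second window are deliberately small for illustration; in production they would be tuned per endpoint and combined with other signals (device fingerprint, geography, token reuse) rather than relied on alone.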

Many IT professionals seem to agree with Imperva: a recent Barracuda report found that 55% of respondents consider attacks on APIs the most lucrative for criminals. Barracuda claims that "attackers will often target old vulnerabilities that security teams have forgotten about," and that "multiple layers" of security are needed to secure web apps and APIs.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.