APIs are a critical component of any digital business, sharing information between various software solutions and streamlining and improving business productivity through system integration. They allow modularity in development projects, increase the scalability of the business and in theory should enhance your software security.

API security breaches have become increasingly common in recent years, with the rising popularity of APIs and the growing number of API integrations in software applications. The frequency of API security breaches varies depending on the industry, the type of API, and the level of security measures in place.

According to the 2021 Verizon Data Breach Investigations Report¹, web application attacks, which often involve APIs, accounted for 39% of all breaches. In addition, the report found that the most common motive for these breaches was financial gain. The 2022 Verizon report² again mirrored the overwhelmingly dominant target being web application attacks (81%) and driver being financial gain (78%) in the incidents they researched. A clear demonstration of growth and assumed opportunity for bad actors.

The 2022 State of the API Report by Salt Security³ found that in the 12 months since their 2021 report Salt customers experienced an increase of 117% in API attack traffic correlating to an increase of 168% in overall API traffic. This builds upon the 2021 data which found 91% of respondents reporting experiencing at least one API security incident in the prior 12 months, with an average of 2.7 incidents per organisation. Attacks have increased by 30% between 2021 and 2022 for Salt customers with 34% of customers experiencing greater than 100 attempted attacks per month.

Overall, security breaches are a significant concern for organisations that use APIs to exchange data and communicate with external systems. It is essential to implement robust security measures such as access controls, encryption, and regular security testing to mitigate the risk of API security breaches.

Beyond what should be key considerations like authentication, transmission, traffic volume and authorisation, there are other important variables and activities to consider and enact when building, configuring and maintaining system APIs. Authentication methods should be determined based on the type and sophistication of the user base. With a variety of authentication options available, such as; JWT, OAuth, SAML, keys, and more, understanding the characteristics and technological capabilities of the user base should be a critical consideration when defining an effective security architecture and strategy. Without consideration and effective internal upskilling, the choice of authentication methodology can open an organisation to a relatively easy breach through social engineering or poor cybersecurity hygiene. 

The characteristics of the transmitted data and the transmission method also impact the risk profile of a security breach. Prior to the development of any API, understanding the volumes of data, how and where the transmitted data is sourced, and how issues with the query and or response strings are handled help to identify actions to be undertaken to mitigate potential avenues for malicious activity. A plan for monitoring and logging all API traffic and regular security review, testing and updating are crucial components of an effective security architecture design.

Business software solutions or digital business tools that transmit confidential, private or critical data require a security minded technology team. The last three years of the IBM Cost of a Data Breach Reports⁴ have demonstrated a per record cost growth from $146 USD in 2020⁶ to $160 USD in 2021⁵ and to $164 USD in 2022⁴, approximately a 12% increase in cost over the last two years. It is important to note that the cost calculations are centred on the cost of recovery, rectification and remediation; they do not address the cost of the loss of reputation. The indirect costs can have a long-lasting impact on the business reputation and forward performance.

The only real way to protect an organisation is to implement strong and regular security testing and practices on transmitted data. Transmitted business data requires the same care and due diligence as stored customer or business data. Maintaining and protecting the transmitted data is critical for all solutions leveraging an API. Key testing activities such as; manual, automated, Fuzz, Penetration, Vulnerability scanning, and code review should be regularly scheduled. Security logs should be monitored for changes or anomalies. Budgeting for and utilising external testing resources increases security coverage through unbiased perspective, subject matter and compliance expertise, and the minimisation of human issues, such as, limited resourcing, blind spots, and overconfidence.

Treating transmitted and stored customer and business data with the same diligence as revenue driving activities delivers a 360 degree positive experience for customers and is an opportunity to lead competitors in total customer experience.

References

¹2021 Report: Verizon: 2021 Verizon Data Breach Investigations Report (DBIR) 

²2022 Report: Verizon: 2022 Verizon Data Breach Investigations Report (DBIR) –  (requires free sign up)

³2022 Report: Salt Security: State of API Security Report Q3 2022   (requires free sign up)

⁴2022 Report: IBM: Cost of a Data Breach Report 2022 –  (requires free sign up)

⁵2021 Report: IBM: Cost of a Data Breach Report 2021

⁶2020 Report: IBM: Cost of a Data Breach Report 2020