Sunnyvale, Calif. – October 4, 2022 — Cequence Safety, the main supplier of Unified API Safety, immediately launched its first half 2022 report, titled “API Safety Report: Shadow APIs and API Abuse Explode.” Chief among the many findings was roughly 5 billion (31%) malicious transactions focused unknown, unmanaged and unprotected APIs, generally known as shadow APIs, making this the highest risk difficult the {industry}.
“The truth is the on a regular basis luxuries we take pleasure in as customers like ridesharing and meals supply providers are constructed on APIs,” mentioned Ameya Talwalkar, CEO and founder, Cequence Safety. “Our analysis discovered that the revolutionary methods firms can enhance buyer experiences are additionally the most important risk to their safety, buyer belief and finally, their backside line. These firms should rethink what’s prioritized of their safety technique, beginning with API safety.”
Developed by the CQ Prime Menace Analysis workforce, the report relies on an evaluation of greater than 20 billion API transactions noticed over the primary half of 2022 and seeks to spotlight the highest API threats plaguing organizations immediately.
High Menace #1: Shadow APIs Hit with 5 Billion Malicious Requests
Roughly 5 billion (31%) of the 16.7 billion malicious requests noticed focused unknown, unmanaged and unprotected APIs, generally known as shadow APIs, spanned a variety of use circumstances. From the extremely volumetric sneaker bots making an attempt to seize the most recent Dunks or Air Jordans to stealthy attackers making an attempt a gradual trickle of card testing fraud on stolen bank cards to pure brute power credential stuffing campaigns. Pushed by high-volume content material scraping as a precursor to procuring bot and reward card assaults, assaults on shadow APIs surged in April 2022 and have continued to rise in quantity all year long.
High Menace #2: API Abuse
Based mostly on 3.6 billion assaults blocked by the CQ Prime Menace Analysis workforce, the second largest API safety risk mitigated in the course of the first half of 2022 was API abuse, which means attackers focusing on correctly coded and inventoried APIs. This discovering highlights the necessity to use industry-standard lists like OWASP as a place to begin, not an finish aim. Essentially the most generally blocked assaults are indicative of the methods attackers are utilizing. These included:
- 3 billion procuring bots focusing on sneakers or luxurious items
- 290 million reward card checking assaults
- The tried creation of roughly 237 million pretend accounts on in style courting and procuring purposes
High Menace #3: The Unholy Trinity: Credential Stuffing, Shadow APIs & Delicate Information Publicity
Based mostly on 100 million assaults, the mixed use of API2 (Damaged Person Authentication), API3 (Extreme Information Publicity) and API9 (Improper Property administration) signifies two issues: attackers are performing detailed evaluation of how every API works, how they work together with one another, and the anticipated final result and builders want to remain ever vigilant in following API coding finest practices.
Account Takeover Mitigation Saves $193 Million
Highlighting the continued recognition of account takeovers (ATO), the CQ Prime Menace Analysis workforce helped prospects mitigate roughly 1.17 billion malicious account login requests – all in opposition to APIs. The recognition of ATOs could be tied on to their versatility, which has been amplified by the adoption of APIs for account logins and is proven all through this report. Extra importantly, the affect of an ATO on the enterprise is critical, with every incident various in price from $290 (Juniper Analysis) and roughly 9 hours of investigative work to $311 (Federal Commerce Fee). The mitigation efforts protected roughly 11.7 million accounts which equate to a financial savings of $193 million throughout all prospects.
“Our evaluation and findings are based mostly on actual assaults within the wild,” mentioned William Glazier, Director of Menace Analysis at Cequence Safety. “Our findings underscore the significance of IT and safety leaders having an entire understanding of how accurately coded APIs, in addition to these with errors, could be attacked. The pattern dimension of 20 billion alone means there’s a excessive chance that enterprises throughout industries are impacted by a majority of these threats.”
The report highlights the significance of understanding the techniques, methods, and procedures (TTPs) attackers use to use dangers and the way attackers will react to resistance. This implies not solely ensuring that APIs will not be vulnerable to the OWASP API Safety High 10 as a place to begin but in addition what could be outlined as API10+, a class that encompasses the numerous completely different ways in which a superbly coded API is perhaps abused.
Obtain the complete findings of the report.
View the Infographic.
About Cequence
Cequence Safety, the pioneer of Unified API Safety, is the one resolution that unifies API discovery, stock monitoring, threat evaluation and native mitigation with confirmed, real-time risk safety in opposition to ever-evolving API assaults. Cequence Safety secures greater than 6 billion API calls a day and protects greater than 2 billion person accounts throughout our Fortune 500 prospects. Our prospects belief us to guard their APIs and internet purposes with the simplest and adaptive protection in opposition to on-line fraud, enterprise logic assaults, exploits and unintended information leakage, which allows them to stay resilient in immediately’s ever-changing enterprise and risk panorama. Be taught extra at www.cequence.ai.
