TechRadar
Sead Fadilpašić

APIs are becoming a worrying security target - here's what your business can do to stay safe

The number of API-targeted attacks rose significantly as APIs become a more attractive and reachable target, a new report from Imperva has said.

APIs, or Application Programming Interfaces, are software intermediaries that allow two applications to essentially talk to each other. Some of the biggest benefits of APIs are seamless connectivity, improved user experience, and innovation. For years now, API traffic has been outgrowing human traffic and last year, the researchers said, API traffic constituted more than 71% of all web traffic. This has drawn the attention of cybercriminals, who have sought to abuse the trend for different purposes.

That being said, attacks targeting the business logic of APIs constituted 27% of all attacks last year, which is also up by 10% compared to 2022. Account Takeover (ATO) attacks targeting APIs also rose, from 35% in 2022, to 46% in 2023. 

Lucrative attacks

Elsewhere, the report claimed the average number of API calls to enterprise sites is 1.5 billion. The high volumes of non-human, automated traffic are “undeniably” linked to the rise in automated attacks on APIs, the researchers added.

As a result, businesses need robust security measures to defend against things like Distributed Denial of Service (DDoS) attacks, or ATOs. In fact, 46% of all ATO attacks targeted API endpoints, they said. Finally, attackers are honing their strategies, and 28% of all DDoS attacks on APIs are going after financial services organizations. 

Traditional security tools, like Web Application Firewalls (WAF), will not suffice, Imperva concludes. API attacks will adeptly masquerade as regular traffic, rendering these defense mechanisms useless. 

Many IT professionals seem to agree with Imperva, as a recent Barracuda report found that 55% said attacks on APIs are the most lucrative ones for criminals. Barracuda claims that "attackers will often target old vulnerabilities that security teams have forgotten about," and that "multiple layers" of security are needed to secure web apps and APIs.
