Security Incidents targeting APIs continue to grow

guest · Oct 27, 2021

Cybercriminals Ramp Up Attacks on Web APIs
...attacks and security incidents targeting APIs continue to grow.
https://www.darkreading.com/threat-intelligence/cybercriminals-ramp-up-attacks-on-web-apis

Attacks on Web applications continue to grow, with the majority of malicious activity focused on Web application programming interfaces, or Web APIs, researchers report.

The findings, released Oct. 27 by Internet security firm Akamai, call out the growing attack surface posed by Web APIs. Researchers don't actually differentiate between attacks on Web applications and attacks specifically using Web APIs but maintain that the growing attacks on Web applications are mainly coming through the APIs exposed by application servers. The top three Web attack vectors — SQL injection, local file inclusion, and cross-site scripting — account for nearly 95% of all Web attacks and often are carried out through APIs, according to Akamai's report.
Click to expand...

While developers are quickly adopting APIs as a way of architecting mobile, Web, and cloud applications, they don't always consider security, says Akamai security researcher Steve Ragan.

"APIs are meant to increase the availability and access at scale. They are easy to deploy, so developers really love to tack on APIs when they can, [but] because APIs are dominating our lives, it is important to pay attention to their security."
The growing attack surface area of Web APIs is not going unnoticed. Market research firm Gartner maintains that 90% of Web applications will be more vulnerable to attacks through exposed APIs than through the user interface, according to Akamai's report.
Click to expand...

"When they do credential stuffing attacks, they are using the APIs, and a lot of that stuff is not rate-limited, so you are seeing unlimited guesses."
Surveys have shown developers are more focused on getting APIs working than making sure the interfaces are secure, according to Akamai's report.
Click to expand...

Press Release: Akamai Finds API Vulnerabilities to be a High-Stakes Game for Companies and Individuals Worldwide

Latest Akamai Security Research examines global API security landscape; reveals 2020-2021 attack traffic trends
Akamai Technologies, Inc. (NASDAQ: AKAM), the world's most trusted solution to power and protect digital experiences, today released new research into the evolving threat landscape for application programming interfaces (APIs), which according to Gartner will be the most frequent online attack vector by 2022. The report, 'API: The Attack Surface That Connects Us All,' is the latest from Akamai’s State of the Internet / Security report series. The new report also features a collaboration between Akamai and Veracode researchers, including a guest essay written by Chris Eng, Chief Research Officer at Veracode.
Click to expand...

Akamai: Report "API: The Attack Surface That Connects Us All"
(PDF): https://www.akamai.com/content/dam/site/en/documents/state-of-the-internet/soti-security-api-the-attack-surface-that-connects-us-all.pdf

guest · Oct 28, 2021

Why is API security failing? In part, because we're over-rotating on 'shift left'
October 28, 2021
https://betanews.com/2021/10/28/why-is-api-security-failing/

The benefits of shift-left approaches in security are well-documented, to the point where they have become common practice. This practice helps ensure that more coding quality and security issues are found before the code is released into production, saving time and money and reducing risk.

However, not all security risks can be identified and eliminated in pre-prod. This reality is particularly true with APIs, where the security risks associated with their widespread use and abuse is a significant concern. Experts from Gartner predict that by 2022, API abuse will become the most common attack vector.
Click to expand...

Recent API incidents have already validated this prediction many times over. Starting in 2021, 90 percent of web-enabled applications will be exposed via APIs rather than the user interfaces. Without a balanced approach to protecting APIs, one that goes beyond just pipeline scanning and other shift-left practices, organizations will continue to suffer API security gaps that leave them exposed.

Continuous API discovery provides a better picture of your API attack surface.
Continuous discovery and runtime behavioral analysis make early detection possible, preventing API attacks before exploitation or abuse can occur.
Click to expand...

guest · Oct 28, 2021

API attacks are both underdetected and underreported
October 28, 2021
https://www.helpnetsecurity.com/2021/10/28/security-concerns-api/

API security concerns often not addressed
Often, API security is relegated to an afterthought in the rush to bring them to market, with many organizations relying on traditional network security solutions that are not designed to protect the wide attack surface that APIs can introduce.

It’s not always clear where API vulnerabilities live. For example, APIs are often hidden within mobile apps, leading to the belief that they are immune to manipulation. Developers make the assumption that users will only interact with the APIs via the mobile user interface (UI), but, as noted in this report, that’s not the case.
Click to expand...

“From broken authentication and injection flaws, to simple misconfigurations, there are numerous API security concerns for anyone building an internet-connected application,” said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report.

“API attacks are both underdetected and underreported when detected. While DDoS attacks and ransomware are both major issues, attacks on APIs don’t receive the same level of attention, in large part because criminals use APIs in ways that lack the splash of a well executed ransomware attack, but that doesn’t mean they should be ignored.”
Click to expand...

Chris Eng, Chief Research Officer at Veracode stated,

“Compare the OWASP Top 10 to the OWASP API Security Top 10. The latter purports to address the ‘unique vulnerabilities and security risks’ of APIs, but look closely and you’ll see all of the same web vulnerabilities, in a slightly different order, described with slightly different words. To add more fuel to the fire, API calls are easier and faster to automate (by design!) — a double-edged sword that benefits developers as well as attackers.”
Click to expand...

guest · Nov 9, 2021

New tool helps enterprises find and fix API vulnerabilities
November 9, 2021
https://betanews.com/2021/11/09/tool-enterprises-find-api-vulnerabilities/

As digital transformation projects roll out, APIs are more critical than ever to build modern applications. But as we reported last week they also create security headaches.

Security testing specialist Veracode is addressing this with the launch of a new scanning tool that enables organizations to find and fix vulnerabilities in APIs.

"The explosion of APIs means that application development is becoming more fragmented and decentralized in nature, so the attack surface is growing exponentially," says Brian Roche, chief product officer at Veracode. "As such, API scanning has become the most-requested feature by our customers as they look for a solution that saves time, frees up resources, and provides peace of mind."
Click to expand...

API Scanning uses Veracode's powerful Dynamic Analysis (DAST) scanning engine to provide security insights and remediation guidance for APIs as early and efficiently as possible. Security and vulnerability managers can analyze their APIs as soon as they are available in a network accessible runtime environment, and before they get incorporated into bigger applications.

Roche adds, "Strong API security is fast becoming one of the top concerns for enterprises and a table stakes capability for CISOs. In a world where every relationship should start with zero trust, regular API scanning must be a cornerstone of any robust software security strategy."
Click to expand...

Veracode Releases Enhanced API Scanning to Tackle Fastest-Growing Cyber Attack Vector

90% of web applications contain exposed APIs, making them more vulnerable to attacks from cyber criminals
BURLINGTON, Mass.--(BUSINESS WIRE)--Veracode, the largest global provider of application security testing (AST), has launched an advanced scanning tool that enables organizations to find and fix vulnerabilities in APIs (Application Programming Interfaces) – the fastest-growing attack surface. The new capability leverages Veracode’s powerful Dynamic Analysis (DAST) scanning engine to provide comprehensive security insights and remediation guidance for APIs as early and efficiently as possible.
Click to expand...

guest · Nov 19, 2021

API security ‘arms race’ heats up
November 19, 2021
https://venturebeat.com/2021/11/19/api-security-arms-race-heats-up/

Enterprises are starting to catch on to the massive security risk that the pervasive use of application programming interfaces (APIs) can create, but many still need to get up to speed.

Poorly secured APIs have been recognized as an issue for years. Data breaches of T-Mobile and Facebook discovered in 2018, for instance, both stemmed from API flaws.
Click to expand...

But API security has now come even more to the forefront with enterprises across all industries in the process of turning into digital businesses — a shift that necessitates lots and lots of APIs. The software serves as an intermediary between different applications, allowing apps and websites to access more data and gain greater functionality.

“In most organizations, when I ask them who’s responsible for API security, there are blank stares around the table,” he said at the Gartner Security & Risk Management Summit — America’s virtual conference this week.
Click to expand...

That needs to change, said Firstbrook, a vice president and analyst at the research firm. API security vendor Salt Security reported that its customer base saw a 348% increase in API-based attacks over the course of the first six months of 2021.

“APIs are an increasing attack point,” Firstbrook said. “The internet runs on APIs. There’s a huge need for API security.”
Click to expand...

Salt Security: API attacks are increasing at an alarming rate - up 348% in six months

Across our customer base over the past 6 months, the Salt SaaS platform data shows that overall API traffic increased 141% while malicious traffic grew 348%. Looking at our customer data in more detail, we see our customers were experiencing an average of 12.22 million attack calls per month by June 2021. Note that our customers all have WAFs and API gateways deployed, so these API attacks got past those traditional security controls.

Such findings are consistent with broader industry research showing APIs as the dominant application attack vector.
Click to expand...

guest · Jul 17, 2022

API security moves mainstream
The heavyweights are now moving into API security, cementing it as “A Thing”
July 14, 2022

As swarms of IoT gear, seeking richer data retrieval from their cloud mother ships, the more robust – and more potentially dangerously hackable – API interfaces get a fresh push toward center stage.

With Google’s API security initiative Apigee, API security is growing up. And it’s not just IoT. Machine-to-machine data behind super slick UX designs needs seamless interfaces that help move its masses of data with less friction, offering more responsive mashups of tech polled from locations far and wide.
Click to expand...

Recently, we wrote about the spate of new startups at this year’s RSA Conference that tried to get attendees to wrap their heads around how to make sure an API doesn’t suddenly start misbehaving or does stuff no one knows about until it’s too late. It’s not just us: our friends at DarkReading purport to tally the mounting business losses associated with API hacks.

And now the heavyweights are moving into this space too, cementing API security as “A Thing”. Google’s Apigee Advanced API Security for Google Cloud aims to let organizations identify API misconfigurations and thwart malicious bots, the former being one of the main culprits of API security incidents.
Click to expand...

Expect to continue to see API hacks ramp up as companies wrestle with the prospect of securing yet-another-interface, this time an industrial one that sits at the heart of the cloud and big data, and – configured wrong – can allow vast troves of data to be siphoned off around the world to parts unknown. Just make sure it’s not your data.
Click to expand...

Google: Announcing Apigee Advanced API Security for Google Cloud

Organizations in every region and industry are developing APIs to enable easier and more standardized delivery of services and data for digital experiences. This increasing shift to digital experiences has grown API usage and traffic volumes. However, as malicious API attacks also have grown, API security has become an important battleground over business risk.

To help customers more easily address their growing API security needs, Google Cloud is announcing today the Preview of Advanced API Security, a comprehensive set of API security capabilities built on Apigee, our API management platform. Advanced API Security enables organizations to more easily detect security threats. Here’s a closer look at the two key functionality included in this launch: identifying API misconfigurations and detecting bots.
Click to expand...

guest · Aug 5, 2022

94% of survey respondents experienced API security incidents in 2021
August 3, 2022

Few assets in the attack surface cause as much hassle as APIs. Not only are many organizations’ APIs openly exposed on the internet, but they’re also reliant on these APIs to access critical data assets and applications.

New research released by API security provider Salt Security highlighted this trend by revealing that 94% of organizations responding to their survey experienced security issues in production APIs in the past year, with 20% stating their organization actually suffered a data breach as a result of API security gaps.
Click to expand...

These security issues could be as serious as openly exposing protected data online. For instance, among Salt’s customer base, 91% of APIS were openly exposing PII and sensitive data to threat actors.

For enterprises, this research highlights that most organizations need to reevaluate their API security strategies to ensure they have the maturity to protect APIs throughout the entire development lifecycle.
Click to expand...

Salt Security: API Security Incidents Nearly Universal Finds Latest “State of API Security” Report

It’s no secret that APIs are at the core of every modern application, and that makes them an enormously enticing attack target. Unfortunately, most organizations are unprepared to protect this ever-expanding attack surface, according to findings from the fourth edition of the Salt Labs pioneering “State of API Security” report.

The data, drawn from a combination of survey responses and empirical data from Salt Security customers, highlights a daunting scenario: exploding attack activity, insufficient existing practices, and overwhelmed teams who feel ill-prepared to deal with the API security issues.
Click to expand...

guest · Aug 20, 2022

API breaches prevalent despite development efforts
August 19, 2022

Monthly API security breaches occurred in the organizations of 20% of developers and API professionals, even though 51% noted that over half of the development efforts of their organizations have been directed toward APIs, VentureBeat reports.

Elevated API security incidence noted in the Postman study should prompt organizations to bolster API identification and security efforts. Inadequately protected shadow or published APIs may be causing more frequent API security incidents among some companies, which may also have more legacy systems and a lacking understanding of the API landscape, according to Postman CEO Abhinav Asthana.
Click to expand...

Asthana added that increasing mobile app prevalence has also emphasized the importance of increased API transparency and visibility.

"Many mobile apps have a number of backend APIs used to support it and they are often overlooked. Attackers have been abusing these backend mobile APIs for quite some time because they are often not secured and provide much more valuable content. You cant protect what you dont know about," said Asthana.
Click to expand...

VentureBeat: 20% of developers and IT pros say API security breaches happen monthly

API security is something that many security teams fail to get right. In the increasingly remote, modern work environments of today, there are so many apps and services that rely on APIs that analysts struggle to discover and secure.

Earlier this week, API provider Postman, released its 2022 State of the API Report — which surveyed more than 37,000 developers and API professionals — and found that 20% of respondents say API security incidents or breaches happen at least once per month at their organizations.
Click to expand...

Postman: 2022 State of the API Report

For the fourth year in a row, the State of the API is the largest and most comprehensive survey and report on APIs–and this year's was the biggest ever. More than 37,000 developers and API professionals shared their thoughts on topics including their organizations' development priorities, the economy, the tools they use, and where they see the industry going.
Click to expand...

guest · Aug 20, 2022

API security: Broken access controls, injection attacks plague the enterprise security landscape in 2022
Spring4Shell and Veeam RCE exploit topped the list in Q1 2022
August 19, 2022

API-related security vulnerabilities continue to be a thorn in the side of organizations, with access control flaws now associated with high-severity CVEs.

According to a new whitepaper published by API security firm Wallarm, titled ‘API vulnerabilities discovered and exploited in Q1-2022’, a total of 48 API-related vulnerabilities were found and reported in the first quarter.
Click to expand...

Based on industry standards, 18 were considered high-risk and 19 were labeled as of medium severity, the report (PDF) says.
The critical vulnerabilities disclosed publicly earned themselves CVSS v3 scores ranging from 8.1 and 10.
Top API threats
Merging both OWASP Top 10 and OWASP API Security Top 10 standards, the cybersecurity firm categorized the most significant API threat disclosures as issues relating to broken access controls (or broken function level authorization, depending on the OWASP standard), as well as injection attacks.

Topping the list of the four most dangerous API vulnerabilities disclosed and reported in the first quarter of 2022 is CVE-2022-22947, also known as ‘Spring4Shell.’
Click to expand...

APIs, as key communication methods between functions, will remain a target for cyber-attackers as long as they are in use due to their critical roles in modern networks and services.
Click to expand...

Wallarm: Whitepaper: API Vulnerabilities Discovered And Exploited in Q1-2022
(PDF): https://static.wallarm.com/wallarm-webflow/resources/api-vulnerabilities-discovered-and-exploited-in-q1-2022/API%20vulnerabilities%20discovered%20and%20exploited%20in%20Q1-2022.pdf

guest · Aug 20, 2022

Wallarm:
API Vulnerabilities Jump Up 3.7x in Q2-2022

Since the beginning of 2022, the Wallarm security research team has been analyzing API vulnerabilities and exploits, and releasing quarterly reports. The Q1 report got a lot of attention and positive feedback from the cybersecurity community, as well as a few valuable ideas and suggestions.

We included many of these in the Q2 API Vulnerabilities and Exploits report, which will be discussed in our upcoming webinar on August 8th.
Click to expand...

Key Findings
Some of the highlights which will be in the final Q2 API Vulnerability report include:

Injections (OWASP A03 / API8) are now the highest risk for APIs, ahead of BOLA by all metrics (number of discovered issues, exploitability and severity).

API threats grew 3.7x QoQ and already hit the 2 new exploits a day threshold, and the number of Critical and High risk API vulnerabilities have increased dramatically – all of which suggests that extra vigilance is needed.

33% of the reported API vulnerabilities are almost immediately exploited, with PoCs published within a median of 2-½ weeks.

Top cybersecurity, enterprise and DevOps products were affected by API security issues, including the following top-5 most impactful:

Click to expand...

Infographic - API Vulnerabilities And Exploits in Q2-2022
(PDF): https://hubspot.wallarm.com/hubfs/2022-Q2_API_vuln_report_infographic.pdf

guest · Jan 4, 2023

Toyota, Mercedes, BMW API flaws exposed owners’ personal info
By Bill Toulas @billtoulas - January 4, 2023

Almost twenty car manufacturers and services contained API security vulnerabilities that could have allowed hackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers' personal information.

The security flaws impacted well-known brands, including BMW, Roll Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis.
The vulnerabilities also affected vehicle technology brands Spireon and Reviver and streaming service SiriusXM.
Click to expand...

The discovery of these API flaws comes from a team of researchers led by Sam Curry, who previously disclosed Hyundai, Genesis, Honda, Acura, Nissan, Infinity, and SiriusXM security issues in November 2022.

While Curry's previous disclosure explained how hackers could use these flaws to unlock and start cars, now that a 90-day vulnerability disclosure period has passed since reporting these issues, the team has published a more detailed blog post about the API vulnerabilities.
The impacted vendors have fixed all issues presented in this report, so they are not exploitable now.
Click to expand...

Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More

January 3, 2023
If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.

At this point, we started a group chat and all began to work with the goal of finding vulnerabilities affecting the automotive industry. Over the next few months, we found as many car-related vulnerabilities as we could. The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.
Click to expand...

guest · Jan 19, 2023

Credential Leakage Fueling Rise in API Breaches
By Kevin Townsend - January 19, 2023

There is a problem with API security – it isn’t working very well, and it’s largely down to credential leakage. Most security professionals are confident in their own API credential management; but at the same time, most of the same professionals admit to having experienced a breach effected through compromised API credentials.
Click to expand...

In a survey of more than 400 US-based professionals (more than 90% of whom were developers or security people), 53% claimed to have suffered an API breach, while 77% claimed their company was very or extremely effective in managing their tokens. Only 3% believed they are not effective in protecting the credentials – and yet API breaches continue to rise.

The cause of this apparent contradiction is probably threefold: a lack of visibility into existing APIs, the sheer volume of APIs that are in use, and the amount of time already being spent on managing the credentials for those APIs. The survey conducted by Corsha discovered that 64% of companies are managing more than 250 API credentials across their network (with 3% managing more than 1,000).
Click to expand...

Credential rotation is one of the best manual practices to keep API secrets secret. Today, 27% of the survey respondents reported (PDF) that they rotate their API secrets only once per quarter, and sometimes only once per year. The strain on existing resources in a difficult economy combined with a growing API usage will make credential leakage more widespread, and credential rotation more problematic.

“The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight,” notes Scott Hopkins, COO at Corsha.
Click to expand...

guest · Jan 24, 2023

DuoLingo investigating dark web post offering data from 2.6 million accounts
By Jonathan Greig @jgreigj - January 24, 2023

Language learning platform DuoLingo said it is investigating a post on a hacking forum offering information on 2.6 million customer accounts for $1,500.
Click to expand...

A spokesperson for the company said they are aware of the post, which was created on Tuesday morning and offers emails, phone numbers, courses taken and other information on how customers use the platform.

“These records were obtained by data scraping public profile information,” a spokesperson said.
“No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners.”
Click to expand...

In the post, the hacker said they obtained the information from scraping an exposed application programming interface (API) and provided a sample of data from 1,000 accounts.

There are now a number of tools that allow people to scrape APIs and extract troves of data from websites. Sometimes the information is public but in many cases it is exposed through links to other sites.
Click to expand...

Log in or Sign up

Security Incidents targeting APIs continue to grow

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Security Incidents targeting APIs continue to grow

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches