Application programming interface (API) vulnerabilities surged 21% in the third quarter, with cloud-native infrastructure increasingly targeted by cybercriminals, according to Wallarm’s Q3 2024 API ThreatStats report.
The vulnerabilities had an average CVSS score of 7, with many reaching 7.5, highlighting their high severity and ease of exploitation.
The report also found nearly a third (32%) of vulnerabilities were tied to cloud-native software, reflecting the increasing focus of cybercriminals on cloud infrastructure.
Ivan Novikov, CEO of Wallarm, said that while a 21% increase is concerning, there have been increases nearly every quarter since the company started tracking at the beginning of 2022.
“We hear pretty consistently that organizations just don’t know what APIs they have, so the key strategy to prioritize is API discovery,” he said. “Getting a handle on how many APIs you have should be first, followed by understanding what risk they present.”
Novikov added that eliminating unnecessary or orphan APIs can do a lot to reduce risk, even before IT security teams start doing deeper security scanning.
The report found that incidents involving client-side API flaws, such as OAuth misconfigurations and cross-site scripting (XSS), contributed to major breaches at companies like Hotjar and Business Insider.
Additionally, poorly secured APIs with weak authentication amplified the scale of breaches at Deutsche Telekom and Fractal ID, allowing attackers to extract entire datasets.
Novikov said while the attack surface may have shifted to APIs, the basic best practices haven’t changed.
“Start with awareness of the problem, risk assessment, protection, then proactive risk reduction,” he explained. “The challenge is that these best practices aren’t always easy practices, and with a move to API technologies, the tools required have changed.”
The report stressed that API security is critical for AI systems, as APIs are essential for connecting models, data, and infrastructure.
In addition, the new generation of generative AI (GenAI) tools is tightly coupled to APIs.
“While you may interact through a web browser, the back end is all API driven,” Novikov said.
Furthermore, the organizations that are integrating generative AI into their products and services are doing so via APIs.
“There really is no AI without APIs,” Novikov said. “Securing the APIs that drive AI requires that you know where they are and that you put in place tools to monitor, analyze, and protect that AI API traffic.”
The report examines all the publicly available data about API vulnerabilities, but Novikov added that it's important to keep in mind that many more API vulnerabilities exist that haven't been published or assigned a CVE ID.
“That means you have to protect against so-called zero-day attacks,” he said.
This means API protection tools must be capable of analyzing the API traffic reaching the company and the protocols being used, and of detecting novel attacks that aren't targeting a known vulnerability.
Novikov noted shared problems require shared solutions, but development and security haven’t traditionally had a great relationship.
“Development is all about velocity and time to market, while security is all about risk assessment and caution,” he said. “Finding common ground can be tough.”
He recommended that security teams look for ways to provide value back to developers; for example, sharing information about what's deployed in production can be valuable.
Identifying how production APIs deviate from their specifications is similarly valuable, as is information about how actual clients, malicious or not, interact with the APIs.
“Ultimately, these two groups need each other to be successful at reducing risk,” Novikov said.
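As an added illustration of the discovery and spec-deviation checks discussed above (example code written for this page, not from the Wallarm report or the article), the script below compares a constructed, OpenAPI-style inventory of documented endpoints against constructed gateway access-log lines and reports undocumented (shadow) endpoints, methods the spec does not allow, and documented endpoints that no client ever calls (orphan candidates).

```python
import re
from collections import defaultdict

# Constructed sample inventory (stands in for the team's OpenAPI spec):
# path template -> set of documented HTTP methods.
SPEC = {
    "/api/v1/users/{id}": {"GET", "PATCH"},
    "/api/v1/orders": {"GET", "POST"},
    "/api/v1/reports/{id}": {"GET"},  # never called below: orphan candidate
}

# Constructed access-log lines in a common gateway format.
LOG_LINES = [
    '10.0.0.5 "GET /api/v1/users/42 HTTP/1.1" 200',
    '10.0.0.5 "DELETE /api/v1/users/42 HTTP/1.1" 204',          # method not in spec
    '10.0.0.9 "POST /api/v1/orders?expand=items HTTP/1.1" 201',
    '10.0.0.9 "GET /api/internal/debug/config HTTP/1.1" 200',   # undocumented endpoint
    '10.0.0.7 "GET /api/v1/users/7/export HTTP/1.1" 200',       # undocumented sub-path
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def template_to_regex(template):
    # "/users/{id}" -> regex matching exactly one path segment per {param}.
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def audit(spec, log_lines):
    """Return shadow endpoints, method mismatches and orphan templates."""
    compiled = [(t, template_to_regex(t), m) for t, m in spec.items()]
    seen = defaultdict(set)
    findings = {"undocumented": set(), "method_mismatch": set(), "orphan": set()}
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip
        method = match.group("method")
        path = match.group("path").split("?", 1)[0]  # drop the query string
        for template, rx, methods in compiled:
            if rx.match(path):
                seen[template].add(method)
                if method not in methods:
                    findings["method_mismatch"].add((method, template))
                break
        else:  # no documented template matched: shadow API
            findings["undocumented"].add((method, path))
    findings["orphan"] = set(spec) - set(seen)
    return findings


if __name__ == "__main__":
    for kind, items in audit(SPEC, LOG_LINES).items():
        print(kind, sorted(items))
```

Pointing the same check at a real spec and a day of gateway logs gives the inventory Novikov describes: what is actually exposed, what deviates from the spec, and what can be retired.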