APIs vulnerabilities is a high-stakes game for companies worldwide

The evolving threat landscape for application programming interfaces (APIs), which according to Gartner will be the most frequent online attack vector by 2022.

APIs are inherently designed to be fast and easy pipelines between different platforms. While this priority on convenience and user experience leads APIs to be highly essential to many businesses, it also makes them appealing targets for cybercriminals.

The frustrating patterns of API vulnerabilities has increased despite the improvements made in Software Development Life Cycles (SDLCs) and testing tools. Often, API security is relegated to an afterthought in the rush to bring them to market, with many organizations relying on traditional network security solutions that are not designed to protect the wide attack surface that APIs can introduce.

For example, APIs are often hidden within mobile apps, leading to the belief that they are immune to manipulation. Developers make the assumption that users will only interact with the APIs via the mobile user interface (UI), but that is not the case, according to an Akamai report.

“From broken authentication and injection flaws, to simple misconfigurations, there are numerous API security concerns for anyone building an internet-connected application,” Steve Ragan, Akamai security researcher, said.

Credential stuffing attacks tracked across the 18 months between January 2020 and June 2021 remained steady, with single day peaks of over 1 billion attacks recorded in January 2021 and May 2021, Akamai reported.

The U.S. was the top target for web application attacks during this observed period, with nearly six times the amount of traffic than England, which ranked second. DDoS traffic has remained consistent in 2021 so far, with peaks recorded earlier in Q1 2021.