Application programming interface (API) and bot attacks are on the rise, according to a new report, costing companies and organizations billions of dollars.
September research from Imperva, a cybersecurity firm and subsidiary of aerospace and defense corporation Thales, found that API and bot attacks cost $94–$186 billion in global losses annually. Part of the reason for that is the widespread adoption of APIs, the report noted, leading to an increase in attack surface.
Erez Hasson, Imperva senior product marketing manager, told IT Brew that “part of why we wanted to focus on these two attacks specifically, is actually the overlap, which is when bots target APIs specifically.”
“Oftentimes organizations don’t necessarily have visibility into all of their APIs, which brings a common question in cybersecurity that we like to ask—how can you protect what you can’t see?” Hasson said. “Now these APIs are handling a lot of sensitive processes, sensitive information, or business processes.”
Boot camp. For Jim Routh, chief trust officer at Saviynt, the high rate of API adoption correlates to the technology’s “tremendous promise and upside potential for organizations.” While that promise and potential expand the threat surface, he told IT Brew, there’s a solution—added controls and security.
“Just like anything else, from a technology standpoint it’s a little bit more complex,” Routh said. “The extended attack surface requires you to do some different things in API management and governance and get some tooling in place to support that management and governance process, especially as the enterprise scales the use of microservices and the attack surface extended through APIs.”
Unsurprisingly, attackers tend to target companies with revenues of $100 billion or more, the Imperva report found, both because of the payoff and because of widespread API adoption in larger enterprises. Hasson told IT Brew that’s part of the natural tradeoff when you run a big company—you end up adopting technology and opening the door to specific attacks that aim directly at it.
“These organizations have just adopted APIs more, so the attack surface is much larger for them, which is why you would see that the largest organizations are at the highest risk of API attacks,” Hasson said.
Balanced take. Still, as Routh noted, “it doesn’t mean that APIs are bad.” The technology is helpful and allows organizations to efficiently direct their workflows. It’s a matter of understanding risk.
“APIs are hugely enabling and really allow integration in ways that were never possible across environments, across hosting providers, across software running in lots of different places,” Routh said. “So, it’s a positive thing for the industry, but it does require additive control capability and API security products.”