Salt Security on Wednesday reported that nearly 70% of financial services and insurance companies have suffered rollout delays because of API security issues. Of much greater concern is that 92% have had security issues in production APIs.
The new report combines empirical data from Salt customers and findings from two separate surveys to offer an in-depth analysis of the impact of API security threats and vulnerabilities on these vertical industries.
Some other important findings include: 69% of financial services/insurance respondents say they have experienced rollout delays because of API security issues — 11% higher than the overall response average — and 17% of total respondents had experienced an API-related breach.
Of special concern to security pros was that 84% of attacks against the financial services and insurance sectors came from “authenticated” users who appeared legitimate but were actually attackers. Finally, more than 25% of respondents say they have no API strategy.
“APIs are essential for the innovative digital services being delivered today by financial and insurance organizations,” said Roey Eliyahu, co-founder and CEO of Salt Security. “However, because these APIs transport sensitive customer and financial information, cyber criminals also know they share a wealth of data that they can leverage for theft or fraud. The findings show these companies are suffering significant increases in attacks and other security issues, increasing their vulnerability to API-related incidents.”
Given the rise in attacks, and the costs associated with API security breaches, such as fines, loss of customer trust and reputational damage, securing APIs to protect digital services has become much more of a business priority: 56% of financial services/insurance respondents said API security has become a C-suite issue, and 79% of CISOs in those sectors say securing APIs has become a higher priority than it was two years ago.
While APIs have become a ubiquitous part of the cyber landscape in the past few years, the security industry has lagged behind the need for standards, best practices, and automated tools to both develop and deploy APIs securely, as well as test existing APIs for exploitable vulnerabilities, said Georgia Weidman, security architect at Zimperium.
Weidman said the Open Web Application Security Project (OWASP) first created a Top 10 for API Security in 2019, with a new edition earlier this year, but on the whole there is still a great need for education, for tools on both the offensive and defensive sides, and for standards and best practices on how to secure APIs.
“The Salt Security report clearly reflects that while the software and security industries have much work to do in this area, bad actors are already hard at work taking advantage of the current lack of API security,” said Weidman.
Mike Parkin, senior technical engineer at Vulcan Cyber, said that while users are nearly always the easiest vector, today’s trend of increased API attacks shows that threat actors are finding APIs a fruitful attack vector as well. Parkin said properly securing APIs has become a challenge, though, especially for internal ones that often operate under an "assumed more secure" posture simply because they are internal.
“It's good to see leadership taking the threat seriously in the insurance and financial services sectors, though it's somewhat disturbing that nearly 1 in 5 say they have experienced an API-related breach,” said Parkin. “It’s also interesting to note how many of the API attacks — more than 4 out of 5 — came from ‘authenticated’ attackers. While they don't go in-depth on what it specifically represents, there’s an implication that authentication remains a separate and serious issue.”