OWASP, the Open Web Application Security Project known for its Top 10 list of web application vulnerabilities, published the release candidate version of its API Security Top 10 list at the end of September 2019. It is a good time to pay attention to API security, since several high-profile breaches in recent months have involved APIs, most notably the one at Capital One.
API-enabled breaches in the news
According to a report released by Akamai earlier this year, API calls now represent 83% of all web traffic. According to a recent Gartner report, web-enabled applications already have 40% of their attack surface in the form of APIs rather than user interfaces, and Gartner expects that share to reach 90% by 2021. By 2022, Gartner predicts, API abuses will be the most frequent attack vector.
The problems have already begun. Recent examples of organizations in the news because of API-related breaches include McDonald's, Facebook, Twitter, Panera Bread, T-Mobile, Instagram, Salesforce, Snapchat and the US Internal Revenue Service.