API Vulnerability Lives at the Heart of the Breach

PUBLISHED ON February 11, 2019
LAST UPDATED March 11, 2022

*We are thrilled to introduce and feature David Geer on the ThreatX Blog. David is a content marketing writer and market influencer specializing in cybersecurity.*

You’ve heard that nation-state hackers stole 145 million consumer records in the 2017 Equifax breach. Did you know that this attack and breaches at Amazon, Facebook, T-Mobile, and the Black Hat security conference all targeted vulnerable APIs?

Thanks to APIs, your consumers, employees, and partners benefit from robust applications with rich features. But, cyberthugs profit too, because they can leverage APIs and their flaws to get to your data.

Thousands of new APIs become available each year on ProgrammableWeb.com alone. The global cloud API market will generate more than $1.7 billion in revenues by 2026, according to Persistence Market Research. With organizations like yours creating and using more APIs each year, the attack surface grows ever broader. Any solution must surround and secure your APIs, apps, and data despite the burgeoning landscape.

Attack surfaces, vulnerabilities, and data

Broad attack surfaces with numerous vulnerabilities provide access to valuable data, drawing criminal hackers. There are more than 20,000 APIs available on ProgrammableWeb.com. API Hound touts a database of 50,000 APIs. Enterprises use hundreds of APIs in their many applications. Their consumption of these essential software conduits seems unending.

Developers create APIs that connect applications across the gamut of environments and devices. APIs traverse operating system software and databases, multiplying the places where cyber crooks can launch attacks and steal your information.

APIs have many vulnerabilities seated in software programming errors. These coding flaws leave APIs vulnerable to attacks like code injections and many of the same exploits that plague other software.
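The coding flaw most often meant by "code injection" in an API is a request parameter that is spliced into a query or command as text. The following is an added illustration, not code from this post or from ThreatX: a lookup endpoint backed by an in-memory SQLite table of constructed rows, written once with the parameter concatenated into the SQL and once with it passed as a bound parameter. The table, column names and sample rows are all invented for the example.

```python
"""Constructed example: an API lookup handler with an injection flaw
beside its parameterized fix. All data here is made up."""
import sqlite3


def build_db():
    # Constructed in-memory table standing in for a consumer-records store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, ssn_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "1234"),
            (2, "bob@example.com", "5678"),
            (3, "carol@example.com", "9012"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Flaw: the request parameter becomes part of the SQL text, so any
    # quote character in it changes the query's structure.
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    # Fix: the parameter travels separately from the query text and is
    # only ever treated as a value, never as SQL.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Return row counts for a normal request and a malformed one
    against both handlers, so the difference is observable."""
    conn = build_db()
    normal = "alice@example.com"
    # A value carrying a quote and an always-true clause: the vulnerable
    # handler's WHERE collapses to "email = '' OR '1'='1'".
    malformed = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_malformed": len(lookup_vulnerable(conn, malformed)),
        "hardened_normal": len(lookup_hardened(conn, normal)),
        "hardened_malformed": len(lookup_hardened(conn, malformed)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable handler returns every customer row for the malformed value, which is exactly the bulk exposure of PII the post describes; the parameterized handler returns none, because the value never reaches the SQL parser as code. Parameterized queries are the fix that survives at the source; a WAF in front of the endpoint is a second layer, not a substitute for it.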

Criminal hackers use APIs to breach consumer records that contain PII, including any personal details, location or contact information, or accounts. Cyber hoodlums hack APIs to reach into healthcare databases that have PHI such as payment information, prescriptions and diagnoses, and the dates and locations of medical services.

Cybercriminals use APIs to get to your IP. They can access hard drives, servers, and databases that contain the proprietary data you’ve worked so hard to accumulate.

The fallout

Attacks on APIs end in the same tragedies that other high-profile breaches do.

Whether PII, PHI, or IP, the stolen data can become a currency on the black market known as the dark web. Black hat hackers can publish it to the internet for all to see. Nation-states engaging in cyber espionage can use your IP to grow their economies. Cybercrooks can corrupt or destroy your data without moving it.

Organizations that fall victim pay for forensic investigations and the laundry list of breach expenses that ensue. They suffer brand damage and forfeit business and revenues. Some companies fire the leaders they hold accountable for lapses in security. And some firms cease to exist when the dust settles.

Any harm to consumers comes full circle. They endure the identity, privacy, and financial hardships when attackers steal credit card data, PII, and PHI. They lose the time, money, and effort they must invest to recover sums and repair their credit. Consumers file lawsuits seeking restitution from companies like yours.

Privacy violations lead to penalties under the GDPR, HIPAA, and other regulations, as well as lawsuits from state attorneys general.

Regaining control through an intelligent, SaaS-based, behavior-based, next-gen WAF

Legacy Web Application Firewalls (WAFs) lack the reach to encompass all your APIs, apps, and data wherever they may live, which for many of you is mostly in the cloud. It’s impossible for programmers to identify every API coding error during development. Statistics show that about half of programming mistakes remain regardless of secure coding practices. Criminal hackers will continually find new vulnerabilities to attack, using new exploits that signature-based WAFs have never seen.

Only ThreatX’s next-gen WAF with its API security features and attacker-centric SaaS-based intelligence and behavior-based detection blocks cyber threats in real time based on a risk score instead of rules. Whatever threats hit your APIs, apps, and data, the ThreatX risk score can trigger a response in keeping with your risk appetite.

Get a personal demo of the ThreatX WAAP to see how you can:

  • Secure all your apps in hours, not weeks
  • ID threats and vulnerabilities in real time, with high precision
  • Greatly reduce costly false positives
  • Reduce operational burden by eliminating costly rule and signature maintenance


About the Author