Application programming interfaces (APIs) have become the cornerstone of the digital ecosystem, handling a significant share of internet traffic and enabling seamless interactions among various software systems and platforms.
In the banking sector, for instance, the use of APIs is on the rise, with a strong potential for transforming how financial services are delivered and accessed.
As Claire Melling, then NatWest Group head of Bank of APIs, told PYMNTS in an interview last year, “there’s an opportunity to API-enable pretty much all customer journeys,” and financial institutions (FIs) can play “a key part in smoothing out those journeys” given their extensive engagement with customers.
Moreover, APIs offer vast possibilities in traditional banking functions like payments, loans and homebuying, as well as in data sharing, Melling added: “There are opportunities everywhere, and as trusted organizations, we have a part to play in [offering those solutions to] our customers.”
However, despite their widespread use and potential, API security frequently takes a back seat, leading to an increasing number of cybercriminals exploiting the expanding API economy, as outlined in a recent report by Computer Security (CSO) Online.
“APIs are pivotal in developing new capabilities within companies. However, their security often receives inadequate attention, either overlooked in early planning stages or failing to match the pace of rapid technological deployment,” the report said.
In fact, APIs were the target of nearly 30% of web attacks in 2023, the report noted, citing research from Akamai, with the commerce sector bearing the brunt of attacks at about 44%. Following closely, the business services sector faced nearly 32% of attacks. These attacks varied from local file inclusion (LFI) and SQL injection (SQLi) to cross-site scripting (XSS).
This concerning trend is further substantiated by research from Fastly, indicating that APIs have become a favored gateway for cybercriminals executing account takeover attacks.
According to the study’s findings, 95% of respondents reported experiencing API security issues within the past year alone. Moreover, a significant 84% of respondents admitted to lacking advanced API security measures, while 79% admitted to delaying the rollout or integration of new applications because of API security concerns stemming from “insufficient budget” and a “lack of expertise.”
The challenge lies in the stark disparity between acknowledging the critical importance of API security and effectively translating this awareness into actionable measures. Despite the rapid evolution of the digital landscape, efforts to mitigate the risks associated with APIs frequently appear to fall behind, providing fertile ground for cyberthreats to thrive.
The narrative underscores a pivotal mandate for organizations to reassess their approach to API security. It calls for a concerted effort to bridge the gap between awareness and action, with a focus on allocating adequate resources and fostering expertise in safeguarding APIs against emerging threats.