According to a Mar-2022 API survey by Gartner, 98% of organizations use or are planning to use internal APIs – up from 88% in 2019. And 90% of organizations use or are planning to use private APIs provided by partners – up from 68% in 2019.
Obviously, there’s a big blind spot in your API security posture if you’re only focused on protecting your public-facing APIs. This is backed up by our latest findings, which you can find in the Q1-2023 API ThreatStats™ report infographic.
The initial analysis of the API vulnerabilities publicly released in Q1-2023 suggests a continued slow rise in their number, while the severity remains in the High range. But as we’ve seen in previous reports, what’s hidden beneath the surface is what will bite you. Let’s walk through our latest findings.
Expanding API Vulnerabilities
Let’s start with results from the top-line analysis:
Another basic breakdown which might impact your API estate is Commercial vs. Open-Source Software (OSS) products. In Q1-2023 we see a continuation of the 2022 trend – OSS products continue to dominate the field at 78% of all API vulnerabilities analyzed, a huge jump over the 67% seen in Q4-2022. It’s tempting to extrapolate this trend to forecast when *all* API vulns will be found in OSS products, but that would be foolish in the extreme.
Key Takeaways
As always, digging deeper into the data provides us with a better view of where these API vulnerabilities will impact defenders and builders alike.
Protect Your Private APIs
Defending your internal infrastructure continues to be job #1.
Q1-2023 saw a big rise in security vulnerabilities found in key components of internal processes, such as in SAP NetWeaver AS for Java (CVE-2023-0017) and NVIDIA’s graphics cards (CVE-2022-42279). In all, our top-10 Most Impactful API vulnerabilities all fell in the internal infrastructure categories – Dev Tools, Enterprise HW / SW, and Cloud Platforms. And the products impacted include names such as GitLab, Kubernetes, and HashiCorp.
Find the complete list in the Q1-2023 API ThreatStats™ report infographic.
This is not to throw shade on these companies. Rather, these vulnerabilities highlight the urgent need for tech-driven companies to prioritize securing their private APIs to protect valuable data and maintain business continuity.
Protect Against Injection Vulnerabilities
In short, injection vulnerabilities are your Achilles Heel. No matter how you count them, a huge number of all API vulnerabilities cataloged in Q1-2023 fell into this bucket.
On one hand, 29.4% of all API vulnerabilities were classified in the OWASP APIsec Top-10 API8:2019 (Injection) category – which saw it dip below another category for the first time.
On the other hand, 45.3% of all API vulnerabilities were linked to a CWE which falls in the Injection bucket, including CWE-79 (XSS) at 10.1% overall, CWE-89 (SQLi) at 7.4% overall, and CWE-863 (GraphQL Mutation) at 6.6% overall. Combined, these accounted for 53% of all injection vulnerabilities assessed.
Find the complete list in the Q1-2023 API ThreatStats™ report infographic.
Protect Against Exploits
Last quarter we saw that the time-to-exploit – the gap between when an API vulnerability (CVE) is published and when an associated exploit proof of concept (POC) is published – averaged -3 days, meaning that on average the POC appeared before the CVE itself!
In Q1-2023, this gap reverted to favor defenders again, with the time-to-exploit gap averaging +11 days. In addition, we saw a big drop in the number of exploit POCs being published – from 65 (or about 30% of all vulns) last quarter to 24 this quarter (or about 10% of all vulns).
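To make the time-to-exploit metric concrete, here is an added example (not from the report or from Wallarm’s own tooling) that computes it over a constructed set of records and flags the negative gaps where a POC preceded the CVE; the record layout and the CVE-EXAMPLE-* identifiers are assumptions.

```python
from datetime import date
from statistics import mean

# Constructed sample records, not data from the report:
# (cve_id, cve_published, poc_published or None when no public POC exists)
SAMPLE = [
    ("CVE-EXAMPLE-0001", date(2023, 1, 10), date(2023, 1, 24)),  # +14 days
    ("CVE-EXAMPLE-0002", date(2023, 1, 15), date(2023, 1, 12)),  # -3 days: POC before CVE
    ("CVE-EXAMPLE-0003", date(2023, 2, 1), None),                # no public POC
    ("CVE-EXAMPLE-0004", date(2023, 2, 20), date(2023, 2, 20)),  # same-day POC
    ("CVE-EXAMPLE-0005", date(2023, 3, 5), date(2023, 4, 29)),   # +55 days
]


def time_to_exploit_days(cve_published, poc_published):
    """Days from CVE publication to POC publication; negative means the POC came first."""
    return (poc_published - cve_published).days


def summarize(records):
    """Aggregate the metric the way the report describes it.

    Only records with a public POC contribute to the mean gap; the share of
    records that have any POC is reported separately, and records whose POC
    predates the CVE are listed so defenders can triage them first.
    """
    gaps = [(cve_id, time_to_exploit_days(cve_pub, poc_pub))
            for cve_id, cve_pub, poc_pub in records if poc_pub is not None]
    return {
        "total": len(records),
        "with_poc": len(gaps),
        "poc_share": round(len(gaps) / len(records), 3) if records else 0.0,
        "mean_gap_days": round(mean(g for _, g in gaps), 1) if gaps else None,
        "poc_before_cve": [cve_id for cve_id, g in gaps if g < 0],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```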
All this is good news, to be sure. But there are a couple of reasons to be cautious:
It’s too early to call a trend here, and we’ll continue monitoring to see if one can be discerned.
OWASP Mapping
In past API ThreatStats™ reports we looked at how the collected API vulnerabilities map across the OWASP Top-10 (2021) for web apps and the OWASP APIsec Top-10 (2019) lists.
To be frank, this exercise has lost most of its impact. By now we all know that there is significant overlap between these two OWASP Top-10 lists, and that Injections dominate the findings.
What *is* interesting this quarter is that for the first time since we started this project, the number of API8:2019 (Injection) vulns has dropped below the historically #2 API1:2019 (BOLA) – as seen in the graphic above.
And we ran an experimental mapping of Q1-2023 API vulnerability data against the proposed OWASP APIsec Top-10 2023RC. It’s unsurprising to see that API10:2023RC (Unsafe Consumption of APIs) overshadows all the other categories, given that it now (somewhat controversially) includes Injection vulns. See the entire breakdown in the Q1-2023 API ThreatStats™ report infographic.
And watch our on-demand webinar to learn more about the proposed OWASP APIsec Top-10 2023RC and how it will impact your API vulnerability management program.
Putting Real-World API Vulnerability Data to Work for You
While the Q1-2023 API vulnerabilities continued the slow & steady growth seen throughout most of 2022, our deeper analysis reveals these key takeaways which have big implications for your API security programs.
Download the Q1-2023 API ThreatStats™ report infographic to get the lowdown on our findings, and stay tuned for the full report coming soon.