API-driven ransomware attacks

Since December, we’ve seen a 2,204% increase in OT recon drive-bys, a 300% increase in API traffic and a 600% increase in API-driven ransomware attacks.

JumpCloud, following its supply-chain breach two weeks ago, has reset all of its customer API keys, in what it referred to as an “ongoing incident.” The latest disastrous spectacles in Hayward, CA and Wisconsin, and the accumulating debris from the MOVEit strike, now with 347 companies affected, testify to our inability to prevent and protect.

While not all of the reported breaches came through vulnerable APIs, the use of APIs has doubled and tripled in the last two years.

APIs are great for folks who want to make use of the functions and data of other companies, create new revenue models by providing multiple platforms to promote and sell digital services and products, and enable businesses to connect with other services and platforms across industries.

While they can undoubtedly increase the efficiency of overall business operations, the other thing they increase is exposure to threats. By a lot.

API attacks lead to data breaches, DDoS, SQL injection and man-in-the-middle attacks; they spread malware, and broken authentication lets anyone act as a legitimate user. The combination of APIs and ransomware is a dead zone.

The average company has around 85 APIs in production systems. These APIs have never been vetted and rely on dependencies unknown to their developers. In fact, research from NC State University claims that over 100,000 GitHub repos leaked API or cryptographic keys in 2022, and that thousands of new API or cryptographic keys leak via GitHub projects every day.

Aware of the potential threat, we try to wipe out the bad guys through pre-production API security and a focus on identifying security issues during the development phase. But we just aren’t that smart, or that disciplined.

Most API attacks exploit logic flaws that become evident only when the applications enter the runtime phase. It is really hard to reason about how code will behave once it is compiled and deployed, and to catch the vulnerabilities in advance. In spite of this known threat, most companies don’t employ security teams at that point in the development lifecycle. Lacking a last-mile cybersecurity strategy, most companies rely on the API vendor for assurance.

Contributing to this threat landscape is the huge number of abandoned “zombie” APIs that remain reachable as open vulnerabilities, presenting opportunities to attackers.

And finally, the threat is inflated by the sizeable quantity of transient API dependencies about which we have neither visibility nor insight, because we lack a reliable tool and sufficient resources to find them.

Because this threat joins many others in the ‘can’t stop this train now’ category of thinking, we can expect compromised APIs to explode in 2023.

Check your API controls. Can’t, can you? It’s hard to know how messed up you are if you can’t see inside.
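One way to start seeing inside, as an added example that is not from this post or its author: reconcile the routes an API is supposed to expose against what production traffic actually hits. It assumes a constructed one-line access-log format (method, path, status) and a hand-written set of declared routes standing in for an OpenAPI spec or gateway config; undeclared routes that receive traffic are unknown endpoints to investigate, and declared routes that receive none are candidates for the abandoned “zombie” APIs described above.

```python
"""Added example: reconcile declared API routes against observed traffic."""
import re
from collections import Counter

# Constructed sample: routes the spec/gateway says exist (templated ids).
DECLARED_ROUTES = {
    ("GET", "/v1/orders/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/users/{id}"),
    ("DELETE", "/v1/users/{id}"),
}

# Constructed sample access log; hypothetical format is "METHOD PATH STATUS".
SAMPLE_LOG = """\
GET /v1/orders/1001 200
POST /v1/orders 201
GET /v1/orders/1002 200
GET /v2/export/all 200
GET /v1/users/7 200
POST /v0/admin/login 401
GET /v2/export/all 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")
NUMERIC_SEG = re.compile(r"^\d+$")


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric segments to {id}."""
    segs = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if NUMERIC_SEG.match(s) else s for s in segs)


def parse_log(text: str) -> Counter:
    """Count observed (method, normalized path) pairs; malformed lines are skipped."""
    seen = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            seen[(m["method"], normalize_path(m["path"]))] += 1
    return seen


def reconcile(declared, log_text):
    """Return (undeclared routes with hit counts, declared routes with no traffic)."""
    observed = parse_log(log_text)
    undeclared = {r: n for r, n in observed.items() if r not in declared}
    no_traffic = sorted(r for r in declared if r not in observed)
    return undeclared, no_traffic


if __name__ == "__main__":
    undeclared, no_traffic = reconcile(DECLARED_ROUTES, SAMPLE_LOG)
    for (method, path), hits in sorted(undeclared.items()):
        print(f"UNDECLARED {method} {path} ({hits} hits)")
    for method, path in no_traffic:
        print(f"NO-TRAFFIC {method} {path}")
```

In a real deployment the declared set comes from the API spec or gateway configuration and the log text from the access logs of the edge, which is the point: the check only works if you can see both.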

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
