
AppSec predictions 2021: Attackers increasingly pivot to APIs
This is the second in a three-part series of AppSec predictions for 2021. You can read the complete series here.
Every year(ish), I publish our AppSec predictions about three of the threats that look to be the biggest problems in the upcoming year. In the past two years, the predictions were: credential stuffing/account takeover attacks, API attacks, and supply chain attacks. This year our predictions are informed by our augmented Threat Intelligence Service, which is a part of Barracuda Advanced Bot Protection. In short, we have significantly more data informing our conclusions.
Attackers increasingly pivot to APIs from web applications
Most apps are built API-first these days. Building them this way speeds up development, so releases ship much faster. It also enables newer forms of applications such as Single Page Applications, which run in mobile browsers and behave like native mobile apps without requiring an install.
“By 2021, at least one-third of enterprises will have deployed a multi-experience development platform to support mobile, web, conversational and augmented reality development.”
Gartner’s API Strategy Maturity Model, Oct 2019

What makes APIs even more dangerous is that they expose a lot of sensitive information directly. A banking API may return a customer's social security number, national identification number or date of birth, and an improperly protected API lets an attacker pull those values out in bulk rather than one account at a time.
“APIs Are The New Storefront, But Security Hasn’t Kept Pace.”
Forrester’s API Insecurity: The Lurking Threat In Your Software, Oct. 2020
As Forrester rightly puts it, APIs are here, but security has not kept pace. This is true of most emerging technologies. With APIs we see some repeating patterns: missing rate limiting, missing access control and authorization checks, missing role-based controls and, most important of all, test or pre-production APIs left exposed on the public internet. These have led to a number of high-profile data breaches in the recent past, such as those at Airtel and Just Dial.
Rise of the OWASP API Top 10
API attacks are now seen as dangerous enough that there is an OWASP Top 10 for APIs. The OWASP API Top 10 includes some familiar entries from the web application lists over the years. Old attacks are new again, and in some cases we do not seem to have learned from the past. Rate limiting is a big one, and you see it being a problem across the board. For example, a T-Mobile/Apple API for onboarding new phones two years ago was not rate-limited: you could make any number of attempts to guess the PIN for a given user.
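What a missing limit means in practice, as an added example (not code from the original post or from either vendor): a 4-digit PIN endpoint written in Python, first with no failure budget and then with a per-account failure counter and lockout. The account store, the limits and the function names are assumed for illustration.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample account store: account id -> 4-digit PIN.
# A real service would store a salted hash, not the PIN itself.
ACCOUNTS = {"acct-1001": "4921"}


@dataclass
class AttemptState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent wrong guesses
    locked_until: float = 0.0


class PinVerifier:
    """PIN check with a per-account failure budget and lockout.

    max_attempts wrong guesses inside window_seconds lock the account for
    lockout_seconds.  The clock is injectable so the behaviour can be tested
    without sleeping.
    """

    def __init__(self, accounts: Dict[str, str], max_attempts: int = 5,
                 window_seconds: int = 900, lockout_seconds: int = 3600,
                 clock: Callable[[], float] = time.time):
        self.accounts = accounts
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.state: Dict[str, AttemptState] = {}

    def verify(self, account_id: str, pin: str) -> str:
        """Return 'ok', 'wrong_pin' or 'locked'.  Unknown accounts get the same
        answers as known ones so the endpoint does not enumerate users."""
        now = self.clock()
        st = self.state.setdefault(account_id, AttemptState())
        if now < st.locked_until:
            return "locked"
        # Forget failures that have aged out of the window.
        st.failures = [t for t in st.failures if now - t < self.window_seconds]
        expected = self.accounts.get(account_id, "")
        # Constant-time comparison so response timing does not leak the PIN.
        if expected and hmac.compare_digest(expected, pin):
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            st.failures.clear()
        return "wrong_pin"


def brute_force(verifier: PinVerifier, account_id: str) -> dict:
    """The attack the page describes: walk every 4-digit PIN in order.
    Returns how many guesses the endpoint actually evaluated and whether the
    PIN was recovered."""
    evaluated = 0
    for guess in range(10000):
        result = verifier.verify(account_id, f"{guess:04d}")
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return {"evaluated": evaluated, "found": True}
    return {"evaluated": evaluated, "found": False}


if __name__ == "__main__":
    # Unlimited endpoint: the PIN falls after a few thousand guesses.
    print(brute_force(PinVerifier(ACCOUNTS, max_attempts=10**9), "acct-1001"))
    # Rate-limited endpoint: five wrong guesses and the account locks.
    print(brute_force(PinVerifier(ACCOUNTS), "acct-1001"))
```

The budget is kept per account rather than per source address, because the attack needs only one target and can be spread across many addresses. In a real deployment the counters would live in a shared store rather than in process memory, and a spike in simultaneous lockouts across many accounts is itself worth an alert, since that is what a distributed guessing campaign looks like.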
You also have injection attacks like SQL injection, which have sat near the top of the web lists for a very long time and continue to plague API-based applications. The first entry on the API list, Broken Object Level Authorization (BOLA), caused a big problem when Shopify exposed an API a few years ago without proper authorization controls. The API did not check whether the caller was permitted to access revenue data for a given shop hosted on the platform, and it ended up exposing the data of a lot of shops publicly.
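The Shopify-style failure above, reconstructed as an added example in Python (not the platform's code; the shop records, the staff role and the handler names are assumed): a revenue endpoint that only authenticates the caller, beside one that also checks the caller's relationship to the requested object, and the enumeration that tells the two apart.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Constructed sample data standing in for the platform's shop records:
# shop id -> owner account and the revenue figure the endpoint returns.
SHOPS: Dict[str, dict] = {
    "shop-100": {"owner": "alice", "revenue": 125000},
    "shop-200": {"owner": "bob", "revenue": 87000},
}
# Constructed staff roles (the role-based control the page also mentions).
ROLES: Dict[str, Set[str]] = {"carol": {"support"}}


class NotFound(Exception):
    """Rendered as HTTP 404 by the (hypothetical) framework layer."""


@dataclass
class Request:
    user: str      # caller identity, already established from a valid session or token
    shop_id: str   # object id taken straight from the URL, e.g. GET /shops/<shop_id>/revenue


def revenue_vulnerable(req: Request) -> int:
    """BOLA: the caller is authenticated, but nothing checks that this caller
    may read *this* shop, so any valid account can read every shop."""
    shop = SHOPS.get(req.shop_id)
    if shop is None:
        raise NotFound(req.shop_id)
    return shop["revenue"]


def can_read_shop(user: str, shop_id: str) -> bool:
    """Object-level authorization: the shop's owner, or staff with the support role."""
    shop = SHOPS.get(shop_id)
    if shop is None:
        return False
    return shop["owner"] == user or "support" in ROLES.get(user, set())


def revenue_fixed(req: Request) -> int:
    shop = SHOPS.get(req.shop_id)
    if shop is None or not can_read_shop(req.user, req.shop_id):
        # Same response for "no such shop" and "not your shop", so the endpoint
        # does not double as an oracle for which ids exist.
        raise NotFound(req.shop_id)
    return shop["revenue"]


def enumerate_shops(handler: Callable[[Request], int], user: str) -> Dict[str, int]:
    """The attack: one low-privilege account walks sequential shop ids and
    collects every revenue figure the handler hands back."""
    leaked: Dict[str, int] = {}
    for n in range(100, 201):
        shop_id = f"shop-{n}"
        try:
            leaked[shop_id] = handler(Request(user=user, shop_id=shop_id))
        except NotFound:
            continue
    return leaked


if __name__ == "__main__":
    print("vulnerable, as bob:", enumerate_shops(revenue_vulnerable, "bob"))
    print("fixed, as bob:     ", enumerate_shops(revenue_fixed, "bob"))
    print("fixed, as support: ", enumerate_shops(revenue_fixed, "carol"))
```

The fix is not a framework setting: authentication tells you who is calling, and only a check tied to the specific object tells you whether that caller may see it. Sequential, guessable ids make the enumeration trivial, but random ids are not a substitute for the check, only a speed bump.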
That said, it is a very good thing that we now have the OWASP API Top 10 because it provides developers with a frame of reference against which to secure their APIs.
"APIs may get blamed when really it’s the app, infrastructure, or user at fault."
Forrester’s API Insecurity: The Lurking Threat In Your Software, Oct. 2020
This is particularly true with APIs. Developers end up exposing things like API keys in public GitHub repositories and then have a surprised Pikachu face when those keys are used against the API.
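One check that catches the leaked-key case before it reaches a public repository, as an added example (not from the original post): a small pre-commit style scanner in Python that looks for vendor key formats with a fixed prefix and, as a fallback, for secret-looking assignments whose value has high entropy. The sample repository contents are constructed; the AKIA.../wJalr... pair is the placeholder pair from AWS's own documentation and every other value is made up.

```python
import math
import re
from typing import Dict, List

# Constructed sample repository (path -> contents).  All values are made up;
# the AKIA... / wJalr... pair is the placeholder pair from AWS's own docs.
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        'STRIPE_API_KEY = "sk_live_EXAMPLEexampleEXAMPLE123"\n'
    ),
    "deploy/env.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": "Set API_KEY in your environment before running.\n",
    "tests/fixtures.py": 'api_key = "placeholder"\n',
}

# Vendor key formats with a fixed, recognisable prefix: cheap and precise.
KNOWN_FORMATS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe-secret-key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b")),
]
# Fallback: a secret-looking variable name assigned a long value.
GENERIC = re.compile(
    r"(?i)(?:key|secret|token|password|passwd)\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+_\-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; prose and placeholders sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    n = len(s)
    counts: Dict[str, int] = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan_text(path: str, text: str) -> List[dict]:
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = None
        for rule, pattern in KNOWN_FORMATS:
            m = pattern.search(line)
            if m:
                hit = (rule, m.group(0))
                break
        if hit is None:
            m = GENERIC.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                hit = ("generic-high-entropy", m.group(1))
        if hit:
            rule, secret = hit
            # Never echo the full secret back into logs or CI output.
            findings.append({"path": path, "line": lineno, "rule": rule,
                             "preview": secret[:4] + "..."})
    return findings


def scan_repo(repo: Dict[str, str]) -> List[dict]:
    """Scan every file; a non-empty result should fail the commit or the CI job."""
    findings: List[dict] = []
    for path in sorted(repo):
        findings.extend(scan_text(path, repo[path]))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['preview']})")
```

Wired into a pre-commit hook, any finding blocks the commit. If a key has already been pushed, removing it from the working tree is not enough, since it stays in the history: rotate the key first and treat it as compromised.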
Expect to see many high-profile API breaches (like the recent Parler iOS app breach before the shutdown) this year.
Come back next week for part three in this series. For more on application security, join our experts for an informative panel discussion about current cybersecurity trends, web application security, 2021 technology predictions, and a lot more. This webinar is free and available on-demand.