Wallarm 2022 Year-End API ThreatStats™ Report Provides Important Insights for 2023 API Security

SAN FRANCISCO--(BUSINESS WIRE)--Wallarm, the end-to-end API security company, today released its 2022 Year-End API ThreatStats™ Report, providing in-depth analysis into published API vulnerabilities, exploits, and attack data for the year.

‍

After combing through 350,000 reports to find 650 API-specific vulnerabilities from 337 different vendors and tracking 115 published exploits impacting these vulnerabilities, the results clearly illustrate that the API threat landscape is becoming more dangerous. The Wallarm Research Team came to this conclusion based on the 2022 data, and specifically these three trends:

• Attack Growth. In 2022 there was a huge increase in attacks against Wallarm’s customers’ APIs, which ballooned over 197% from H1 to H2. As API-related breaches influence today’s headlines, it’s clear that this trend is extrapolating beyond Wallarm customers and will continue to grow in 2023.
• CVE Growth. In 2022 there was a significant increase in API-related CVEs, growing +78% from H1 to H2. Although growth has stabilized over the past two quarters, the research team expects an increase in 2023.
• Worsening Time-to-Exploit. Since tracking this metric in Q2 2022, the research team has seen a continued decline in the average time between when a CVE is published and when the related exploit POC is published – from 58 days (Q2) to four (4) days (Q3) to negative three (-3) days (Q4). Additionally, the average zero-day exploit found in Q4 was released more than two months before the CVE was published.

“It's obvious from recent news about mega breaches involving APIs, such as Optus and T-Mobile, that the API threat landscape is becoming more dangerous,” said Ivan Novikov, CEO and co-founder of Wallarm. “In this report, our research team provides API security practitioners and executives with data-driven insights into how to improve their API security posture in 2023. Briefly, we found that API threats tripled in 2022 with exploits available before we even know about the vulnerability, that the current OWASP API Security Top-10 list does not accurately reflect reality where Injections are the primary attack vector, and that open-source software, especially DevOps and cloud-native tools used to build new companies and technologies, is a growing target. Overall, the traditional approaches to protecting your APIs need to adapt to these new realities.”

Based on the research, the research team has concluded that API portfolios will be at greater risk in 2023 as organizations struggle to improve API security, both during the development cycle and in production. The full report also examines the most prevalent types of threat vectors, the most vulnerable types of APIs, and much more. API security and DevOps teams can leverage these data-driven insights to update their remediation policies for 2023.