There’s a big blind spot in your API security posture if you’re only focused on protecting your public-facing APIs. Find out why in our latest API ThreatStats™ report infographic.
According to a Mar-2022 API survey by Gartner, 98% of organizations use or are planning to use internal APIs – up from 88% in 2019. And 90% of organizations use or are planning to use private APIs provided by partners – up from 68% in 2019.
Obviously, there’s a big blind spot in your API security posture if you’re only focused on protecting your public-facing APIs. This is backed up by our latest findings, which you can find in the Q1-2023 API ThreatStats™ report infographic.
An initial analysis of the API vulnerabilities publicly released in Q1-2023 suggests a continued slow rise in their number, while average severity remains in the High range. But, as we have seen in previous reports, it is what lies beneath the surface that will bite you.
Key Takeaways
As always, digging deeper into the data provides us with a better view of where these API vulnerabilities will impact defenders and builders alike.
Protect Your Private APIs
Defending your internal infrastructure continues to be job #1.
Q1-2023 saw a big rise in security vulnerabilities found in key components of internal processes, such as in SAP NetWeaver AS for Java (CVE-2023-0017) and NVIDIA’s graphics cards (CVE-2022-42279). In all, our top-10 Most Impactful API vulnerabilities all fell into the internal infrastructure categories: Dev Tools, Enterprise HW / SW, and Cloud Platforms. The products impacted include names such as GitLab, Kubernetes, and HashiCorp.
Find the complete list in the Q1-2023 API ThreatStats™ report infographic.
This is not to throw shade on these companies. Rather, these vulnerabilities highlight the urgent need for tech-driven companies to prioritize securing their private APIs to protect valuable data and maintain business continuity.
Protect Against Injection Vulnerabilities
In short, injection vulnerabilities are your Achilles’ heel. No matter how you count them, a large share of all API vulnerabilities cataloged in Q1-2023 fell into this bucket.
On one hand, 29.4% of all API vulnerabilities were classified in the OWASP API Security Top-10 API8:2019 (Injection) category. This is the first time in our reporting that Injection has dipped below another category.
On the other hand, 45.3% of all API vulnerabilities were linked to a CWE which falls in the Injection bucket, including CWE-79 (XSS) at 10.1% overall, CWE-89 (SQLi) at 7.4% overall, and CWE-863 (GraphQL Mutation) at 6.6% overall. Combined, these accounted for 53% of all injection vulnerabilities assessed.
Protect Against Exploits
Last quarter we saw the time-to-exploit (the gap between when an API vulnerability, i.e. a CVE, is published and when an associated exploit proof of concept, or POC, is published) average -3 days. A negative value means that, on average, the POC was public before the CVE itself was.
In Q1-2023, this gap reverted to favor defenders again, with the time-to-exploit gap averaging +11 days. In addition, we saw a big drop in the number of exploit POCs being published – from 65 (or about 30% of all vulns) last quarter to 24 this quarter (or about 10% of all vulns).
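To make the time-to-exploit metric concrete, here is an added example (not code from the report or from Wallarm) that computes it over a handful of constructed records. The record identifiers, dates and the `ApiVuln` dataclass are assumptions for illustration only; the example shows how a negative gap (POC before CVE) and the share of vulnerabilities with a public POC fall out of the same data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Dict


@dataclass
class ApiVuln:
    """One tracked API vulnerability (hypothetical record shape, not the report's schema)."""
    vuln_id: str
    published: date                      # date the CVE record was published
    poc_published: Optional[date] = None  # date the first public exploit POC appeared, if any


def time_to_exploit_days(v: ApiVuln) -> Optional[int]:
    """Days from CVE publication to POC publication.

    Negative means the POC was public before the CVE; None means no POC is known.
    """
    if v.poc_published is None:
        return None
    return (v.poc_published - v.published).days


def summarize(vulns: List[ApiVuln]) -> Dict[str, object]:
    """Aggregate the metrics the report quotes: mean gap, POC share, POC-before-CVE count."""
    gaps = [g for g in (time_to_exploit_days(v) for v in vulns) if g is not None]
    n_total = len(vulns)
    n_poc = len(gaps)
    return {
        "total": n_total,
        "with_poc": n_poc,
        # share of all vulns that have a public POC (e.g. the report's "about 10% of all vulns")
        "poc_share": (n_poc / n_total) if n_total else 0.0,
        # mean is taken only over vulns that actually have a POC
        "mean_gap_days": (sum(gaps) / n_poc) if n_poc else None,
        # count of vulns whose POC preceded the CVE (the "-3 days" situation)
        "poc_before_cve": sum(1 for g in gaps if g < 0),
    }


# Constructed sample data; identifiers and dates are invented for the example.
SAMPLE: List[ApiVuln] = [
    ApiVuln("EXAMPLE-1", date(2023, 1, 10), date(2023, 1, 5)),   # POC 5 days before CVE
    ApiVuln("EXAMPLE-2", date(2023, 2, 1), date(2023, 2, 15)),   # POC 14 days after CVE
    ApiVuln("EXAMPLE-3", date(2023, 2, 20), date(2023, 3, 10)),  # POC 18 days after CVE
    ApiVuln("EXAMPLE-4", date(2023, 3, 1)),                      # no public POC
    ApiVuln("EXAMPLE-5", date(2023, 3, 15)),                     # no public POC
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Note that the mean gap is taken only over vulnerabilities with a known POC, so a quarter with few POCs can show a comfortable positive average while a single early POC still hides in the `poc_before_cve` count; that is why the report tracks both numbers.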
All this is good news, to be sure. But there are a couple of reasons to be cautious:
It’s too early to call a trend here, and we’ll continue monitoring to see if one can be discerned.