API Security Losses Total Billions, But It’s Complicated

US companies face a combined $12 billion to $23 billion in losses in 2022 from compromises linked to Web application programming interfaces (APIs), which have proliferated with the increased adoption of cloud services and DevOps-style development methodologies, according to an analysis of breach data.

In the last decade, API security has grown to become a significant cybersecurity issue. Acknowledging this, the Open Web Security Application Project (OWASP) released a top-10 list of API security issues in 2019, flagging major API weaknesses — such as broken authorization for objects, weak user authentication, and excessive data exposure — as critical issues for software makers and companies that rely on cloud services.

According to the Quantifying the Cost of API Insecurity report out this week, published last week by application-security firm Imperva and risk-strategy firm Marsh McLennan, security issues will only likely grow as APIs continue to become a common pattern for cloud and mobile infrastructure.

“The growing security risks associated with APIs correlates with the proliferation of APIs,” says Lebin Cheng, vice president of API security for Imperva. “The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs.”

Interestingly, the business losses have less to do with API-specific issues, the analysis found. Rather, breach recovery and interruption of operations account for the majority of the cyber-losses. Only a small subset of companies in any country suffered losses directly linked to API vulnerabilities, the report found.

API Losses Vary by Business Segment

The Marsh McLennan data comes from reported breaches, which represents a subset of all businesses. It found that when drilling down into the data, important differences between impact can be drawn out.

For instance, certain kinds of companies (larger firms in IT and professional services, for example) are much more likely to face API-related security incidents than others (smaller companies, say, in the finance sector).

“The $12 billion is not distributed over millions of…