In 2022, the Wallarm Threat Research team went through almost 350,000 reports to find 650 API-specific vulnerabilities, and tracked 115 published exploits impacting these vulnerabilities – all of which could negatively impact your business risk posture.

The 2022 Year-End API ThreatStats™ Report presents the analysis and discussion of 2022 API vulnerability, exploit and (new, for this report) attack data. We also offer some predictions to help improve your API security in 2023.

According to John Grady at ESG, the no. 1 challenge facing organizations which are increasingly reliant on APIs is keeping pace with API-targeted threats. We present this report in hopes it will help AppSec and DevOps teams overcome that challenge.

In our 2022 year-end assessment of API vulnerabilities, exploits and attacks, we focus on emerging trends which we believe will impact API defenders in 2023. Of particular importance are:

  • The API threat landscape is growing ever more dangerous, not only because of the volume and potential impact of the API-specific vulnerabilities, but also because of the increased volume of attacks and, perhaps most importantly, the foreshortened timeline to protect against exploits in the wild.
  • You cannot rely on OWASP alone to triage your API vulnerabilities in production, given the dominance of the “down rank” Injection (API8:2019) category, the slew of variants contained in that Injection category, and the near irrelevance of several categories.
  • Focus on open-source software (OSS) in your API portfolio – be it public-facing or for internal use – because the trend in vulnerabilities found in OSS products means they are the predominant threat in your environment.

Read the full report to see all the data and full analysis.

But let’s spend a moment in this post to dive into the “foreshortened timeline to protect against exploits.” As we have done since Q2-2022, we examine the time-to-exploit – that is, the time between when a CVE is published and an exploit proof-of-concept (POC) taking advantage of that CVE is published. [We did not collect this data in Q1.]

We created a simple box-and-whisker plot (below) – depicting each quarter’s range (min./max), quartiles and averages – to better visualize the 2022 data. [Note we’ve omitted the medians for clarity.] What we see is a definite trend in average time-to-exploit – from 58 days in Q2 to four (4) days in Q3 to negative three (-3) days in Q4. This trend (roughly estimated by the red arrow) definitely does not bode well for defenders.

Bar-and-Whisker chart showing the range (min / max), 1st & 3rd quartiles, and average time-to-exploit data for Q2-2022, Q3-2022, Q4-2022, and for the entire year.

Given the nature of this data collection effort (from the vagaries of the CVE process to the unknown exploit POCs floating out there), it’s too difficult say definitively that this trend will continue in 2023 – but seems fair to say that unless there’s a sharp turn-around, 2023 will be a tough year for defenders.

The full report delves into this and several other areas in much greater detail. We also invite you to listen to our 2022 Year-End API ThreatStats™ Report webinar on-demand in which Ivan goes into greater detail on some of the most impactful API vulnerabilities seen in 2022.

You can also access the previous reports for a deeper dive into each quarter’s data and analysis:

All this impacts everyone working in the API ecosystem – whether developing APIs for customer use, leveraging them to support critical business purposes, or both – and it’s important to work with a partner who can explain what these trends really mean and how to mitigate the associated risks and impacts.

To learn how we can help you: