According to a Mar-2022 API survey by Gartner, 98% of organizations use or are planning to use internal APIs – up from 88% in 2019. And 90% of organizations use or are planning to use private APIs provided by partners – up from 68% in 2019.

Obviously, there’s a big blind spot in your API security posture if you’re only focused on protecting your public-facing APIs. This is backed up by our latest findings, which you can find in the Q1-2023 API ThreatStats™ report infographic.

The initial analysis the API vulnerabilities publicly released in Q1-2023 suggests a continued slow rise in the number, while the severity remains in the High range. But as we’ve seen in previous reports, what’s hidden beneath the surface is that will bite you. Let’s walk through our latest findings.

Expanding API Vulnerabilities

Let’s start with results from the top-line analysis:

  • The number of API vulnerabilities analyzed in Q1-2023 rose to 239 this quarter, up from 213 (+12%) last quarter.
  • The average CVSS score in Q1 fell a bit to 7.2 (High) versus 7.3 (High) in Q4-2022 – but note that the median has held steady at 7.5 (High) in each quarter since we started this effort.
  • We do see a somewhat lower number of Critical & High vulnerabilities (55% vs. 57%), but it’s too early to call this a trend.

Another basic breakdown which might impact your API estate is Commercial vs. Open-Source Software (OSS) products. In Q1-2023 we see a continuation of the 2022 trend – OSS products continue to dominate the field at 78% of all API vulnerabilities analyzed, a huge jump over 67% seen in Q4-2022. It’s tempting to extrapolate this trend to forecast when *all* API vulns will be found in OSS products, but that would be foolish in the extreme.

Key Takeaways

As always, digging deeper into the data provides us with a better view of where these API vulnerabilities will impact defenders and builders alike.

Protect Your Private APIs

Defending your internal infrastructure continues to be job #1.

Q1-2023 saw a big rise in security vulnerabilities found in key components of internal processes, such in SAP NetWeaver AS for Java (CVE-2023-0017) and NVIDIA’s graphics cards (CVE-2022-42279). In all, our top-10 Most Impactful API vulnerabilities all fell in the internal infrastructure categories – Dev Tools, Enterprise HW / SW, and Cloud Platforms. And the products impacted include names such as GitLab, Kubernetes, and HashiCorp.

Find the complete list in the Q1-2023 API ThreatStats™ report infographic.

This is not to throw shade on these companies. Rather, these vulnerabilities highlight the urgent need for tech-driven companies to prioritize securing their private APIs to protect valuable data and maintain business continuity.

Protect Against Injection Vulnerabilities

In short, injection vulnerabilities are your Achilles Heel. No matter how you count them, a huge number of all API vulnerabilities cataloged in Q1-2023 fell into this bucket.

On one hand, 29.4% of all API vulnerabilities were classified in the OWASP APIsec Top-10 API8:2019 (Injection) category – which saw it dip below another category for the first time.

On the other hand, 45.3% of all API vulnerabilities were linked to a CWE which falls in the Injection bucket, including CWE-79 (XSS) at 10.1% overall, CWE-89 (SQLi) at 7.4% overall, and CWE-863 (GraphQL Mutation) at 6.6% overall. Combined, these accounted for 53% of all injection vulnerabilities assessed.

Find the complete list in the Q1-2023 API ThreatStats™ report infographic.

Protect Against Exploits

Last quarter we saw the time-to-exploit – the gap between when an API vulnerability (CVE) is published and an associated exploit proof of concept (POC) is published – averaged -3 days!

In Q1-2023, this gap reverted to favor defenders again, with the time-to-exploit gap averaging +11 days. In addition, we saw a big drop in the number of exploit POCs being published – from 65 (or about 30% of all vulns) last quarter to 24 this quarter (or about 10% of all vulns).

All this is good news, to be sure. But there are a couple of reasons to be cautious:

  • First, the average CVSS score for exploited API vulnerabilities is in the High range (8.9 – 7.0), meaning hackers (no matter their stripes) are not just focused on Critical (9.0 – 10.0) vulnerabilities but are finding less obvious exploits.
  • Second, while this appears to be a case of “reversion to the mean” (the overall average for 2022 was +9 days), we suggest that a) the 2022 data was skewed by our limited data collection in the first half of the year, and b) the Q1-2023 data might be skewed for external reasons such as year-end holidays.

It’s too early to call a trend here, and we’ll continue monitoring to see if one can be discerned.

OWASP Mapping

In past API ThreatStats™ reports we looked at how the collected API vulnerabilities map across the OWASP Top-10 (2021) for web apps and the OWASP APIsec Top-10 (2019) lists.

To be frank, this exercise has lost most of its impact. By now we all know that there is significant overlap between these two OWASP Top-10 lists, and that Injections dominate the findings.

What *is* interesting this quarter is that for the first time since we started this project, the number of API8:2019 (Injection) vulns has dropped below the historically #2 API1:2019 (BOLA) – as seen in the graphic above.

And we ran an experimental mapping of Q1-2023 API vulnerability data against the proposed OWASP APIsec Top-10 2023RC. It’s unsurprising to see that API10:2023RC (Unsafe Consumption of APIs) overshadow all the other categories, given that it now (somewhat controversially) includes Injection vulns. See the entire break-down in the Q1-2023 API ThreatStats™ report infographic.

And watch our on-demand webinar to learn more about the proposed OWASP APIsec Top-10 2023RC and how it will impact your API vulnerability management program.

Putting Real-World API Vulnerability Data to Work for You

While the Q1-2023 API vulnerabilities continued the slow & steady growth seen throughout most of 2022, our deeper analysis reveals these key takeaways which have big implications for your API security programs.

  1. Defending your internal infrastructure from API vulnerabilities continues to be job #1 – you must protect your crown jewels. As we’ve said before, a much wider blast radius is likely if your internal APIs are exploited.
  2. Injection vulnerabilities continue to be the main attack vector for APIs – ignore them at your peril. And as we’ve said before, all the variants seen will require extra attention and remediation effort.
  3. Time-to-Exploit has shifted to the defenders’ favor – but now isn’t the time to relax. Consider the consequences if the sensitive data – including your proprietary IP or your customers’ PII – are pwned from your internal, partner and/or public-facing APIs.

Download the Q1-2023 API ThreatStats™ report infographic to get the low down on our findings, and stay tuned for the full report coming soon.