The latest quarterly review and analysis of API vulnerabilities and exploits is in. Our initial take had us thinking it was smooth sailing for the state of API vulnerabilities in Q3—or was it just a lull in the storm?
As it turns out, it’s neither.
Read on to learn more about Wallarm’s analysis of API vulnerabilities in Q3-2022—and be sure to attend our upcoming webinar on Thursday, November 10 at 11 AM PT where we’ll present all our findings. Register Now to reserve your seat!
At first blush, this quarter’s data appear to be a story about API vulnerabilities leveling off: the number of API vulnerabilities and impacted vendors – metrics that saw huge jumps in the Q2 API Vulnerability Report – were basically unchanged during Q3. This combined with virtually unchanged CVSS scores (both average and % in the critical or high range) had Q3 looking like a nothingburger.
But digging deeper into the data revealed that these still waters run deep.
- Infrastructure. A vast majority of the most impactful vulnerabilities analyzed in Q3 impacted DevOps tools and infrastructure – which means the build and deployment pipeline deserves a larger share of your security focus than it has traditionally received.
- Injections. While the OWASP Top-10 Injection categories (A03:2021 for web apps and API8:2019 for APIs) top the charts at over 33% of all CVEs analyzed, further inspection reveals many, many variations that undoubtedly will require extra effort to remediate.
- Exploits. A surprising finding was that the average gap between CVE and exploit POC publication was zero days! This will greatly impact your mitigation timeline.
All these findings will have significant implications on your organization’s API security program.
As per usual, we analyzed the data to look for trends and insights from a variety of perspectives, including software type, vendor, CVSS scores, CWEs and both OWASP Top-10 (2021) for web apps and OWASP API Security Top-10 (2019). We also dug deeply into publicly disclosed exploit PoCs to extract payloads and validate if any threats have moved from a theoretical to an actual risk.
So how did we reach these conclusions? Here’s a brief look at the analysis path:
- API risks remain high, both in terms of total CVEs and CVSS scores. As we drilled into this, we determined that nearly all of the 2022 CWE Top 25 Most Dangerous Software Weaknesses list from MITRE / CISA are included, and that injections are the top threat vector. Another double-click and we discover that these injection weaknesses cover a large number of CWEs – each of which will require different root-cause analysis and remediation.
- The composition of vulnerable products was more fully investigated. In our research, we quickly found that the products impacted are about 2/3 Open Source vs. 1/3 commercial and that vulnerabilities follow the same pattern. An even closer look reveals that a significant share of the products impacted are development infrastructure – which, if breached, could have a very large blast radius because a single compromised build or deployment tool can reach every application that passes through it.
- Finally, we looked at published exploit POCs and found the number had dropped significantly from 61 to 30 (or 33% and 15% of all CVEs analyzed, respectively). However, looking more closely we learned that over 50% of these exploit POCs had been published on or before the CVE release date, resulting in an average time-to-exploit of zero (0) days – ouch!
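To make the time-to-exploit metric concrete, here is an added example (not code from the Wallarm report, and run on a constructed sample rather than the report's data) that computes the gap in days between a CVE's publication date and its earliest public exploit PoC, then aggregates the way the bullets above describe: the share of PoCs published on or before disclosure, the mean, and the median. The entry labels and dates are invented for illustration. It also reports the mean gap for the subset of PoCs that arrived after disclosure, because a mean of zero can hide a mix of negative gaps (PoC leaked before the CVE) and positive ones (days of exposure you actually had to patch in), and a planner should look at that split rather than the average alone.

```python
"""Time-to-exploit analysis over a constructed CVE/PoC date sample.

Added example; not from the report. Entry labels and dates are hypothetical.
"""
from datetime import date
from statistics import mean, median

# Constructed sample: (label, cve_published, poc_published). Not real CVEs.
SAMPLE = [
    ("entry-01", date(2022, 7, 5), date(2022, 6, 25)),   # PoC 10 days before CVE
    ("entry-02", date(2022, 7, 12), date(2022, 7, 9)),   # PoC 3 days before CVE
    ("entry-03", date(2022, 7, 20), date(2022, 7, 20)),  # same day
    ("entry-04", date(2022, 8, 2), date(2022, 8, 2)),    # same day
    ("entry-05", date(2022, 8, 15), date(2022, 8, 15)),  # same day
    ("entry-06", date(2022, 8, 30), date(2022, 9, 3)),   # PoC 4 days after CVE
    ("entry-07", date(2022, 9, 10), date(2022, 9, 16)),  # PoC 6 days after CVE
    ("entry-08", date(2022, 9, 20), date(2022, 9, 23)),  # PoC 3 days after CVE
]


def time_to_exploit_days(cve_published: date, poc_published: date) -> int:
    """Days from CVE publication to PoC publication.

    Negative or zero means the PoC was public on or before disclosure, i.e.
    defenders had no head start at all.
    """
    return (poc_published - cve_published).days


def summarize(records):
    """Aggregate a list of (label, cve_date, poc_date) into the report's metrics."""
    gaps = [time_to_exploit_days(cve, poc) for _, cve, poc in records]
    if not gaps:
        raise ValueError("no records to summarize")

    at_or_before = [g for g in gaps if g <= 0]
    after = [g for g in gaps if g > 0]

    return {
        "count": len(gaps),
        "published_at_or_before_disclosure": len(at_or_before),
        "share_at_or_before_disclosure": len(at_or_before) / len(gaps),
        # Overall mean: negative gaps offset positive ones, so this can be 0
        # even when several PoCs landed days after disclosure.
        "mean_days": float(mean(gaps)),
        "median_days": float(median(gaps)),
        # Mean exposure window for the PoCs that did come after the CVE;
        # this is the number a patching SLA should actually be measured against.
        "mean_days_after_disclosure": float(mean(after)) if after else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On this sample five of eight PoCs are out on or before disclosure, the mean and median gaps are both zero, yet the three PoCs that came later gave defenders only about four days on average. When you run this over your own feed, treat the "after disclosure" mean as the realistic patch window and the "at or before" share as the fraction of cases where detection and virtual patching, not vendor fixes, are the only first response.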
For more highlights from the final report, look at our Q3-2022 API ThreatStats™ Report infographic. We hope you find it interesting and useful, and that it helps you improve your API vulnerability management and security posture.
To learn more, we invite you to attend our upcoming webinar on Thursday, November 10th. In this live-stream event, Ivan Novikov, CEO & co-founder of Wallarm and noted security researcher, will take a deep look at the Q3 API vulnerability and exploit data, and discuss the implications for your organizational risk and your cyberdefenses. And of course, he’ll be answering your questions along the way!