Breakdown of HackerOne 2022 Security report: What it means for API security?

It’s year end and we have some awesome 2022 API security insights for you! Hackerone last week released its security report for 2022, highlighting some notable security industry trends. In this blog, we will share with you what this report means for API security.

APIs - The second most popular attack vector after websites

Hackers spent 45% of their time attacking APIs. What does it mean for security teams? You have 10+ attack surfaces you are trying to protect and only a few folks in your security team. How do you prioritize? The chart below by Hackerone will help you prioritize right away! APIs make the second biggest attack vector. So, if you focus your efforts on securing APIs, you will have close to 45% of your attack surface already covered.

40% attack resistance gap

According to the chart below, the attack resistance gap (the gap between what organizations are able to protect and what they need to protect) for organizations in 2022 was 40% of the actual attack surface. The main factors contributing to the gap are incomplete knowledge of digital assets, insufficient testing and a shortage of the right skills.

What does it mean for organizations trying to protect APIs? 40% of your API attack surface remains unprotected for the following reasons:

  1. Incomplete knowledge of APIs
  2. Insufficient API testing

Not running enough API tests

32% of hackers say they don’t think organizations are running enough security tests. What does it mean for organizations trying to protect APIs? To secure your APIs, it’s vital that your developers and security teams cover all of them with continuous security testing. The best and fastest way to solve this problem is to implement an automated API security testing tool such as Akto.

Hackers specialize in recon

Hackers are experts at performing reconnaissance on an attack surface: they can discover and collect information about their targets faster than most defenders. What does it mean for organizations trying to protect APIs? To secure your APIs, you want to at least match hackers’ recon skills. You should have complete, real-time information about your APIs, hidden APIs, sensitive APIs, their request and response parameters, any changes, and so on. You should know which APIs carry sensitive PII and are at risk. The most secure organizations are great at performing reconnaissance on their own API attack surface. They do so by using an automated tool such as Akto, which helps them build a real-time, continuous API inventory with all request and response parameters and prioritize their most vulnerable APIs for testing.

Improper authorization bounties rose by 75%

Hackerone in the chart below listed the top 10 vulnerabilities ranked by bounty payouts. And guess what: improper authorization bounties rose by 75% this year. Not just that, authentication and authorization related issues account for 5 of the top 10 vulnerabilities in this chart (namely Improper Access Control, IDOR, Privilege Escalation, Improper Authentication and Improper Authorization). What does it mean for organizations trying to secure APIs? Not only is authorization the most critical vulnerability for you to prioritize, but if you solve it, you will have addressed 50% of the top 10 vulnerabilities reported by Hackerone. You can learn about one of the tests here.
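The improper-authorization class above (IDOR, Improper Access Control) usually comes down to a missing object-level check on the server. The following is an added example, not code from the HackerOne report or from Akto: a constructed invoice lookup with the vulnerable handler beside its fixed form. The `support` role and the sample data are assumptions made for the demo.

```python
# Added example (not from the HackerOne report or Akto): a minimal API-style
# handler showing an IDOR / improper-authorization bug next to its fix.
# Identities, roles and records below are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    user_id: int          # identity taken from the server-side session
    roles: frozenset      # e.g. frozenset({"support"}) (assumed role name)


# Constructed sample data: invoice id -> (owner user id, amount)
INVOICES = {
    1001: (7, "42.00"),
    1002: (8, "199.99"),
}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(caller: Caller, invoice_id: int) -> tuple:
    """Authenticated but not authorized: any logged-in user can read any
    invoice just by supplying its id. This is the IDOR pattern."""
    return INVOICES[invoice_id]


def get_invoice_fixed(caller: Caller, invoice_id: int) -> tuple:
    """Object-level authorization: ownership (or an explicitly permitted
    role) is checked on every access, against the session identity."""
    record = INVOICES.get(invoice_id)
    owner_id = record[0] if record else None
    allowed = record is not None and (
        owner_id == caller.user_id or "support" in caller.roles
    )
    if not allowed:
        # Same response for "missing" and "not yours" so the id space
        # cannot be enumerated through differing error messages.
        raise Forbidden(f"invoice {invoice_id} not accessible")
    return record


def can_read(handler, caller: Caller, invoice_id: int) -> bool:
    """Regression-test helper: does this caller get the record back?"""
    try:
        handler(caller, invoice_id)
        return True
    except (Forbidden, KeyError):
        return False
```

A regression test that asserts a stranger cannot read another user's record through every object-returning endpoint is the cheapest way to keep this class of bug out of an API.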

What a year 2022 has been for the security world! Stay tuned for some interesting trends in API security coming up in Akto blogs.
