Breakdown of HackerOne 2022 Security Report: What it means for API security?
In this blog, we have analyzed 2022 security report from HackerOne for APIs.
Ankita Gupta
3 min read
It’s year end and we have some awesome 2022 API security insights for you! Hackerone last week released its security report for 2022 highlighting some amazing security industry trends. In this blog, we will share with you what this report means for API security.
APIs - The second most popular attack vector after websites
Hackers spent 45% of their time attacking APIs. What does it mean for security teams? You have 10+ attack surfaces you are trying to protect and only a few folks in your security team. How do you prioritize? The chart below by Hackerone will help you prioritize right away! APIs make the second biggest attack vector. So, if you focus your efforts on securing APIs, you will have close to 45% of your attack surface already covered.
40% attack resistance gap
According to the chart below, attack resistance gap (the gap between what organizations are able to protect and what they need to protect) for organizations in 2022 was 40% of the actual attack surface. Main factors contributing to the gap are incomplete knowledge of digital assets, insufficient testing and shortage of right skills.
What it means for organizations trying to protect APIs? 40% of your API attack surface remains unprotected because of the the following reasons:
Incomplete knowledge of APIs
Insufficient API testing
Not running enough API tests
32% of Hackers say they don’t think organizations are running enough security tests. What does it mean for organizations trying to protect APIs? To secure your APIs, it’s vital that your developers and security teams should be covering all your APIs with continuous security testing. The best and fastest way to solve this problem is by implementing an automated API security testing tool such as Akto.
Hackers specialize in recon
Hackers are experts at performing reconnaissance on attack surface. Hackers can discover and collect information about their targets faster than most. What does it mean for organizations trying to protect APIs? To secure your APIs, you want to atleast match hackers’ recon skills. You should have complete real-time information about your APIs, hidden APIs, sensitive APIs, their request and response parameters, any changes and so on. You should know what all APIs have sensitive PII information and are at risk. The most secure organizations are great at performing reconnaissance on their API attack surface. They do so by using an automated tool such as Akto, that helps them in building a real time continuous API inventory with all request, response params and prioritization of their most vulnerable APIs for testing.
Improper authorization bounties rose by 75%
Hackerone in the chart below listed top 10 vulnerabilities ranked by bounty payouts. And guess what, improper authorization bounties rose by 75% this year. Not just that, authentication and authorization related issues make 5 of the top 10 vulnerabilities in this chart ( namely, Improper Access Control, IDOR, Privilege Escalation, Improper Authentication, Improper Authorization). What does it mean for organizations trying to secure APIs? Not only is authorization the most critical vulnerability for you to prioritize but if you solve this, you will be able to solve 50% of the top 10 vulnerabilities reported by Hackerone. You can learn about one of the tests here.
What an year 2022 has been for the security world! Stay tuned for some interesting trends in API security coming up in Akto blogs.
Keep reading
API Security
3 minutes
What is API Discovery?
API Discovery helps identify, map, and manage APIs within an organization, ensuring security, performance, and seamless integration across systems.
API Security
5 minutes
Top 10 DAST Tools in 2024
DAST tools secure web apps by identifying vulnerabilities through automated security testing.
API Security
8 minutes
Security Information and Event Management (SIEM)
SIEM aggregates and analyzes security data across an organization to detect, monitor, and respond to potential threats in real time.
Experience enterprise-grade API Security solution