By Reuben Koh, Director of Security Technology & Strategy, APJ at Akamai Technologies

As more economies around the world become digitalised, the adoption rate in Application Programming Interface (API) has also skyrocketed. According to Market Data Forecast, the size of the global API market is anticipated to grow 34.7% from 2024 to 2029.  Unfortunately, so too has business logic abuse, a rapidly growing cyberattack tactic directed at web and mobile apps and their APIs.

Business logic abuse occurs when cyber criminals use automated methods to exploit and manipulate the intended purpose of an API for malicious intentions, such as the extraction of sensitive data or interrupting a mission-critical application.

According to recent research, Australia is the most targeted country in the Asia Pacific and Japan region for web application and API attacks. Since these attacks often abuse legitimate access to exploit APIs, they can be very challenging to detect and prevent.

Cyber criminals take advantage of the intended functionality of an API and use it in unintended ways, usually beyond what the API was designed to do in the first place. As a vast majority of internet traffic today comprises API traffic, both commercial and critical infrastructure applications are more exposed than ever to such abuses than before.

Why business logic abuse has surged

The exponential increase and reliance on APIs across industries has driven up the number of potential targets, leading to an increase in attacks. Improved security across traditional web applications has also meant that cyber criminals now see new opportunities in targeting APIs instead. Furthermore, because API developers tend to work on rushed timelines, there will inevitably be oversights when it comes to thoroughly testing the APIs for flaws in business logic, something that the bad actors are counting on to take advantage of.

For example, cyber criminals can perform “carding attacks” where they harvest stolen credit card numbers through phishing attacks or other means, abuse a bank’s APIs for card validation, then resell those numbers to criminals to commit financial fraud. Even though the API itself isn’t technically attacked, it can be abused as an accessory to commit fraud against customers.

Industries impacted by business logic abuse

In Australia, APIs have been being successfully compromised in highly publicised attacks over the past 18 months, impacting thousands of consumers and citizens.

Amidst these gaps, organisations heavily dependent on APIs to power their business are at the greatest risk, particularly finance, commerce and healthcare. Not only are they huge adopters of APIs, they also have the most valuable data that is highly coveted by cybercriminals, as well as very complex business workflows due to the nature of their industries.

Alarmingly, such cases are now being detected in other industries too. Within retail, as digital commerce becomes more commonplace, attackers are looking for ways to gain access to customer loyalty points or account balances,  then target them through phishing attacks to steal this data and use it for their own gain. All this is being committed with no visible break-in or data breach, making it hard to detect or perform cyber forensics.

Conventional security tools may not be as effective against business logic abuse as these require very specialised tools for threat detection and mitigation. However, there are ways for organisations to proactively secure their APIs.

Protecting your organisation

The first is for the DevOps team to be trained to use more secure coding practices in the API design and development phase – vulnerabilities are introduced into APIs from the start, so it is critical for these teams to be trained to adopt security best practices. Utilising specialised API security testing tools is critical at this stage to minimise vulnerabilities and misconfigurations.

Secondly, as conventional security tools are unlikely to detect and stop API abuses, organisations should consider implementing API security-specific platforms that can test for gaps as well as continuously probe the security posture of the APIs, detect runtime abusers and mitigate those as they happen.

Lastly, organisations should include the guidelines provided by the OWASP Top 10 API Security Risks, which is the industry’s best practice in securing APIs, into their overall application security strategy. For organisations struggling with where to begin as they build their API protection programs, this can be a good starting point as this list addresses the world’s top 10 most common vulnerabilities in APIs that are being exploited actively today.

It is crucial for organisations to understand that APIs used to power their business processes are now actively under attack. It should also serve as a wake-up call to the industry that due to insecure API development, lack of specialised API security tools and sophisticated threats like business logic abuse, APIs have metaphorically become the Achilles heel in their application security strategy.

While there are a slew of regulations that have APIs as part of mandated compliance, the first step should begin with implementing visibility and security controls to deal with the volume, speed and complexity of the API environment. Organisations in Australia must continue to be vigilant, look at their entire security posture, examine ways to minimise the attack surface and adopt API security best practices, as this will be critical to ensuring business continuity and keeping sensitive data safe from ever-evolving API specific threats.