Botnet attacks on APIs: Why most companies are unprepared

The use of botnets to target applications for illegal and unethical purposes is growing, yet implementation of bot detection tools and best practices lags.

CSO  >  Botnet  >  Robots amid a blue binary matrix
Tampatra / Bannosuke / Getty Images

As companies move applications to the cloud and expose functionality via application programming interfaces (APIs), criminals have been moving quickly to take advantage of this newly exposed attack surface. By using botnets, they can dramatically increase the reach and effectiveness of their attacks. As with many new technologies, security is lagging behind.

The problem is that companies must be strategic about where they spend their security money, says John Carey, managing director in the technology practice at AArete, a management consulting firm. Investments in anti-bot technology are usually invisible to customers. "Tools and skills are in demand and increasingly expensive," he says. "Similarly, the threat landscape is expanding, as it's a lucrative crime area."

Botnet attacks on APIs a growing problem

According to a report by security firm Radware and Osterman Research released earlier this year, 98% of organizations saw attacks against their applications in 2020, and 82% reported attacks by bots. The most common types of bot attacks are denial of service (DoS), experienced by 86% of companies, web scraping, seen by 84%, and account takeover, reported by 75%.

API security was a "top priority" for 55% of organizations surveyed, and 59% said they want to "invest heavily" in it during 2021. Only a quarter of companies said they used bot management tools. Over the next year, 59% of organizations said they planned to invest heavily in API protection and 51% planned to invest in web application firewalls, but only 32% said they planned to invest in bot management tools. In addition, only 52% of companies fully integrated security into continuous delivery of APIs, compared to 63% for web applications.

To continue reading this article register now

Make your voice heard. Share your experience in CSO's Security Priorities Study.