95% of API Breaches are Caused By This – Yet Few Test for It

Nordic APIs wrote a great article, with input from industry experts, about the security threats to watch for in 2020. In the story, they mention the usual suspects such as stolen credentials and mass-overload (i.e., DDoS) attacks. It’s a great read, and the seriousness of those threats cannot be overstated. What is understated, however, is the much larger threat that we all ignore: the vast majority of security failures are caused by human error.

“Through 2022, at least 95% of cloud security failures will be the customer’s fault.”

Jay Heiser, VP at Gartner

This rarely acknowledged vulnerability is of particular interest to us. We have previously written about human-error breaches at the USPS and in India. Most of these errors could have been caught with a proper API testing methodology. In SmartBear’s 2019 State of APIs report, they found that roughly 50% of organizations of all sizes don’t have a standardized API testing methodology. From our own experience, we believe the share of organizations that do have one is even lower than that.

Why is this? What causes this fear of the smaller threat, and indifference toward the much more prevalent threat of human error? It might be the fact that the story of a hacker breaking in is more interesting, and therefore reported on more often. If true, there is an echo chamber in the media that allows people to focus on the micro and not the macro. In the US, the #1 cause of death is heart disease, yet the nightly news rarely has a segment on it. It’s okay to be more interested in sensationalism: it can be more intriguing. But we’re not talking about how to spend our free time. APIs are our jobs, and protecting the information those APIs have access to is paramount.

In Akamai’s State of the Internet report, they found that 83% of all web traffic in 2018 was API traffic. This number isn’t getting smaller, and it’s important to remember the power these APIs have. Now, with PSD2 and Open Banking, European financial institutions expose publicly available APIs that carry all of our banking information. Are you convinced they are doing everything possible to not fall victim to human error?

It is human to make mistakes. It will always be so. But that shouldn’t be a reason to just shrug; it should serve as a rallying cry. If human error were something more sensational, like a giant killer moth attacking a city, then every major city would instantly build moth-fighting capabilities, with varying levels of success. The difference is that they would feel obligated to try. We need to treat human error like Mothra: not accept our fate, but fight back.

One data breach can affect thousands of lives and cost jobs, all because of a simple human error. Banks, financial services, healthcare, and other enterprises must do more to correct human error. Start by setting up comprehensive automated regression tests and scheduling functional uptime monitors. Do what it takes to become an organization that takes the 95% probability more seriously, and isn’t entirely distracted by the 5%.