API Security: The Overlooked Threat Now Overshadowing Cloud Misconfigurations

API vulnerabilities and cloud misconfigurations both pose massive threats to the cybersecurity of individuals and organizations. But which is the bigger evil?

Those who know the cofounders of FireTail know that we came to look at API security through our work in the cloud security domain. As organizations get deeper into the cloud, they realize that getting the maximum benefit from the cloud depends on their ability to make applications work with the autoscaling and cloud-native services that allow for flexibility and experimentation. This inevitably leads to a more modular, microservice-oriented architecture with a huge proliferation of APIs. All sensitive data and critical business functions pass over APIs in this paradigm. That’s where API risk gets introduced. 

But one additional question that’s been on our mind lately is this: 

“Which is a bigger threat today - cloud misconfigurations or API vulnerabilities?”

Imagine building a fortress. You check the reinforced doors to make sure they’re locked, and you build walls to protect your most valuable assets. That’s cloud security. Now, imagine a service entrance—small, unlocked, often overlooked, but essential for daily operations. No matter how safe the primary structure is, this service entrance grows into a critical vulnerability. That’s what it’s like with APIs. As organizations harden their cloud defenses, attackers are rapidly shifting to APIs, exploiting this newer, often overlooked vulnerability.

For companies focused on safeguarding sensitive data, this shift has enormous implications. At FireTail, we’ve analyzed the data, and the results are interesting: while cloud misconfigurations remain a concern, API vulnerabilities have almost certainly become a much larger and more urgent threat. This post explores why APIs now represent a prime target for attackers, why they pose more substantial risks than cloud misconfigurations, and what businesses should do about it.

The Evolution of Cloud Security: Why APIs Are Now the Prime Target

Those of us who started in cloud security have witnessed a swift transformation in the industry. For years, cloud misconfigurations—missteps like exposing storage buckets or failing to properly restrict access—were at the forefront of security concerns. But with advances in cloud provider tooling, more secure defaults, and widespread adoption of CSPM solutions, the nature of cloud vulnerabilities has changed. Misconfigurations remain an issue, but they’re now better controlled, and cloud providers have implemented more protective measures like secure defaults.

Additionally, threat actors have refined their cloud-specific TTPs, such as lateral movement and abuse of IAM permissions, when attacking cloud environments. This has highlighted the need for cloud security solutions to evolve from CSPM to more sophisticated CNAPP solutions that illustrate attack paths and the correlation between cloud resources to understand cloud risk better.

Meanwhile, APIs have emerged as the new frontier. According to our analysis, breaches involving APIs have skyrocketed over the past three years, surpassing cloud security incidents in both frequency and complexity. APIs are integral to cloud-based applications, acting as bridges between systems, services, and data stores. But as they proliferate, so do the risks, and attackers are taking notice. Yet most CNAPPs still don’t have native API security coverage.

Comparing the Numbers: A Data-Driven Look at API vs. Cloud Breaches

In recent years, we’ve summarized API data breaches on our API data breach tracker. And we’ve now added a second tab that includes data from sources like Wiz’s Cloud Threat Landscape and Public Cloud Security Breaches. With that data tabulated, we’ve created this comparison chart:

Comparison chart

Notes:

  • We used the “Mode” function for the organization type, industry and impact
  • We used the same “Mode” function for the top breach vector, so note that it reflects the number of events, not their size. For API data breaches, however, the same vector also leads by number of records breached.
  • All data is based on the sources cited and may be incomplete, particularly with regards to cloud breaches.
  • We narrowed the scope down to the last 3 years because the data before 2021 is sparse: the cloud security sources we use contain little from before that date and mostly didn’t exist yet.
  • We don’t see the acceleration on the cloud side like we do on the API side.

Breach events by year: Cloud vs API

Our data at FireTail seems to highlight the trend clearly. In the last three years, there have been 79 documented API breaches, compared to just 22 cloud-related breaches in the same period. These figures represent more than just numbers—they point to an evolving landscape in which API vulnerabilities are becoming a focal point for attackers.

When we look at the most common impact of these breaches—data exfiltration—the risks become even clearer. APIs, by design, are gateways to critical data, often lacking uniform security standards and managed in decentralized ways. A single vulnerability in an API can expose large volumes of data, creating potential for widespread damage. By contrast, a cloud misconfiguration might expose an isolated bucket or environment but doesn’t carry the same risk of cascading failures that can result from an exploited API.

Anatomy of an API Breach: Why It’s Worse than a Cloud Misconfiguration

APIs pose unique challenges for security, primarily due to their complexity and interconnectivity. Where cloud misconfigurations are typically limited in scope, API vulnerabilities can lead to far-reaching access that spans systems and data types. Here are the key reasons why an API breach can have a more severe impact than a cloud misconfiguration:

  1. Simple Breach Vectors:
    • Inconsistent authentication practices across API endpoints often leave gaps that attackers can exploit.
    • APIs have highly specific vulnerabilities that make them attractive to attackers. Authorization issues, such as broken object-level authorization, can lead to unauthorized access.
    • Common development and infrastructure practices, like using sequential integer numbering as the identifier for a database row (usually just relying on the database to populate and incrementally count), make it easy for attackers to guess record IDs and write scripts to loop over an entire dataset.
  2. Greater Impact Scope: While a cloud misconfiguration might compromise a single resource, an API vulnerability can expose entire datasets. APIs act as entry points for data, meaning that one compromised API could lead to access across multiple services or systems.
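To make the broken object-level authorization and sequential-ID points concrete, here is an added example (not FireTail’s code): a minimal order-lookup handler that only authenticates the caller, beside a hardened version that also checks ownership and can be backed by opaque IDs. The order table, session table, opaque ID strings and the `count_readable` regression check are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Order:
    order_id: str
    owner: str
    total_cents: int

# Constructed sample table with the sequential integer ids a database autoincrement would assign.
SEQ_ORDERS = {"1": Order("1", "alice", 4200), "2": Order("2", "bob", 1999), "3": Order("3", "carol", 8800)}
# Same rows keyed by opaque ids (constructed literals; production code would use uuid4 or secrets).
OPAQUE_ORDERS = {"b7e3a9c2f1d84e0a": SEQ_ORDERS["1"], "4c0f91aa77de4b13": SEQ_ORDERS["2"],
                 "e2d5c6b8a0194f77": SEQ_ORDERS["3"]}
# Constructed session table: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

Response = Tuple[int, Dict[str, object]]

def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Authentication only: maps a bearer token to a user; says nothing about which objects they may read."""
    token = headers.get("Authorization", "")
    return SESSIONS.get(token[len("Bearer "):]) if token.startswith("Bearer ") else None

def serialize(order: Order) -> Dict[str, object]:
    return {"order_id": order.order_id, "owner": order.owner, "total_cents": order.total_cents}

def get_order_vulnerable(headers: Dict[str, str], order_id: str) -> Response:
    """BOLA-prone handler: verifies WHO is calling, never whether the row belongs to them."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = SEQ_ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, serialize(order)  # any authenticated caller can read any row

def get_order_hardened(headers: Dict[str, str], order_id: str, store: Dict[str, Order]) -> Response:
    """Hardened handler: object-level authorization on every read, whichever id scheme the store uses."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = store.get(order_id)
    # Same 404 for "no such row" and "not your row", so the response does not reveal which ids exist.
    if order is None or order.owner != user:
        return 404, {"error": "not found"}
    return 200, serialize(order)

def count_readable(handler: Callable[[Dict[str, str], str], Response],
                   headers: Dict[str, str], candidate_ids: List[str]) -> List[str]:
    """Regression check for a test suite: owners of every row one caller's token can read by walking candidate ids."""
    readable = []
    for oid in candidate_ids:
        status, body = handler(headers, oid)
        if status == 200:
            readable.append(str(body["owner"]))
    return readable
```

Run `count_readable` against each handler with one user’s token in your API test suite: a result containing any owner other than the caller is a failing test, and it catches the authorization gap regardless of whether the table uses sequential or opaque IDs.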

The Real Risks in API Security: Trends and Emerging Threats

Our research shows that new types of threats, like credential stuffing and authorization exploits, are increasingly being directed at APIs. While credential stuffing has traditionally been associated with application endpoints, attackers are now using it to break into APIs.

As companies increasingly rely on APIs to connect with partners, customers, and other internal services, the API attack surface continues to grow. Each new API represents a potential entry point, and the rapid pace of API deployment often means that security is neglected in favor of faster development. This trend underscores a critical takeaway: traditional cloud security measures are not enough on their own to safeguard against API-specific threats.

The Bottom Line: Shifting Security Priorities in 2024 and Beyond

In today’s cloud-first world, companies must recognize that effective security goes beyond protecting the infrastructure itself. APIs are now a front-line defense requiring specific focus, tools, and proactive monitoring. Organizations need to rethink their approach to security, treating APIs as critical assets that require continuous investment and vigilance.

Moving forward, a few key actions can help strengthen API defenses:

  • Combine cloud and API security: As we’ve discussed here, APIs represent a critical entry point to accessing data. Combine cloud and API attack paths to get a full understanding of the risk to your data.
  • Invest in API-focused security tools that provide real-time visibility, API design analysis and testing, and monitoring across all API endpoints.
  • Implement strict access control policies and regularly audit API permissions to minimize unnecessary exposure.
  • Prioritize secure API design practices, ensuring authorization is correctly enforced at every level.

API security is no longer an afterthought; it’s the new battleground in the fight to protect data, particularly in an age of AI where APIs are even more important and easier than ever to exploit. By refocusing priorities and implementing these strategies, organizations can better position themselves to meet the challenges of 2024 and beyond.