When it comes to smart buildings, the “back end” of the operation, or inner workings, runs on something called an application programming interface, or API. APIs are the connections that make many of the integrations between different systems work. According to AWS, “APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols.” In a security system, they are the reason your smart systems work together seamlessly.

That is why a couple of recent studies are so concerning. 

A recent report by Traceable AI found that within the past two years, 60% of organizations faced at least one API-related breach. Three quarters of those experienced three or more incidents, and nearly one quarter suffered six or more.

According to the report, just 38% of organizations can discern the intricate context between API activity, user behavior and data flow, and 57% don’t believe traditional security solutions such as web application firewalls are effective at distinguishing genuine from fraudulent API activity.

Sixty-one percent of respondents expect API-related risks to rise in the next two years.

Another survey from Akamai Technologies Inc. looked at what application security professionals consider the top security risks related to APIs and found that less than half of respondent companies have API security testing tools in place. Only 29% have API discovery tools.

Survey participants ranked phishing (38.3%) and missing patches (24%) as the top two API security concerns, followed by exploitation of vulnerable applications/APIs (12%) and accidental disclosure of sensitive information (9.1%).

Other key highlights in the report include:

  • 62% of respondents are using web application firewalls as part of API risk mitigation.
  • 57% of respondents reported API inventory accuracy of between 25% and 75%.
  • Most respondents cited the OWASP (Open Web Application Security Project) Application Security and API Top Ten lists, and the MITRE ATT&CK Framework as the basis for defining application and API risk.
  • 76% of survey takers reported training development staff on application security.
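The Akamai findings above mention API discovery tools and API inventory accuracy without showing what either looks like in practice. The following Python script is an added example, not from the article or from either vendor: it mines constructed access log lines for the endpoints actually being called, collapses path parameters into templates, reconciles the result against a hypothetical documented inventory, and reports shadow endpoints (observed but undocumented), documented endpoints that are never observed, and an inventory accuracy figure. All paths, hosts and log lines are made up for illustration.

```python
"""Added example: discover API endpoints from access logs and reconcile them
against a documented inventory. Constructed data; not from any real system."""
import re
from collections import Counter

# Constructed "documented" inventory, keyed by (method, path template).
# Templates use OpenAPI-style placeholders such as {id}.
DOCUMENTED_INVENTORY = {
    ("GET", "/api/v1/buildings"),
    ("GET", "/api/v1/buildings/{id}"),
    ("POST", "/api/v1/buildings/{id}/doors/{door_id}/unlock"),
    ("GET", "/api/v1/sensors/{id}/readings"),
    ("DELETE", "/api/v1/sessions/{id}"),  # documented but never seen in the log
}

# Constructed access log lines (combined log format, abbreviated).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /api/v1/buildings HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2024:10:00:02 +0000] "GET /api/v1/buildings/42 HTTP/1.1" 200 873
10.0.0.9 - - [01/Jun/2024:10:00:03 +0000] "POST /api/v1/buildings/42/doors/7/unlock HTTP/1.1" 204 0
10.0.0.9 - - [01/Jun/2024:10:00:04 +0000] "GET /api/v1/sensors/1001/readings?since=1h HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jun/2024:10:00:05 +0000] "GET /api/internal/debug/config HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jun/2024:10:00:06 +0000] "GET /api/v0/users/17/export HTTP/1.1" 200 91234
10.0.0.7 - - [01/Jun/2024:10:00:07 +0000] "GET /api/v0/users/18/export HTTP/1.1" 200 88712
"""

# Pulls method, request path and status out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_path(path: str) -> str:
    """Strip the query string and collapse numeric or UUID-like segments to {id},
    so /buildings/42 and /buildings/43 count as one endpoint."""
    path = path.split("?", 1)[0]
    parts = []
    for seg in path.split("/"):
        if re.fullmatch(r"\d+", seg) or re.fullmatch(r"[0-9a-fA-F-]{32,36}", seg):
            parts.append("{id}")
        else:
            parts.append(seg)
    return "/".join(parts)


def template_key(method: str, template: str):
    """Unify named placeholders ({door_id}) with the {id} form produced above."""
    return (method, re.sub(r"\{[^}]+\}", "{id}", template))


def discover_endpoints(log_text: str) -> Counter:
    """Return a Counter of (method, path template) -> request count."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        counts[(m["method"], normalize_path(m["path"]))] += 1
    return counts


def reconcile(observed: Counter, documented: set) -> dict:
    """Compare observed endpoints with the documented inventory.

    inventory_accuracy is the share of observed endpoints that are documented;
    the survey's 25%-75% figures are the same idea measured across a whole estate."""
    doc = {template_key(m, p) for m, p in documented}
    seen = set(observed)
    covered = seen & doc
    return {
        "shadow": sorted(seen - doc),          # called but not in the inventory
        "unobserved": sorted(doc - seen),      # in the inventory but never called
        "inventory_accuracy": len(covered) / len(seen) if seen else 1.0,
    }


if __name__ == "__main__":
    observed = discover_endpoints(SAMPLE_LOG)
    report = reconcile(observed, DOCUMENTED_INVENTORY)
    for key in report["shadow"]:
        print(f"SHADOW   {key[0]:6} {key[1]}  ({observed[key]} requests)")
    for key in report["unobserved"]:
        print(f"DORMANT  {key[0]:6} {key[1]}")
    print(f"inventory accuracy: {report['inventory_accuracy']:.0%}")
```

The two shadow endpoints in the constructed log are exactly the kind of thing a discovery tool exists to surface: an internal debug route and a legacy v0 bulk export that no documented spec mentions, and therefore nothing in the WAF rule set or the security testing scope is looking at. The dormant DELETE route is the opposite failure, a documented endpoint that may have been retired in code but still appears in the inventory.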

These efforts are critical and will need to be increased in order to keep up with the number of potential attacks. The more integrations and “smart” devices you have, the more APIs are involved and the larger the attack surface.

According to the Traceable AI report, one of the primary breach methods when it comes to APIs is DDoS, or distributed denial of service attacks.

A recent report by Zayo Group Holdings analyzed DDoS attacks and found a 314% increase in overall attacks from the first half of 2022 to the first half of 2023. Cloud and software-as-a-service companies were among the sectors that saw the biggest increases in these types of attacks.