Q3-2022 API ThreatStats™️ full report
In this third quarterly report, the team found 203 API-related vulnerabilities out of a total of 100,093 records examined. Despite the apparent leveling-off, our assessment of the data suggests three key findings which will have significant implications on your API security effort. We will examine these and other findings in this paper.
Initial analysis of this quarter's data show API vulnerabilities leveling off the number of API vulnerabilities and impacted vendors – metrics that saw huge jumps in the past – were basically unchanged during Q3, along with a virtually unchanged CVSS scores (both average and % in the critical or high range). However, upon further investigation we unearthed these key findings:
- Injections. While the OWASP Top-10 Injection categories ( for web apps and for APIs) top the charts at over 33% of all CVEs analyzed, further inspection reveals many, many variations that undoubtedly will require extra effort to remediate.
- Infrastructure. A vast majority of the most impactful vulnerabilities analyzed in Q3 impacted development tools and infrastructure – which clearly shifts your security focus.
- Exploits. A surprising finding was that the average gap between CVE and exploit POC publication was zero days! This will greatly impact your mitigation timeline.
All these findings will have significant implications on your organization's API security program.