Application programming interfaces (APIs) play a crucial role in the operation of digital platforms, however, they have also become one of the most exploited attack focuses by cybercriminals, according to the report State of API and Application Security 2025: How Artificial Intelligence Transforms the Digital Landscape, disseminated by Akamai.
The paper notes that APIs enable communication between systems for real-time data exchange. "For example, when we access our bank's application to pay taxes, that transaction crosses information with APIs from the tax service, civil registry, banks and other systems. Everything happens in seconds and invisibly to the user, but each of these APIs can be vulnerable if it is not protected," explained Jairo Parra, Akamai's cybersecurity specialist for Latin America.
According to the report, organizations in Latin America face growing threats. The most vulnerable industries include digital commerce, payment processors, banks, insurers, fintechs, and cryptocurrency platforms. Akamai recorded more than 311 billion attacks against APIs and web applications globally by 2024, an increase of 33% from the previous year.
The economic consequences are also evident in the study. It is estimated that security problems in APIs generate annual losses of about 87 billion dollars, a figure that could exceed 100 billion by 2026 if adequate measures are not adopted. Likewise, incidents associated with the top 10 risks detected by OWASP increased by 32%.
Another crucial flaw identified by Akamai is the lack of visibility. Despite the fact that 47% of security teams claim to have a full inventory of their APIs, many are unaware of which APIs handle private information. In a test scenario, Akamai's research team managed to change the price of a product to zero pesos on an e-commerce platform through a flaw in its API, without either the system or the team identifying the irregularity.
Parra indicated that "companies do not measure the number of APIs they use or the risks they face by not managing them properly."
The report also exposes the limitations of traditional security solutions, which make it difficult for organizations to:
Know how many APIs are active.
Identify abuse or unusual behavior.
Detect security bugs during the development process.
Identify APIs that handle sensitive data without proper control.
The report adds that these solutions are not designed to meet standards such as the OWASP Top 10, which records common vulnerabilities such as data exposure, authentication failures, and configuration errors.
"Does your company know how many APIs it uses, which ones communicate with third-party applications, if those institutions are regulated and if the information they traffic complies with security standards?" asked Parra.
To address these risks, Akamai recommends adopting technologies that offer end-to-end API visibility, real-time anomaly monitoring, access control, and compliance, as well as implementing practices aligned with OWASP guidelines.
"APIs are the backbone of digital business, but also its Achilles' heel if they are not managed with proper security," Parra concluded.
