Salt Security API security report 2023 validates an aspect of #threatmodeling that I find myself needing to repeat:
Authentication does not prevent attack!
Of the 4842 API attacks analyzed for the report, only 22% were unauthenticated.
A vast majority (78%) of attacks were authenticated!
If what’s behind an authentication is worth the expense/effort, attackers are happy to purchase/sign up.
Consider:
- Freemium and advert-paid sites (Facebook, etc.) and sites that dole out email addresses (Live, Yahoo, Gmail) allow everyone (of course attackers)
- Large enterprises always have some compromised machines. Ergo, attacker rides along with authenticated user. Any enterprise user might also allow attack
- A billion cracked passwords readily available
#threatmodeling must account for authenticated, likely authorized attackers
(In another post I’d be happy to explain what authentication does provide. It’s also in a couple of my books, if that helps?)