Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.
By Tim Erlin, VP of Product at Wallarm
API security in 2025 will be a tale of two
extremes, both significantly impacted by generative AI (genAI). There's no
question that genAI will continue to grow rapidly over the next year. It is
already reshaping industries and introducing new possibilities in automation
and intelligence, and this trend will continue. Along with this expansion of
genAI comes a dramatic increase in the use of APIs. APIs are foundational to
the delivery and support of genAI applications. The likes of ChatGPT and Claude
are delivered on top of APIs that enable not only the delivery of their core
capabilities, but also support their infrastructure. In this marriage of
cutting-edge and traditional technologies, APIs serve as both the driving force
behind genAI capabilities and a potential point of weakness.
We should expect a major API breach involving
a generative AI application in 2025 due to the risks of traditional API
vulnerabilities within the genAI space. Generative AI systems rely on APIs that
are vulnerable to well-known attack vectors such as injection flaws, cross-site
scripting (XSS), and remote code execution (RCE). The projected growth of
genAI applications, coupled with the high dependence on standard API
components, increases the probability of such vulnerabilities being exploited.
These types of vulnerabilities are already exploited on a daily basis, and
there's no reason to expect anything different just because they're supporting a genAI
application. The appeal of targeting these APIs is immense: by compromising an
API, attackers could gain access to highly sensitive data or even the
generative AI models themselves. We'd like to say that this predicted breach
will serve as a wake-up call for organizations relying on genAI to prioritize
API security, but history says that such wake-up calls rarely materialize.
In parallel, we can expect an escalation in
the sophistication and impact of cyberattacks specifically targeting APIs, also
driven by generative AI capabilities. Attackers are already beginning to
harness AI-generated exploit development, and will move on to full kill chains
that start with genAI-enabled vulnerability discovery. These advanced tools
won't merely identify flaws; they will create tailored exploits and payloads
using adaptive and innovative attack techniques. This evolution means that each
phase of an attack, from vulnerability discovery to eventual compromise, will
be automated to a level where the speed of attacks is increased and the stealth
is maximized. As a result, organizations may find it increasingly difficult to
detect and respond to these attacks in real time, as AI-powered exploitation
introduces a new type of high-speed, high-impact attack that skirts existing
defenses.
In conclusion, 2025 will highlight both the
transformative power and risks of integrating generative AI with API-driven
systems. On one side, genAI will enable unprecedented automation and
functionality for businesses, redefining how they interact with and leverage
data through APIs. On the other, the vulnerabilities inherent in APIs will be
exposed and potentially exploited on a larger scale. As generative AI
applications grow, so does the importance of effective API security tools to
protect these interconnected systems. Organizations must adapt to the changing
threat landscape, incorporating more proactive API security measures to keep
pace with genAI's rapid advancements and the accompanying risks. This year will
likely mark a turning point, demonstrating both the incredible potential and
the critical security challenges of an AI-powered future. Whether organizations
rise to meet that challenge is yet to be seen.
ABOUT THE AUTHOR
Tim Erlin has more than 20 years of
experience implementing, evangelizing, conceptualizing, and selling
cybersecurity solutions. He spent the early part of his career developing the
vulnerability management market at nCircle, growing the customer base from a
handful to thousands around the world. Tim has managed products through
multiple acquisitions, including nCircle's acquisitions of Cambia and
Clearpoint Metrics, as well as being acquired by Tripwire, Belden, and Fortra.
He is an accomplished contributor to the cybersecurity community as a speaker,
writer, podcast host, and frequently quoted source in the media. He has
expertise in multiple cybersecurity markets, including vulnerability
management, configuration assessment, compliance assessment, cloud security,
threat intelligence, attack surface management, and cyber risk quantification.