AI is a catalyst for new vulnerabilities: experts point to APIs


AI spending was expected to surge even before DeepSeek came into the picture. And while market analysts like S&P Global have warned about the potential AI winter if “the current level of enthusiasm proves to be oversold,” much can change if DeepSeek’s tech proves to be as good and cheap as they claim.

ADVERTISEMENT

From a security perspective, fast AI adoption is worrisome. And let’s leave DeepSeek aside for now. Any rushed adoption of AI in businesses, especially when it requires integration with your business systems, adds another layer of security risk.

Security firm Wallarm tracked 439 AI-related CVEs (common vulnerability and exposure). Firstly, the number signifies a staggering increase in AI-related flaws from a year before. But what is even more important is that 99% of these vulnerabilities were directly tied to APIs (application programming interfaces) used by companies to integrate those AI applications into their existing systems.

Many (57% if you want an exact number) of the AI-powered APIs were also externally accessible. Only a handful of APIs were properly secured.

“Organizations cannot afford not to secure their APIs. Failure to do so means they are exposing themselves to grave risks that can result in costly technical vulnerabilities and reputational and operational crises,” Ivan Novikov, CEO and co-founder of Wallarm is quoted in the press release.

The danger is not theoretical. While in 2023 API-related breaches were sparse, the situation changed dramatically last year. As per Wallarm, on average, there were three API-related breaches every month. Some months, the number would climb to five or seven breaches.

“The rise of API-driven systems in sectors like healthcare, transportation, technology, and financial services has led to a surge in vulnerabilities, placing APIs squarely at the center of the cybersecurity landscape,” the report reads.

AI CVEs

Here are the 10 Top 5 API breaches of 2024 as listed by Wallarm:

ADVERTISEMENT
  • Dell - 49 million users affected
  • Twilio - 33.4 million users affected
  • Internet Archive - 31 million users affected
  • Trello - 15 million users affected
  • Optus - 9.5 million users affected
Top 5 API breaches

How much do companies spend on AI?

As per S&P Technology Industry Credit Outlook 2025, AI spending is indeed robust today. However, experts warn AI investment might be volatile in the long term as “AI-related revenue growth fails to meet expectations.”

AI spending is expected to surge to $630 billion by 2028, with Financial services, software and information services, and retail accounting for 45% of anticipated investment in AI.

ADVERTISEMENT

“Fast-growing use cases include claims processing, digital commerce, sales planning, smart factory floor, and product design,” the report noted.

Tech leaders’ comments also boost robust investment. For example, Google’s CEO Sundar Pichai said that the risk of underinvesting is greater than that of overinvesting.

“The clearest beneficiaries of AI investment spending at this point are the semiconductor makers,” the report said, singling out Nvidia and Taiwan Semiconductor Manufacturing Corp (TSMC).

Software companies, however, are the furthest behind in monetization as they are still experimenting with revenue models, either charging subscription fees for AI models or infusing AI into existing products.

jurgita Konstancija Gasaityte profile Ernestas Naprys Gintaras Radauskas
Follow Cybernews for more exclusive coverage

Companies are poised to spend over $230 billion in 2024 on AI, with the big tech companies being the biggest drivers of it.

However, S&P experts also talk about the potential for an “AI winter if the current level of enthusiasm proves to be oversold.”

Note that this report came out before the DeepSeek ruffle caused a storm in stock markets. How is the outlook going to change now that DeepSeek is in the picture? Security experts are already worried, too.

“One of the biggest headaches for LLM providers is if someone manages to extract what is called the system prompt. If that exists in DeepSeek, which it likely does, this is the set of initial kick-off instructions that may have details of what to do, what not to do, and other links to other applications and could reveal more about the designers' intention. Of course, they would never say that in a public statement because it would give people the motivation to do it, but they will be monitoring their incoming prompts and activity over the API; and no doubt people are trying that,” Stuart Millar, principal AI engineer at Rapid7, said.

This is just a sneak peek into our upcoming coverage on the matter. Follow Cybernews for more.

ADVERTISEMENT