Understanding the API Security Disconnect
October 31, 2022

Shay Levi
Noname Security

We recently published The API Security Disconnect: API Security Trends in 2022, which reveals some striking disconnects between the respondents' experiences with API security incidents, their lack of awareness of their own APIs, and their confidence in cloud service providers and others to provide API security.

The findings are more relevant today than ever given how APIs form the foundation of digital transformation. APIs enable critical connections between applications, platforms, and services. However, APIs also represent a significant and growing attack surface that is increasingly being exploited by cybercriminals. As the report suggests, APIs are vulnerable, and not enough is being done to protect them, along with the potentially sensitive data they distribute.

Key Findings

The research showed that API security incidents are commonplace. Seventy-six percent of survey respondents experienced an API security incident in the previous 12 months. And these are incidents that they are aware of — the actual number is likely higher. The most common API security gaps identified in the survey were dormant or zombie APIs (19%), followed by authorization vulnerabilities (18%), and issues with Web Application Firewalls (17%).

Another alarming finding from the survey was that security managers lack visibility into their API inventories. Almost three in four survey respondents neither maintain a full API inventory nor know which of their APIs return sensitive data. Most are relying on network infrastructure providers, which honestly don't provide the required level of visibility for APIs. Just 47% of respondents who use such providers say they have visibility into their active APIs. Only 26% of respondents who use network infrastructure providers say they have visibility into zombie APIs, while 59% said the provider offered visibility into dormant APIs. This lack of awareness translates into API security risk because an invisible API is one that can be compromised without anyone being aware of the problem until it is too late to remediate.
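One way to make the visibility gap described above concrete, as an added example that is not from the report or from Noname Security: reconcile a declared route inventory against gateway access logs to surface routes that receive traffic but are absent from the inventory (treated here as zombie APIs), documented routes that saw no traffic in the window (treated here as dormant), and active routes the inventory marks as returning sensitive data. The inventory, log lines, route names and sensitivity flags are all constructed for illustration.

```python
"""Reconcile a declared API inventory against observed gateway traffic.

Added example, not code from the report or from Noname Security. The
inventory, log format and log lines are constructed for illustration.
"""
import re
from collections import Counter

# Constructed inventory: "METHOD route" -> documented as returning sensitive data?
INVENTORY = {
    "GET /v2/users/{id}": True,
    "GET /v2/orders": False,
    "POST /v2/orders": False,
    "DELETE /v2/orders/{id}": False,   # documented, but nobody calls it (dormant)
}

# Constructed gateway access log: "METHOD path status bytes" per line,
# including one malformed line that the parser must skip.
ACCESS_LOG = """\
GET /v2/users/42 200 512
GET /v2/orders 200 2048
POST /v2/orders 201 128
GET /v1/users/7/export 200 90112
this line is not a valid access-log record
GET /v1/users/9/export 200 88100
GET /internal/debug/dump 200 40000
GET /v2/users/43 200 510
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")


def normalise(path: str) -> str:
    """Collapse purely numeric path segments to {id} so /users/42 matches /users/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def reconcile(inventory: dict, log_text: str) -> dict:
    """Classify observed routes against the inventory; malformed log lines are ignored."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[f"{m['method']} {normalise(m['path'])}"] += 1
    routes, observed = set(inventory), set(seen)
    return {
        "zombie": sorted(observed - routes),      # live traffic, not in the inventory
        "dormant": sorted(routes - observed),     # documented, no traffic in this window
        "sensitive_active": sorted(r for r in observed & routes if inventory[r]),
        "hits": dict(seen),
    }
```

In practice the inventory would come from an API gateway or OpenAPI documents and the window would be days, not a handful of lines; the point is that a zombie route can only be found by comparing what is actually served against what is believed to exist.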

The survey also uncovered that API security testing is not always timely. This is surprising given the prevalence of API security incidents and the high speed at which an API exploit can execute. Just 11% of respondents test APIs in real time.

22% of respondents said they only test APIs a minimum of once a week, while 28% test once a day and 39% are testing less than once a day but up to once per week.

71% of respondents say they are confident in the API security provided by their cloud service provider (CSP). This is startling considering 76% of respondents lack a full API inventory, and 74% experienced an API security incident in the last 12 months. This confidence would appear to be misplaced when viewed in the context of their actual API security experiences.

Further to this point, 67% of respondents expressed high levels of confidence in their traditional dynamic application security testing (DAST) and static application security testing (SAST) tools to test for API security vulnerabilities — something these tools do not adequately do.

UK vs. USA Results

CISOs and senior cybersecurity professionals in the US had somewhat different practices and perceptions of API security than their counterparts in the UK. In the case of real-time API security testing, the difference was pronounced: 14% of UK respondents reported testing in real time versus just 8% of those in the US.

Overall confidence in CSPs' ability to handle API security also showed a discrepancy between outlooks in the US and UK. In the US, 80% of respondents were confident in their CSPs. In contrast, 61% of UK respondents had such confidence.

Vertical Market Overview

Results varied by industry, as well. The survey covered six verticals: financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy and utilities. Manufacturing reported the highest number of API security incidents (79%), followed by energy and utilities (78%).

Top API security vulnerability by vertical market:

■ Retail and eCommerce: Dormant or zombie APIs (22%)

■ Manufacturing: Dormant or zombie APIs (21%)

■ Healthcare: Authorization vulnerabilities (23%)

■ Financial services: Authorization vulnerabilities (21%)

■ Energy and utilities: Distributed denial of service (DDoS) attacks (21%)

■ Government and public sector: Web Application Firewall (WAF) compromise (20%)

Role type and comparisons

Survey respondents' views varied by role. CIOs seemed to have the best visibility into API inventories and which APIs returned sensitive data. Thirty-two percent of CIOs reported having this ability. In contrast, and perhaps a bit surprisingly, application security (AppSec) team members had the lowest levels of visibility, with 44% saying they had only a partial understanding of their API inventories and which APIs returned sensitive data.

C-level executives had the opposite experience when it came to API security incidents. Eighty-one percent of CISOs said they had experienced an incident in the last 12 months, while just 53% of AppSec team members reported one. These findings suggest that there may be a disconnect between senior leadership and operational teams.

Though we encourage you to read the full report on your own and come to your own conclusions, there is a key revelation in this report. That is that cybersecurity professionals are not fully grasping the seriousness of the risks they face from their APIs. While they admit they are experiencing API security incidents, they simultaneously share that they lack the kind of comprehensive awareness of their APIs that would help mitigate API security risks. They also place confidence in non-API-specific software testing tools, cloud platforms and network operators to protect their APIs, a confidence that is not warranted.

As APIs come under ever more serious attacks, the time seems to have come for these disconnects in API security to be addressed. The risks of inaction and misplaced confidence are too high to ignore.

Methodology: The API Security Disconnect: API Security Trends in 2022 is based on a survey conducted by Opinion Matters, an independent research organization, of 600 respondents from six vertical markets in the US and UK. Surveyed industries include financial services, manufacturing, healthcare, energy & utilities, government & public sector, as well as retail & eCommerce.

Shay Levi is CTO and Co-Founder of Noname Security