Understanding the API Security Disconnect
October 31, 2022

Shay Levi
Noname Security

We recently published The API Security Disconnect: API Security Trends in 2022, which reveals some striking disconnects between the respondents' experiences with API security incidents, their lack of awareness of their own APIs, and their confidence in cloud service providers and others to provide API security.

The findings are more relevant today than ever given how APIs form the foundation of digital transformation. APIs enable critical connections between applications, platforms, and services. However, APIs also represent a significant and growing attack surface that is increasingly being exploited by cybercriminals. As the report suggests, APIs are vulnerable, and not enough is being done to protect them —a long with the potentially sensitive data they distribute.

Key Findings

The research showed that API security incidents are commonplace. Seventy-six percent of survey respondents experienced an API security incident in the previous 12 months. And these are incidents that they are aware of — the actual number is likely higher. The most common API security gaps identified in the survey were dormant or zombie APIs (19%), followed by authorization vulnerabilities (18%), and issues with Web Application Firewalls (17%).

Another alarming finding from the survey was that security managers lack visibility into their API inventories. Almost three in four survey respondents neither maintain a full API inventory nor know which of their APIs return sensitive data. Most are relying on network infrastructure providers, which honestly don't provide the required level of visibility for APIs. Just 47% of respondents who use such providers say they have visibility into their active APIs. Only 26% of respondents who use network infrastructure providers say they have visibility into zombie APIs, while 59% said the provider offered visibility into dormant APIs. This lack of awareness translates into API security risk because an invisible API is one that can be compromised without anyone being aware of the problem until it is too late to remediate.

The survey also uncovered that API security testing is not always timely. This is surprising given the prevalence of API security incidents and the high speed at which an API exploit can execute. Just 11% of respondents test APIs in real time.

22% of respondents said they only test APIs a minimum of once a week, while 28% test once a day and 39% are testing less than once a day but up to once per week.

71% of respondents say they are confident in the API security provided by their cloud service provider (CSP). This is startling considering 76% of respondents lack a full API inventory, and 74% experienced an API security incident in the last 12 months. This confidence would appear to be misplaced when viewed in the context of their actual API security experiences.

Further to this point, 67% of respondents expressed high levels of confidence in their traditional dynamic application security testing (DAST) and static application security testing (SAST) tools to test for API security vulnerabilities — something these tools do not adequately do.

UK vs. USA Results

CISOs and senior cybersecurity professionals in the US had somewhat different practices and perceptions of API security than their counterparts in the UK. In the case of real-time API security testing, the difference was pronounced: 14% of UK respondents reported testing in real time versus just 8% of those in the US.

Overall confidence in CSPs ability to handle API security also showed a discrepancy between outlooks in the US and UK. In the US, 80% of respondents were confident in their CSPs. In contrast, 61% of UK respondents had such confidence.

Vertical Market Overview

Results varied by industry, as well. As noted above, the survey covered six verticals: financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy and utilities. Manufacturing reported the highest number of API security incidents (79%), followed by energy and utilities (78%).

Top API security vulnerability by vertical market:

■ Retail and eCommerce: Dormant or zombie APIs (22%)

■ Manufacturing: Dormant or zombie APIs (21%)

■ Healthcare: Authorization vulnerabilities (23%)

■ Financial services: Authorization vulnerabilities (21%)

■ Energy and utilities: Distributed denial of service (DDoS) attacks (21%)

■ Government and public sector: Web Application Firewall (WAF) compromise (20%)

Role type and comparisons

Survey respondents' views varied by role. CIOs seemed to have the best visibility into API inventories and which APIs returned sensitive data. Thirty-two percent of CIOs reported having this ability. In contrast, and perhaps a bit surprisingly, application security (AppSec) team members had the lowest levels of visibility, with 44% saying they had only a partial understanding of their API inventories and which APIs returned sensitive data.

C-level executives had the opposite experience when it came to API security incidents. Eighty-one percent of CISOs said they had experienced an incident in the last 12 months, while just 53% of AppSec team members reported one. These findings suggest that there may be a disconnect between senior leadership and operational teams.

Conclusion

Though we encourage you to read the full report on your own and come to your own conclusions, there is a key revelation in this report. That is that cybersecurity professionals are not fully grasping the seriousness of the risks they face from their APIs. While they admit they are experiencing API security incidents, they simultaneously share that they lack the kind of comprehensive awareness of their APIs that would help mitigate API security risks. They also place confidence in non-API-specific software testing tools, cloud platforms and network operators to protect their APIs, a confidence that is not warranted.

As APIs come under ever more serious attacks, the time seems to have come for these disconnects in API security to be addressed. The risks of inaction and misplaced confidence are too high to ignore.

Methodology: The API Security Disconnect: API Security Trends in 2022 is based on a survey conducted by Opinion Matters, an independent research organization, of 600 respondents from six vertical markets in the US and UK. Surveyed industries include financial services, manufacturing, healthcare, energy & utilities, government & public sector, as well as retail & eCommerce.

Shay Levi is CTO and Co-Founder of Noname Security
Share this

Industry News

November 22, 2022

Red Hat introduced Red Hat Enterprise Linux 9.1and Red Hat Enterprise Linux 8.7.

November 22, 2022

Armory announced its new cloud-based solution called Continuous Deployment-as-a-Service, now available on the AWS Marketplace.

November 22, 2022

Rapid has has formally rebranded Paw to RapidAPI for Mac.

November 21, 2022

Red Hat announced the general availability of Migration Toolkit for Applications 6, based on the open source project Konveyor, aimed at helping customers accelerate large-scale application modernization efforts.

November 21, 2022

Palo Alto Networks signed a definitive agreement to acquire Cider Security (Cider).

November 17, 2022

OutSystems announced its new cloud-native development solution OutSystems Developer Cloud (ODC).

November 17, 2022

Retool announced Retool Workflows, a fast, extensible way for developers to build cron jobs, scheduled notifications, ETL tasks, and everything in between.

November 15, 2022

OutSystems announced the new OutSystems AI Mentor System.

November 15, 2022

Redpanda launched the general availability of its Redpanda Cloud managed service.

November 15, 2022

Edge Delta announced the launch of a free version, Edge Delta Free Edition, providing an intelligent and highly automated monitoring and troubleshooting experience for applications and services running in Kubernetes.

November 14, 2022

Codenotary announced TrueSBOM, a patent-pending, self-updating Software Bill of Materials (SBOM) for every application that is made possible by simply adding one line to the application source code.

November 14, 2022

Azion announced the release of the Azion Build product suite.

November 09, 2022

Puppet by Perforce announced the latest Long-Term Support (LTS) release of Puppet Enterprise.

November 09, 2022

Couchbase announced new enhancements to its database-as-a-service (DBaaS) Couchbase Capella.

November 09, 2022

Macrometa Corporation announced a new strategic equity investment, go-to-market partnership, and powerful product integrations with Akamai Technologies.