40% of Organizations Do Not Have an API Security Solution - Here's What That Means
June 27, 2023

Richard Bird
Traceable AI

The news of T-Mobile's security breach earlier this year was met with an air of inevitability in cybersecurity circles, particularly when it was revealed that an API was the culprit that exposed the sensitive data of 37 million of their customers. This event serves as a reminder of the perils that accompany the transition of many organizations towards a Cloud-first, API-first model. While this shift is undeniable, so too is the resultant API sprawl and the increased incidents of API-related cyber attacks and breaches.

A recurring narrative is emerging in today's digital landscape, characterized by organizations grappling with managing and safeguarding the growing number of APIs within their ecosystem.

Use the player or download the MP3 below to listen to Cybersecurity Awesomeness Podcast - Episode 5 — Chris Steffen and Ken Buckler from EMA discuss API Security.

Click here for a direct MP3 download of Episode 5

At the 2023 RSA Conference, a survey conducted by Traceable brought some troubling facts to the surface about how organizations are handling their API security — a theme that has become ground zero in cybersecurity circles. The survey results were unsettling, indicating that a significant 40% of respondents were operating without an API security solution. Furthermore, 29% did not know whether their organization had any measure in place to secure APIs.

These results underscore the imperative for organizations to immediately secure the full breadth of their API ecosystem. This includes understanding how many APIs they have, where those APIs reside, and what those APIs are doing.

API Security Ownership Remains Fragmented

The issue of API security ownership is fraught with fragmentation among various teams, complicating the scenario further. According to the survey, the landscape is a mix of varying perspectives, with 38% of respondents assigning ownership to the CISO, while 25% stated that development and/or DevOps were the stewards of API security. A further 24% of respondents are in the dark about who holds this responsibility.

It's crucial that we address this uncertainty. This lack of clarity can foster serious blind spots in security coverage, potentially paving the way for API-related breaches. Creating a culture of shared accountability and fostering open communication between different teams can help address these gaps.

Battling API Sprawl

A staggering 66% of the survey respondents either grapple with API sprawl or are uncertain about their organization's competence in managing it effectively. Contending with API sprawl goes beyond API Discovery; it requires a comprehensive strategy encompassing security posture management, threat protection, and threat management. Absent these key pillars, any unknown API becomes a sitting duck for cyber attacks.

Adding another layer to this challenge are the so-called "Zombie APIs." These are outdated, ostensibly disabled APIs that continue to lurk in the shadows of the application infrastructure. They present an additional and often overlooked risk, being ripe for exploitation through a range of API attacks. The consequences of such breaches can be severe, extending from account takeover to fraudulent transactions. In the absence of diligent tracking and management, these Zombie APIs can be accessed easily to harvest data, often allowing malevolent activities to fly under the radar.

Failure to Baseline API Behavior

Among those organizations with dedicated API security solutions, a concerning 25% revealed that their solutions are unable to baseline API behavior. This leaves them blind to both normal and abnormal behavior and therefore, to any anomalies potentially indicative of an API attack. Even more alarming is the fact that half of the respondents confessed their uncertainty regarding the presence of such capabilities in their API security solution.

Baselining — the process of defining what constitutes normal and abnormal API activity — is the hinge of API security. This is ideally done with an API data lake at the core of the solution. It equips organizations with a deep understanding of API context, allowing deviations — possible indicators of an attack or malicious intent — to be spotted more easily. Without this, malevolent activities of threat actors could seamlessly blend into the regular traffic, making them much harder to detect and counter.

The Time is Now

What makes APIs so dangerous is that they present the largest attack surface we have ever encountered in the industry. In the past, hackers had to find ways of bypassing existing solutions, such as WAFs, DLP, or API Gateways, in order to find data and disrupt systems. Now, they can simply exploit an API, and obtain access to sensitive data, and not even have to exploit the other solutions in the security stack.

This is why more organizations need to take API security seriously and make it an integral part of their broader cybersecurity strategy.

Correcting some of the common challenges above begins with designating API security responsibility to a specific person or group. Rather than choosing between security and DevOps teams, many organizations are creating integrated DevSecOps teams to cater to their API security needs due to shared initiatives. No matter which group(s) your organization selects to own API security, make sure everyone involved is fully aware of their responsibilities and expectations.

Breaches of unmonitored, unsecured APIs can also be prevented with a complete API security solution — one that includes security posture management, threat protection and threat management, across the entire software development lifecycle. Once the solutions and responsibilities are in place, organizations should consider a Zero Trust approach to API access. This can actively reduce the attack surface by minimizing or eliminating implied and persistent trust for APIs.

At the end of the day, successful cybersecurity is not about reacting to threats, but proactively mitigating them. Ensuring robust API security is an essential component of this proactive approach.

Richard Bird is Chief Security Officer at Traceable AI
Share this

Industry News

December 06, 2023

ngrok unveiled its JavaScript and Python SDKs, enabling developers to programmatically serve their applications and manage traffic by embedding ingress with a single line of code.

December 06, 2023

Data Theorem introduced API Attack Path Visualization capabilities for the protection of APIs and the software supply chain.

December 05, 2023

Security Journey announced support for WCAG, SCIM and continued compliance with SOC2 Type 2, which are leading industry standards.

December 05, 2023

Vercel announced a new suite of features for its Developer Experience (DX) Platform, made for enterprise teams with large codebases.

December 04, 2023

Atlassian Corporation has completed the acquisition of Loom, a video messaging platform that helps users communicate through instantly shareable videos.

December 04, 2023

Orca Security announced that the Orca Cloud Security Platform has achieved the Amazon Web Services (AWS) Built-in Competency.

November 30, 2023

Parasoft, a global leader in automated software testing solutions, today announced complete support for MISRA C++ 2023 with the upcoming release of Parasoft C/C++test 2023.2.

November 30, 2023

Solo.io achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 29, 2023

CircleCI implemented a gen2 GPU resource class, leveraging Amazon Elastic Compute Cloud (Amazon EC2) G5 instances, offering the latest generation of NVIDIA GPUs and new images tailored for artificial intelligence/machine learning (AI/ML) workflows.

November 29, 2023

XM Cyber announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments.

November 29, 2023

PerfectScale has achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 28, 2023

BMC announced two new product innovations, BMC AMI DevX Code Insights and BMC AMI zAdviser Enterprise.

November 28, 2023

Rafay Systems announced the availability of the Rafay Cloud Automation Platform — the evolution of its Kubernetes Operations Platform — to enable platform teams to deliver automation and self-service capabilities to developers, data scientists and other cloud users.

November 28, 2023

Bitrise is integrating with Amazon Web Services (AWS) to provide compliance-conscious companies with greater access to CI/CD capabilities for mobile app development.

November 28, 2023

Armory announced a new unified declarative deployment capability for AWS Lambda.