Broadcom announced the general availability of VMware Tanzu Platform 10 that establishes a new layer of abstraction across Cloud Foundry infrastructure foundations to make it easier, faster, and less expensive to bring new applications, including GenAI applications, to production.
In the battle to secure APIs, many organizations are losing. The reason being that many organizations don't know the extent of API risk. From complacency in creating comprehensive security risk profiles for APIs, failing to pinpoint API endpoints managing sensitive data without adequate authentication, and deferring finding a consensus on who should own the responsibility of API security, organizations are coming up short.
Traceable AI partnered with the Ponemon Institute to conduct a survey of over 1,600 cybersecurity professionals across the US, UK and EU, titled The 2023 State of API Security: A Global Study on the Reality of API Risk. Here's what we learned:
Persistent and Escalating API Breaches and Challenges Lead to Harsh Consequences
Unfortunately, API-related breaches are alarmingly common. The majority of organizations surveyed (60%) have fallen victim to API-related incidents within the past two years, and out of those, 74% suffered from three or more breaches. Worse, 23% endured over six breaches. These findings suggest a consistent security gap.
The consequences of API data breaches are brutal. Financial loss and loss of intellectual property (IP) were the most severe experienced by 52% of the affected organizations. Brand value erosion was also reported by 50% of respondents.
And the risks are only expected to worsen. 61% of respondents anticipate that API risks will increase over the next 12 to 24 months.
While maintaining an accurate API inventory and prioritizing APIs for remediation emerged as considerable hurdles, one of the biggest challenges proves to be API sprawl.
Nearly half of the respondents (48%) highlight preventing API sprawl as a top issue. API sprawl is when many APIs of different types are spread over many locations and managed by different teams. The result is zombie APIs, which remain in the shadows, unused, and vulnerable to attacks.
Who Owns API Security?
A huge contributor to the problem of API sprawl and growing API breaches is the lack of consensus on where the responsibility for API security should ideally reside. When asked this question, roles like CISO/CSO, CIO/CTO, and the Head of Quality Assurance were all within a few percentage points of each other.
In addition, only 43% of organizations have policies and procedures in place to manage and oversee the use of APIs, and only 44% of respondents say their organizations are highly effective in ensuring APIs are consistent across an organization.
On one hand, this could be a sign of the nature of API security, which necessitates collaboration across departments. On the other hand, it might point to a lack of clarity or potential silos within organizations, leading to possible inefficiencies or overlaps in efforts.
So How Do We Solve It? Embrace Zero Trust
A zero-trust architecture aims to move defenses from static, network-based perimeters to users, assets and resources. Traditional perimeter-based solutions such as WAFs, WAAP, VPNs, next-gen firewalls and network access control (NAC) products are ineffective at securing the expanding API attack surface. Zero Trust segments access and limits user permissions to specific applications and services and assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership.
40% of organizations have adopted a Zero Trust framework and of these respondents, 55% say their Zero Trust strategy includes API security.
The maturity of most organizations' Zero Trust strategy is at the early adoption or middle adoption stages with early adopters at 27% and middle stage adopters at 32%.
What the Future Holds
APIs, once seen as mere tools of interconnectivity, have clearly established their centrality in the modern digital ecosystem. This extensive survey not only sheds light on their current significance but also underscores their escalating role in the future.
From the data, we can conclude that API security is not an optional or secondary consideration. It's a necessity, a lifeline. Organizations have come to recognize that APIs, while being enablers of digital transformation, are also potential entry points for compromise.
There's hope in the statistics: the embrace of Zero Trust security strategies, with a particular focus on APIs, is a step in the right direction. Moreover, the acknowledgment that APIs broaden the attack surface reaffirms their criticality. With a prevailing sentiment that API risks will surge in the future, the imperative to bolster security measures becomes even more pronounced.
As we gaze into the future of API security, two things are clear: the increasing integration of APIs will bring both promise and challenges. API security will not only be an operational requirement but a cornerstone of enterprise strategy.
Industry News
Tricentis announced the expansion of its test management and analytics platform, Tricentis qTest, with the launch of Tricentis qTest Copilot.
Redgate is introducing two new machine learning (ML) and artificial intelligence (AI) powered capabilities in its test data management and database monitoring solutions.
Upbound announced significant advancements to its platform, targeting enterprises building self-service cloud environments for their developers and machine learning engineers.
Edera announced the availability of Am I Isolated, an open source container security benchmark that probes users runtime environments and tests for container isolation.
Progress announced 10 years of partnership with emt Distribution — a leading cybersecurity distributor in the Middle East and Africa.
Port announced $35 million in Series B funding, bringing its total funding to $58M to date.
Parasoft has made another step in strategically integrating AI and ML quality enhancements where development teams need them most, such as using natural language for troubleshooting or checking code in real time.
MuleSoft announced the general availability of full lifecycle AsyncAPI support, enabling organizations to power AI agents with real-time data through seamless integration with event-driven architectures (EDAs).
Numecent announced they have expanded their Microsoft collaboration with the launch of Cloudpager's new integration to App attach in Azure Virtual Desktop.
Progress announced the completion of the acquisition of ShareFile, a business unit of Cloud Software Group, providing a SaaS-native, AI-powered, document-centric collaboration platform, focusing on industry segments including business and professional services, financial services, industrial and healthcare.
Incredibuild announced the acquisition of Garden, a provider of DevOps pipeline acceleration solutions.
The Open Source Security Foundation (OpenSSF) announced an expansion of its free course “Developing Secure Software” (LFD121).
Redgate announced that its core solutions are listed in Amazon Web Services (AWS) Marketplace.
LambdaTest introduced a suite of new features to its AI-powered Test Manager, designed to simplify and enhance the test management experience for software development and QA teams.