The Battle of Securing APIs: 2023 State of API Security At-A-Glance
November 06, 2023

Richard Bird
Traceable AI

In the battle to secure APIs, many organizations are losing. The reason being that many organizations don't know the extent of API risk. From complacency in creating comprehensive security risk profiles for APIs, failing to pinpoint API endpoints managing sensitive data without adequate authentication, and deferring finding a consensus on who should own the responsibility of API security, organizations are coming up short.

Traceable AI partnered with the Ponemon Institute to conduct a survey of over 1,600 cybersecurity professionals across the US, UK and EU, titled The 2023 State of API Security: A Global Study on the Reality of API Risk. Here's what we learned:

Persistent and Escalating API Breaches and Challenges Lead to Harsh Consequences

Unfortunately, API-related breaches are alarmingly common. The majority of organizations surveyed (60%) have fallen victim to API-related incidents within the past two years, and out of those, 74% suffered from three or more breaches. Worse, 23% endured over six breaches. These findings suggest a consistent security gap.

The consequences of API data breaches are brutal. Financial loss and loss of intellectual property (IP) were the most severe experienced by 52% of the affected organizations. Brand value erosion was also reported by 50% of respondents.

And the risks are only expected to worsen. 61% of respondents anticipate that API risks will increase over the next 12 to 24 months.

While maintaining an accurate API inventory and prioritizing APIs for remediation emerged as considerable hurdles, one of the biggest challenges proves to be API sprawl.

Nearly half of the respondents (48%) highlight preventing API sprawl as a top issue. API sprawl is when many APIs of different types are spread over many locations and managed by different teams. The result is zombie APIs, which remain in the shadows, unused, and vulnerable to attacks.

Who Owns API Security?

A huge contributor to the problem of API sprawl and growing API breaches is the lack of consensus on where the responsibility for API security should ideally reside. When asked this question, roles like CISO/CSO, CIO/CTO, and the Head of Quality Assurance were all within a few percentage points of each other.

In addition, only 43% of organizations have policies and procedures in place to manage and oversee the use of APIs, and only 44% of respondents say their organizations are highly effective in ensuring APIs are consistent across an organization.

On one hand, this could be a sign of the nature of API security, which necessitates collaboration across departments. On the other hand, it might point to a lack of clarity or potential silos within organizations, leading to possible inefficiencies or overlaps in efforts.

So How Do We Solve It? Embrace Zero Trust

A zero-trust architecture aims to move defenses from static, network-based perimeters to users, assets and resources. Traditional perimeter-based solutions such as WAFs, WAAP, VPNs, next-gen firewalls and network access control (NAC) products are ineffective at securing the expanding API attack surface. Zero Trust segments access and limits user permissions to specific applications and services and assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership.

40% of organizations have adopted a Zero Trust framework and of these respondents, 55% say their Zero Trust strategy includes API security.

The maturity of most organizations' Zero Trust strategy is at the early adoption or middle adoption stages with early adopters at 27% and middle stage adopters at 32%.

What the Future Holds

APIs, once seen as mere tools of interconnectivity, have clearly established their centrality in the modern digital ecosystem. This extensive survey not only sheds light on their current significance but also underscores their escalating role in the future.

From the data, we can conclude that API security is not an optional or secondary consideration. It's a necessity, a lifeline. Organizations have come to recognize that APIs, while being enablers of digital transformation, are also potential entry points for compromise.

There's hope in the statistics: the embrace of Zero Trust security strategies, with a particular focus on APIs, is a step in the right direction. Moreover, the acknowledgment that APIs broaden the attack surface reaffirms their criticality. With a prevailing sentiment that API risks will surge in the future, the imperative to bolster security measures becomes even more pronounced.

As we gaze into the future of API security, two things are clear: the increasing integration of APIs will bring both promise and challenges. API security will not only be an operational requirement but a cornerstone of enterprise strategy.

Richard Bird is Chief Security Officer at Traceable AI
Share this

Industry News

December 06, 2023

ngrok unveiled its JavaScript and Python SDKs, enabling developers to programmatically serve their applications and manage traffic by embedding ingress with a single line of code.

December 06, 2023

Data Theorem introduced API Attack Path Visualization capabilities for the protection of APIs and the software supply chain.

December 05, 2023

Security Journey announced support for WCAG, SCIM and continued compliance with SOC2 Type 2, which are leading industry standards.

December 05, 2023

Vercel announced a new suite of features for its Developer Experience (DX) Platform, made for enterprise teams with large codebases.

December 04, 2023

Atlassian Corporation has completed the acquisition of Loom, a video messaging platform that helps users communicate through instantly shareable videos.

December 04, 2023

Orca Security announced that the Orca Cloud Security Platform has achieved the Amazon Web Services (AWS) Built-in Competency.

November 30, 2023

Parasoft, a global leader in automated software testing solutions, today announced complete support for MISRA C++ 2023 with the upcoming release of Parasoft C/C++test 2023.2.

November 30, 2023 achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 29, 2023

CircleCI implemented a gen2 GPU resource class, leveraging Amazon Elastic Compute Cloud (Amazon EC2) G5 instances, offering the latest generation of NVIDIA GPUs and new images tailored for artificial intelligence/machine learning (AI/ML) workflows.

November 29, 2023

XM Cyber announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments.

November 29, 2023

PerfectScale has achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 28, 2023

BMC announced two new product innovations, BMC AMI DevX Code Insights and BMC AMI zAdviser Enterprise.

November 28, 2023

Rafay Systems announced the availability of the Rafay Cloud Automation Platform — the evolution of its Kubernetes Operations Platform — to enable platform teams to deliver automation and self-service capabilities to developers, data scientists and other cloud users.

November 28, 2023

Bitrise is integrating with Amazon Web Services (AWS) to provide compliance-conscious companies with greater access to CI/CD capabilities for mobile app development.

November 28, 2023

Armory announced a new unified declarative deployment capability for AWS Lambda.