In the battle to secure APIs, many organizations are losing. The reason being that many organizations don't know the extent of API risk. From complacency in creating comprehensive security risk profiles for APIs, failing to pinpoint API endpoints managing sensitive data without adequate authentication, and deferring finding a consensus on who should own the responsibility of API security, organizations are coming up short.
Traceable AI partnered with the Ponemon Institute to conduct a survey of over 1,600 cybersecurity professionals across the US, UK and EU, titled The 2023 State of API Security: A Global Study on the Reality of API Risk. Here's what we learned:
Persistent and Escalating API Breaches and Challenges Lead to Harsh Consequences
Unfortunately, API-related breaches are alarmingly common. The majority of organizations surveyed (60%) have fallen victim to API-related incidents within the past two years, and out of those, 74% suffered from three or more breaches. Worse, 23% endured over six breaches. These findings suggest a consistent security gap.
The consequences of API data breaches are brutal. Financial loss and loss of intellectual property (IP) were the most severe experienced by 52% of the affected organizations. Brand value erosion was also reported by 50% of respondents.
And the risks are only expected to worsen. 61% of respondents anticipate that API risks will increase over the next 12 to 24 months.
While maintaining an accurate API inventory and prioritizing APIs for remediation emerged as considerable hurdles, one of the biggest challenges proves to be API sprawl.
Nearly half of the respondents (48%) highlight preventing API sprawl as a top issue. API sprawl is when many APIs of different types are spread over many locations and managed by different teams. The result is zombie APIs, which remain in the shadows, unused, and vulnerable to attacks.
Who Owns API Security?
A huge contributor to the problem of API sprawl and growing API breaches is the lack of consensus on where the responsibility for API security should ideally reside. When asked this question, roles like CISO/CSO, CIO/CTO, and the Head of Quality Assurance were all within a few percentage points of each other.
In addition, only 43% of organizations have policies and procedures in place to manage and oversee the use of APIs, and only 44% of respondents say their organizations are highly effective in ensuring APIs are consistent across an organization.
On one hand, this could be a sign of the nature of API security, which necessitates collaboration across departments. On the other hand, it might point to a lack of clarity or potential silos within organizations, leading to possible inefficiencies or overlaps in efforts.
So How Do We Solve It? Embrace Zero Trust
A zero-trust architecture aims to move defenses from static, network-based perimeters to users, assets and resources. Traditional perimeter-based solutions such as WAFs, WAAP, VPNs, next-gen firewalls and network access control (NAC) products are ineffective at securing the expanding API attack surface. Zero Trust segments access and limits user permissions to specific applications and services and assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership.
40% of organizations have adopted a Zero Trust framework and of these respondents, 55% say their Zero Trust strategy includes API security.
The maturity of most organizations' Zero Trust strategy is at the early adoption or middle adoption stages with early adopters at 27% and middle stage adopters at 32%.
What the Future Holds
APIs, once seen as mere tools of interconnectivity, have clearly established their centrality in the modern digital ecosystem. This extensive survey not only sheds light on their current significance but also underscores their escalating role in the future.
From the data, we can conclude that API security is not an optional or secondary consideration. It's a necessity, a lifeline. Organizations have come to recognize that APIs, while being enablers of digital transformation, are also potential entry points for compromise.
There's hope in the statistics: the embrace of Zero Trust security strategies, with a particular focus on APIs, is a step in the right direction. Moreover, the acknowledgment that APIs broaden the attack surface reaffirms their criticality. With a prevailing sentiment that API risks will surge in the future, the imperative to bolster security measures becomes even more pronounced.
As we gaze into the future of API security, two things are clear: the increasing integration of APIs will bring both promise and challenges. API security will not only be an operational requirement but a cornerstone of enterprise strategy.