It’s a tough transition for SOCs that went from a pre-pandemic “we’ve got this” to a post-pandemic “we’re barely holding on.” So much has changed, and making every business interaction digital over the course of a few short years has affected not only security reality but also security morale.
Nowhere is this felt more than in the realm of APIs. API platform vendor Postman recorded fewer than a million API calls in 2006; as of 2021, it received over 46 million. Another industry report, by Rapid, reveals that roughly 70% of developers plan to increase API use this year. So many APIs in so little time leads many to wonder: are we protecting them all correctly?
Many think not.
How safe are your APIs?
According to API security vendor Salt, last December saw a total of 4,845 API-based attacks on its customer base alone, a 400% increase over just a few months earlier. Some of the findings in its Q1 2023 State of API Security report may reveal why.
- Authentication isn’t enough. In the past, requiring strong authentication was enough to ensure proper access to sensitive API assets. That tide has turned: Salt found that 78% of attacks come from bad actors who have found a way to authenticate correctly (think stolen credentials, brute-forced passwords, and social engineering ploys).
- API concerns are reaching the C-suite. APIs are no longer merely a security issue – they’re a business driver. As such, their welfare is everyone’s business, the C-suite not excluded. As APIs underpin each new application, development, and roll-out, their well-being is central to the well-being of the company. With 59% of respondents experiencing product delays from API security issues, it’s no wonder that nearly half (48%) said that API security became a C-level topic last year.
- API security challenges continue to rise. Nearly all companies with APIs experienced API security issues last year (a staggering 94%). These challenges are attributable to vulnerabilities (41%), authentication issues (40%), and sensitive data exposure (31%).
- 66% of attacks leverage OWASP vulnerabilities. It’s easy to look beyond the mark. The OWASP Top 10 represents the most critical security risks to web applications, and Salt data revealed that 66% of attacks leveraged at least one OWASP vulnerability. However, only 54% of respondents’ organizations made OWASP a priority focus area.
- “Zombie” APIs are still out there. It’s not pretty: undead APIs are a top concern for over 54% of participants surveyed. A zombie API is born when developers spin up new APIs and forget to de-provision the older ones. Since no one is keeping track of them (except perhaps attackers), they go unpatched and undocumented, leaving them as stale, open inroads into your organization. The fact that Salt survey respondents also cited documentation challenges is a likely indicator that the threat of languishing, liable APIs is even greater than that.
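The first finding above, that most attacks arrive already authenticated, is why authentication alone does not protect an API: once a caller holds a valid token, the question becomes whether that caller is allowed to touch the specific object it asked for. The following is an added example, not code from the article or from Salt, showing a minimal order-lookup handler in two forms. Both first authenticate the bearer token, but only the hardened version checks scope and object ownership, and it records each denial so the SOC can alert on a single principal probing many ids. The token table, order store and function names are constructed for illustration.

```python
"""Authentication vs. object-level authorization on an API endpoint.
Added example; token table and order data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Principal:
    user_id: str
    scopes: frozenset

# Constructed token table standing in for real token validation (JWT, introspection, ...).
TOKENS: Dict[str, Principal] = {
    "tok-alice": Principal("alice", frozenset({"orders:read"})),
    "tok-bob": Principal("bob", frozenset({"orders:read"})),
    "tok-svc": Principal("svc-metrics", frozenset({"metrics:read"})),  # no orders scope
}

# Constructed order store: order_id -> record with its owner.
ORDERS: Dict[str, dict] = {
    "1001": {"owner": "alice", "total": 42.0},
    "1002": {"owner": "bob", "total": 99.5},
}

# Denied authorization attempts, the signal a SOC would forward to detection.
DENIALS: List[dict] = []

def authenticate(headers: Dict[str, str]) -> Optional[Principal]:
    """Resolve a Bearer token to a principal; None means the caller is unauthenticated."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])

def get_order_vulnerable(headers: Dict[str, str], order_id: str) -> Tuple[int, Optional[dict]]:
    """Authenticates, then trusts the caller-supplied id: any valid token reads any order."""
    principal = authenticate(headers)
    if principal is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order            # authorization check missing

def get_order_hardened(headers: Dict[str, str], order_id: str) -> Tuple[int, Optional[dict]]:
    """Authenticates, then enforces scope and ownership before returning the object."""
    principal = authenticate(headers)
    if principal is None:
        return 401, None
    if "orders:read" not in principal.scopes:
        DENIALS.append({"user": principal.user_id, "order": order_id, "reason": "scope"})
        return 403, None
    order = ORDERS.get(order_id)
    # Missing and not-owned collapse to 404 so the response does not confirm that
    # someone else's order id exists.
    if order is None or order["owner"] != principal.user_id:
        DENIALS.append({"user": principal.user_id, "order": order_id, "reason": "ownership"})
        return 404, None
    return 200, order

def denials_by_user(min_count: int = 2) -> Dict[str, int]:
    """Principals with at least min_count denials: a simple enumeration signal for detection."""
    counts: Dict[str, int] = {}
    for event in DENIALS:
        counts[event["user"]] = counts.get(event["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    print("vulnerable:", get_order_vulnerable(bob, "1001"))   # bob reads alice's order
    print("hardened:  ", get_order_hardened(bob, "1001"))     # (404, None)
    for oid in ("1001", "1003", "1004"):
        get_order_hardened(bob, oid)
    print("enumeration candidates:", denials_by_user())
```

The status codes are the only thing a client sees, so the point of `DENIALS` is that the server keeps the evidence: a principal that authenticated correctly but accumulates ownership denials across many ids is exactly the "authenticated bad actor" the survey describes, and that pattern is invisible to an authentication-only gateway.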
These statistics are painful, given that nearly 90% of the world’s developers use APIs (and that figure dates from 2020 – there could be more now). As APIs make and break records for CI/CD speed, companies may put the cart before the horse and gamble with the ultimate good that APIs provide. It’s a delicate balance: while rapidly testing and deploying APIs leads to progress, more APIs are only better if they’re not a latent liability. API security needs to scale with API proliferation.
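Scaling security with proliferation starts with knowing what is actually exposed, and the "zombie" finding above is really an inventory problem: endpoints that still answer traffic but appear in no current specification. The following is an added example, not code from the article or any vendor, that reconciles a documented route list (OpenAPI-style path templates) against gateway access-log lines. It reports routes that receive traffic but are not documented (zombie candidates) and documented routes that receive none (candidates for retirement). The route list and log lines are constructed; a real deployment would load the spec and read the gateway's logs instead.

```python
"""Reconcile an API inventory against gateway traffic to surface undocumented
("zombie") endpoints and unused documented ones. Added example; the spec and
log lines below are constructed."""
import re
from collections import Counter
from typing import Counter as CounterT, List, Tuple

# Constructed inventory: (method, path template) as it would appear in an OpenAPI spec.
DOCUMENTED_ROUTES: List[Tuple[str, str]] = [
    ("GET", "/v2/users/{id}"),
    ("POST", "/v2/users"),
    ("GET", "/v2/orders/{id}"),
]

# Constructed gateway access log in common log format; /v1 was never decommissioned.
ACCESS_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /v2/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2023:10:00:02 +0000] "GET /v1/users/42 HTTP/1.1" 200 498
10.0.0.9 - - [01/Mar/2023:10:00:03 +0000] "POST /v2/users HTTP/1.1" 201 88
10.0.0.9 - - [01/Mar/2023:10:00:04 +0000] "GET /v1/users/7/export?format=csv HTTP/1.1" 200 20480
10.0.0.7 - - [01/Mar/2023:10:00:05 +0000] "GET /internal/debug HTTP/1.1" 200 1024
10.0.0.5 - - [01/Mar/2023:10:00:06 +0000] "GET /v1/users/42 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile /v2/users/{id} into a regex matching one concrete segment per {param}."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")

def generalize(path: str) -> str:
    """Fold numeric segments into {id} so /v1/users/42 and /v1/users/7 group as one route."""
    return "/" + "/".join("{id}" if seg.isdigit() else seg for seg in path.strip("/").split("/"))

def parse_access_log(log_text: str) -> CounterT[Tuple[str, str]]:
    """Count (method, path) pairs seen in the log, with query strings dropped."""
    hits: CounterT[Tuple[str, str]] = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            path = m.group("path").split("?", 1)[0]
            hits[(m.group("method"), path)] += 1
    return hits

def reconcile(documented: List[Tuple[str, str]], hits: CounterT[Tuple[str, str]]):
    """Return (undocumented traffic by generalized route, documented routes with no traffic)."""
    compiled = [(method, tmpl, template_to_regex(tmpl)) for method, tmpl in documented]
    doc_traffic: CounterT[Tuple[str, str]] = Counter()
    undocumented: CounterT[Tuple[str, str]] = Counter()
    for (method, path), n in hits.items():
        for d_method, tmpl, rx in compiled:
            if method == d_method and rx.match(path):
                doc_traffic[(d_method, tmpl)] += n
                break
        else:
            undocumented[(method, generalize(path))] += n
    unused = [(m, t) for m, t in documented if doc_traffic[(m, t)] == 0]
    return undocumented, unused

if __name__ == "__main__":
    undoc, unused = reconcile(DOCUMENTED_ROUTES, parse_access_log(ACCESS_LOG))
    print("Traffic to undocumented routes (zombie candidates):")
    for (method, route), n in undoc.most_common():
        print(f"  {n:4d}  {method} {route}")
    print("Documented routes with no traffic (retirement candidates):")
    for method, route in unused:
        print(f"        {method} {route}")
```

Run against real data, the undocumented list is the one to triage first: each route on it is reachable, serving requests, and outside whatever patching and review process the documented spec feeds. The unused list is the cheaper win, since a route nobody calls can be removed before it becomes the next zombie.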
So many APIs, so little time
Businesses and the DevSecOps people on the front lines can’t rest easy knowing how extensively APIs are used and how little they are protected. For example:
- Over 93% of Communications Services providers use OpenAPI
- Open Banking will have 130 million users by 2024, and that means huge implications for the APIs that support it
- APIs in Healthcare are growing by a 6.3% CAGR
This is a little concerning, given that 91% of organizations experienced an API security incident in 2020, and 83% of all internet traffic comes from API-based services.
Shoring up API security
Gartner predicts that “by 2025, less than 50% of enterprise APIs will be managed.” This means that for nearly every API with potential access to sensitive in-app data, another one is openly exposed. It’s no wonder API attacks were in the 90th percentile – it’s a veritable heyday for attackers.
Unfortunately, until businesses adopt API security at the rate of adopting additional APIs, those numbers will continue to increase.
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.