Noname Security announced the findings from its API security report, "The API Security Disconnect - API Security Trends in 2022." The report reveals a rapidly growing number of API security incidents, a concerning lack of API visibility, and misplaced confidence in existing controls.
Over three-quarters (76%) of respondents have suffered an API security incident in the last 12 months; the causes most commonly cited were dormant/zombie APIs, authorization vulnerabilities, and web application firewalls.
Furthermore, nearly three-quarters (74%) of cybersecurity professionals do not have a complete API inventory or know which APIs return sensitive data.
This implies that the majority of respondents will struggle to remediate API security threats, and to decide which to prioritize, without real-time, granular visibility into the APIs in their ecosystems.
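The two findings above (no complete inventory, and no knowledge of which APIs return sensitive data) are concrete enough to show in code. The following is an added example, not code from the report or from Noname Security: it reconciles a declared API inventory against observed gateway traffic, flags undocumented ("zombie") endpoints and dormant ones, records which endpoints returned sensitive fields, and ranks the undocumented-and-sensitive ones first. The inventory, the access-log records, the `{id}` normalization rule and the sensitive-field pattern are all constructed assumptions for illustration.

```python
"""Reconcile a declared API inventory against observed API traffic.

Added example (not from the report). The inventory, the log records and the
sensitive-field regex below are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed inventory: endpoints the team believes it exposes, as
# (method, path template) pairs in a minimal OpenAPI-like shape.
DECLARED_INVENTORY = {
    ("GET", "/v2/users/{id}"),
    ("GET", "/v2/orders/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/health"),
}

# Constructed gateway access-log records: what actually served traffic.
# "fields" lists the top-level JSON keys observed in each response body.
OBSERVED_TRAFFIC = [
    {"method": "GET", "path": "/v2/users/1042", "status": 200,
     "fields": ["id", "email", "ssn"]},
    {"method": "GET", "path": "/v2/orders/77", "status": 200,
     "fields": ["id", "total"]},
    # Old API version still answering requests but absent from the inventory.
    {"method": "GET", "path": "/v1/users/1042", "status": 200,
     "fields": ["id", "email", "dob", "ssn"]},
    # Debug endpoint nobody documented.
    {"method": "GET", "path": "/internal/debug/users", "status": 200,
     "fields": ["id", "email", "password_hash"]},
    {"method": "POST", "path": "/v2/orders", "status": 201,
     "fields": ["id"]},
]

# Assumed field-name pattern for "sensitive data"; tune to your data classes.
SENSITIVE_FIELD_RE = re.compile(r"(ssn|dob|password|card|token|secret|email)", re.I)


def normalize_path(path):
    """Collapse numeric path segments to {id} so /v2/users/1042 matches /v2/users/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def reconcile(inventory, traffic):
    """Return undocumented endpoints, dormant endpoints, and sensitive fields per endpoint."""
    observed = defaultdict(set)  # (method, template) -> sensitive field names seen
    for rec in traffic:
        key = (rec["method"], normalize_path(rec["path"]))
        seen = observed[key]  # register the endpoint even if nothing sensitive is returned
        seen.update(f for f in rec["fields"] if SENSITIVE_FIELD_RE.search(f))
    undocumented = sorted(k for k in observed if k not in inventory)  # zombie / unknown APIs
    dormant = sorted(k for k in inventory if k not in observed)        # declared but silent
    sensitive = {k: sorted(v) for k, v in observed.items() if v}
    return {"undocumented": undocumented, "dormant": dormant, "sensitive": sensitive}


def prioritized(result):
    """Endpoints that are both undocumented and returning sensitive data: fix these first."""
    return [k for k in result["undocumented"] if k in result["sensitive"]]


if __name__ == "__main__":
    res = reconcile(DECLARED_INVENTORY, OBSERVED_TRAFFIC)
    for bucket in ("undocumented", "dormant"):
        print(bucket, res[bucket])
    print("sensitive", res["sensitive"])
    print("fix first", prioritized(res))
```

In practice the inventory would be loaded from the real OpenAPI documents and the traffic from gateway or WAF logs; the point is that neither source alone answers "what is live, what is dead, and which of the live ones leak PII".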
Other key findings include:
- 71% were confident and satisfied that they were receiving sufficient API protection.
- Less than half (48%) of respondents have visibility into the security posture of active APIs.
- Only 11% of respondents test APIs for signs of abuse in real time.
- 39% test less than once per day and up to once per week.
- 67% of respondents are confident that their DAST and SAST tools are capable of testing APIs.
Shay Levi, Noname Security CTO and co-founder, comments on the findings: "Our research has exposed a disconnect between the high level of incidents, low levels of visibility, effective monitoring and testing of the API environment, and misplaced confidence that current tools are preventing attacks. This emphasizes the need for further education by Security, AppSec, and development teams around the realities of API security testing."
Legacy-based sectors struggle to keep pace with API security testing
Critical infrastructure sectors such as manufacturing and energy & utilities, which typically rely on legacy systems, ranked unfavorably on a number of metrics. They ranked worst on the percentage of API security incidents in the last 12 months, with 79% of manufacturing and 78% of energy & utilities respondents saying they had experienced incidents of which they were aware.
Energy & utilities companies were also the least likely to have a complete inventory of APIs and know which return sensitive data, with just 19% reporting both. Manufacturing organizations found it most difficult to scale API security solutions, with just 30% saying they found it easy. Furthermore, real-time testing was at its lowest in energy & utilities (7%), while manufacturing and energy & utilities were the most likely to conduct API security testing less frequently than once per month, at 20% and 21% respectively.
The relative lack of testing in these critical infrastructure sectors correlates with the number of API security incidents they have suffered in the last 12 months. This emphasizes the need for standards to be raised in sectors where personally identifiable information and intellectual property can be stolen by bad actors, let alone where physical infrastructure and vital services are at risk.
US and UK differ over API visibility and reporting
There were a number of differences in monitoring and visibility of APIs between the two countries surveyed, especially when it comes to reporting in real time. More UK respondents (28%) have full API inventories and know which return sensitive data, compared to the US (24%).
Furthermore, a larger share of respondents in the US (44%) had visibility into their complete inventory of APIs but were not aware of which ones return sensitive data, compared to 38% in the UK. This could suggest that US organizations are more concerned with API-driven growth than with securing existing APIs.
Disparity in API security approach across job roles
Responses from Application Security (AppSec) teams appear to differ considerably from other job functions surveyed. Compared to 81% of CISOs saying that they have experienced an API security incident, only 53% of AppSec professionals said they had. Additionally, 58% of CIOs said it was easy to scale API security solutions, while nearly a third (29%) of AppSec respondents admitted this was difficult.
In terms of testing, only 7% of AppSec professionals tested in real time for signs of abuse, while 25% stated that they test for API security vulnerabilities less than once a week and up to once per month.
"The ongoing prioritization of digital transformation initiatives is introducing an increased number of applications - and therefore APIs - into organizations' ecosystems," added Levi. "The perceived gaps around API security testing between different job functions begs the question as to whether there is a lack of consistency across organizations of what is happening on the frontline. This needs to be addressed urgently; application development needs to adopt a 'shift left' approach to security testing, so that testing is undertaken pre-production, and teams need to be educated about the benefits of doing this.
"We've seen from the likes of Gartner that APIs are quickly becoming the most popular attack vector. Our research demonstrates that if businesses don't address the security vulnerabilities and widening attack surface presented by an increasing number of APIs, their ability to innovate and offer end-user-friendly solutions will be stifled by potentially debilitating cyber-attacks," concluded Levi.
Noname Security commissioned the independent research organization Opinion Matters to undertake the survey in July 2022. 600 senior cybersecurity professionals in the US and UK were surveyed from across a variety of enterprise organizations in six key vertical market sectors: financial services, retail & eCommerce, healthcare, government & public sector, manufacturing, and energy & utilities.
Read the full results from Noname Security's "The API Security Disconnect - API Security Trends in 2022" report.