Corsha Inc. released new research that paints a picture of cybersecurity professionals who are both frustrated over how much time and attention they must devote to API security and worried that their defenses still remain inadequate.
The Corsha team recently surveyed more than 400 security and engineering professionals to learn about their API secrets management practices and the challenges they face in thwarting API attacks. Among the key takeaways:
- 86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets.
- Over half (53%) of respondents have already experienced a data breach with unauthorized access to their networks or apps due to compromised API tokens.
- 72% of respondents use a secrets management solution, yet over half (56%) are still concerned about a potential data breach due to their current secrets management practices.
"Security and engineering teams are forced to divert their attention away from forward-facing engineering to focus on secrets management, yet their organizations remain vulnerable to attackers both through lateral attacks and leaked or compromised API secrets to gain illegitimate access to sensitive data," said Jared Elder, Chief Growth Officer at Corsha. "Data is everything and the potential risk from data breaches associated with leaked API secrets is clearly high and growing. Yet with an explosion of credentials to provision, rotate, and manage, the good guys find themselves constantly behind the eight ball."
A Rapidly Changing Threat Landscape
API usage has exploded over the last several years as companies continue to expand their adoption of cloud native technologies and API-driven ecosystems such as microservices and serverless architectures, hybrid cloud infrastructures, CI/CD pipelines, and a host of other applications and services that send and receive sensitive information through APIs. According to the Corsha survey, 44% of respondents host their API services across multiple clouds. For many enterprises, this often means disjointed secrets management solutions across disparate environments.
As a result, Corsha survey respondents spend an inordinate amount of time managing API tokens. 78% reported they manage at least 250 API tokens, keys, or certificates across their networks. Unfortunately, their security strategies for API-based communication cannot keep up with the level of scale and automation that's possible today.
Outdated Approaches to a Modern Security Challenge
All APIs have one thing in common: they connect services to facilitate data transfers. That makes them a favorite target for hackers as the number of APIs that depend on secrets increases, and workflows (e.g., secret provisioning and sharing, secret management, monitoring, control) become more difficult.
According to the Corsha survey, the top three API secrets management pain points are:
- Working with certificate authorities (44%)
- Rotating secrets (37%)
- Provisioning secrets (36%)
The methods respondents most commonly use to address these pain points are often dated, manual, error-prone, and cumbersome.
While many security teams assign specific entitlements to API keys, tokens, and certificates, the survey discovered that more than 42% do not. That means they're granting all-or-nothing access to any user bearing these credentials, which, although it is the path of least resistance in access management, also increases the security risk.
Corsha's researchers also found that more than 50% of respondents have little-to-no visibility into the machines, devices, or services (i.e., clients) that leverage the API tokens, keys, or certificates that their organizations are provisioning. Limited visibility can lead to secrets that are forgotten, neglected, or left behind, making them prime targets for bad actors to exploit undetected by traditional security tools and best practices.
Another red flag: although 54% of respondents rotate their secrets at least once a month, over 25% admit that they can take as long as a year to rotate secrets. The long-lived, static nature of these bearer secrets makes them prime targets for adversaries, much like the static nature of passwords to online accounts.
API Security Best Practices
The Corsha report also outlines what organizations can do to implement effective secrets management processes, including:
- Integrating a good secrets manager to gain overall visibility into all secrets
- Using mTLS when and where possible
- Always set a short expiry on secrets when possible
- Always sign and verify tokens
- Don't store or pass secrets in plaintext
"Today, even the most robust modern secrets management implementation isn't sufficient to prevent APIs from being exploited, which explains why over half of our survey respondents highlighted the continuing worry of suffering a potential data breach due to their current secrets management practices," added Scott Hopkins, Chief Operating Officer at Corsha. "The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight. Organizations would benefit from a stronger, automated, and highly scalable answer to their API authentication woes that can readily integrate into any environment. Corsha provides a robust added factor to API authentication to protect an organization's critical systems and data from savvy and opportunistic bad actors."
It's also important for security and development teams to recognize that risk is predominantly shifting from human-to-machine to machine-to-machine interactions and to consider what needs to be done to account for this transformation.
Corsha is on a mission to simplify API security and allow enterprises, developers, and DevSecOps teams to embrace modernization, complex deployments, and hybrid environments with confidence. Using a dynamic, blockchain-based machine identity, Corsha has developed a patented way to provide multi-factor authentication (MFA) for APIs, where API access may be pinned to only trusted machines. With Corsha, each API call now requires a fresh, one-time use credential, enabling zero-trust access for an organization's API services.
Download the Corsha State of API Secrets Management Report.