F5 announced the findings of its
2024 State of Application Strategy Report: API Security,
revealing concerning truths about the current state of API security
across industries. The report highlights significant gaps in API
protection that expose APIs to potential threats that could jeopardize
enterprise security and operations. These challenges are magnified by
the rapid proliferation of APIs in today's digital landscape.

The survey found that less than 70% of customer-facing APIs are secured
using HTTPS (Hypertext Transfer Protocol Secure), leaving nearly
one-third of these APIs completely unprotected. This is a stark contrast
to the 90% of web pages that are now accessed via HTTPS, following the
push for secure web communications over the past decade.

"APIs are becoming the backbone of digital transformation efforts,
connecting critical services and applications across organizations,"
said Lori MacVittie, Distinguished Engineer at F5. "However, as our
report indicates, many organizations are not keeping pace with the
security requirements needed to protect these valuable assets,
especially in the context of emerging AI-driven threats."

Key Findings of the Report Include:

- Rapid growth and diverse environments: The average
  organization now manages 421 different APIs, with most hosted in public
  cloud environments. Despite this growth, a significant number of
  APIs, particularly those that are customer-facing, remain unprotected.
- Evolving API uses and security needs: As APIs
  increasingly connect to AI services like OpenAI, the security model must
  adapt to cover both inbound and outbound API traffic. Current practices
  largely focus on inbound traffic, leaving outbound API calls
  vulnerable.
- Fragmented responsibility for API security: The report reveals a divided responsibility
  for API security within organizations, with 53% managing it under
  application security and 31% through API management and integration
  platforms. This division can lead to gaps in coverage and inconsistent
  security practices.
- High demand for programmable security solutions:
  Respondents ranked programmability as the most valuable API security
  capability, underscoring the need for real-time inspection and response
  to API traffic and threats.

Addressing the Gaps in API Security

To address these security gaps, the report recommends organizations
adopt comprehensive security solutions that can cover the entire API
lifecycle, from design through deployment. By integrating API security
into both development and operational phases, organizations can better
protect their digital assets against a growing array of threats.

"APIs are integral to the AI era, but they must be secured to ensure
that AI and digital services can operate safely and effectively," added
MacVittie. "This report is a call to action for organizations to
re-evaluate their API security strategies and take the necessary steps
to protect their data and services."