The Battle of Securing APIs: 2023 State of API Security At-A-Glance
November 06, 2023

Richard Bird
Traceable AI

In the battle to secure APIs, many organizations are losing. The reason being that many organizations don't know the extent of API risk. From complacency in creating comprehensive security risk profiles for APIs, failing to pinpoint API endpoints managing sensitive data without adequate authentication, and deferring finding a consensus on who should own the responsibility of API security, organizations are coming up short.


Traceable AI partnered with the Ponemon Institute to conduct a survey of over 1,600 cybersecurity professionals across the US, UK and EU, titled The 2023 State of API Security: A Global Study on the Reality of API Risk. Here's what we learned:

Persistent and Escalating API Breaches and Challenges Lead to Harsh Consequences

Unfortunately, API-related breaches are alarmingly common. The majority of organizations surveyed (60%) have fallen victim to API-related incidents within the past two years, and out of those, 74% suffered from three or more breaches. Worse, 23% endured over six breaches. These findings suggest a consistent security gap.

The consequences of API data breaches are brutal. Financial loss and loss of intellectual property (IP) were the most severe experienced by 52% of the affected organizations. Brand value erosion was also reported by 50% of respondents.

And the risks are only expected to worsen. 61% of respondents anticipate that API risks will increase over the next 12 to 24 months.

While maintaining an accurate API inventory and prioritizing APIs for remediation emerged as considerable hurdles, one of the biggest challenges proves to be API sprawl.

Nearly half of the respondents (48%) highlight preventing API sprawl as a top issue. API sprawl is when many APIs of different types are spread over many locations and managed by different teams. The result is zombie APIs, which remain in the shadows, unused, and vulnerable to attacks.

Who Owns API Security?

A huge contributor to the problem of API sprawl and growing API breaches is the lack of consensus on where the responsibility for API security should ideally reside. When asked this question, roles like CISO/CSO, CIO/CTO, and the Head of Quality Assurance were all within a few percentage points of each other.

In addition, only 43% of organizations have policies and procedures in place to manage and oversee the use of APIs, and only 44% of respondents say their organizations are highly effective in ensuring APIs are consistent across an organization.

On one hand, this could be a sign of the nature of API security, which necessitates collaboration across departments. On the other hand, it might point to a lack of clarity or potential silos within organizations, leading to possible inefficiencies or overlaps in efforts.

So How Do We Solve It? Embrace Zero Trust

A zero-trust architecture aims to move defenses from static, network-based perimeters to users, assets and resources. Traditional perimeter-based solutions such as WAFs, WAAP, VPNs, next-gen firewalls and network access control (NAC) products are ineffective at securing the expanding API attack surface. Zero Trust segments access and limits user permissions to specific applications and services and assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership.

40% of organizations have adopted a Zero Trust framework and of these respondents, 55% say their Zero Trust strategy includes API security.

The maturity of most organizations' Zero Trust strategy is at the early adoption or middle adoption stages with early adopters at 27% and middle stage adopters at 32%.

What the Future Holds

APIs, once seen as mere tools of interconnectivity, have clearly established their centrality in the modern digital ecosystem. This extensive survey not only sheds light on their current significance but also underscores their escalating role in the future.

From the data, we can conclude that API security is not an optional or secondary consideration. It's a necessity, a lifeline. Organizations have come to recognize that APIs, while being enablers of digital transformation, are also potential entry points for compromise.

There's hope in the statistics: the embrace of Zero Trust security strategies, with a particular focus on APIs, is a step in the right direction. Moreover, the acknowledgment that APIs broaden the attack surface reaffirms their criticality. With a prevailing sentiment that API risks will surge in the future, the imperative to bolster security measures becomes even more pronounced.

As we gaze into the future of API security, two things are clear: the increasing integration of APIs will bring both promise and challenges. API security will not only be an operational requirement but a cornerstone of enterprise strategy.

Richard Bird is Chief Security Officer at Traceable AI
Share this

Industry News

May 02, 2024

Parasoft announces the opening of its new office in Northeast Ohio.

May 02, 2024

Postman released v11, a significant update that speeds up development by reducing collaboration friction on APIs.

May 02, 2024

Sysdig announced the launch of the company’s Runtime Insights Partner Ecosystem, recognizing the leading security solutions that combine with Sysdig to help customers prioritize and respond to critical security risks.

May 02, 2024

Nokod Security announced the general availability of the Nokod Security Platform.

May 02, 2024

Drata has acquired oak9, a cloud native security platform, and released a new capability in beta to seamlessly bring continuous compliance into the software development lifecycle.

May 01, 2024

Amazon Web Services (AWS) announced the general availability of Amazon Q, a generative artificial intelligence (AI)-powered assistant for accelerating software development and leveraging companies’ internal data.

May 01, 2024

Red Hat announced the general availability of Red Hat Enterprise Linux 9.4, the latest version of the enterprise Linux platform.

May 01, 2024

ActiveState unveiled Get Current, Stay Current (GCSC) – a continuous code refactoring service that deals with breaking changes so enterprises can stay current with the pace of open source.

May 01, 2024

Lineaje released Open-Source Manager (OSM), a solution to bring transparency to open-source software components in applications and proactively manage and mitigate associated risks.

May 01, 2024

Synopsys announced the availability of Polaris Assist, an AI-powered application security assistant on the Synopsys Polaris Software Integrity Platform®.

April 30, 2024

Backslash Security announced the findings of its GPT-4 developer simulation exercise, designed and conducted by the Backslash Research Team, to identify security issues associated with LLM-generated code. The Backslash platform offers several core capabilities that address growing security concerns around AI-generated code, including open source code reachability analysis and phantom package visibility capabilities.

April 30, 2024

Azul announced that Azul Intelligence Cloud, Azul’s cloud analytics solution -- which provides actionable intelligence from production Java runtime data to dramatically boost developer productivity -- now supports Oracle JDK and any OpenJDK-based JVM (Java Virtual Machine) from any vendor or distribution.

April 30, 2024

F5 announced new security offerings: F5 Distributed Cloud Services Web Application Scanning, BIG-IP Next Web Application Firewall (WAF), and NGINX App Protect for open source deployments.

April 29, 2024

Code Intelligence announced a new feature to CI Sense, a scalable fuzzing platform for continuous testing.

April 29, 2024

WSO2 is adding new capabilities for WSO2 API Manager, WSO2 API Platform for Kubernetes (WSO2 APK), and WSO2 Micro Integrator.