Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.
Understanding the API Security Disconnect
October 31, 2022
We recently published The API Security Disconnect: API Security Trends in 2022, which reveals some striking disconnects between the respondents' experiences with API security incidents, their lack of awareness of their own APIs, and their confidence in cloud service providers and others to provide API security.
The findings are more relevant today than ever given how APIs form the foundation of digital transformation. APIs enable critical connections between applications, platforms, and services. However, APIs also represent a significant and growing attack surface that is increasingly being exploited by cybercriminals. As the report suggests, APIs are vulnerable, and not enough is being done to protect them —a long with the potentially sensitive data they distribute.
Key Findings
The research showed that API security incidents are commonplace. Seventy-six percent of survey respondents experienced an API security incident in the previous 12 months. And these are incidents that they are aware of — the actual number is likely higher. The most common API security gaps identified in the survey were dormant or zombie APIs (19%), followed by authorization vulnerabilities (18%), and issues with Web Application Firewalls (17%).
Another alarming finding from the survey was that security managers lack visibility into their API inventories. Almost three in four survey respondents neither maintain a full API inventory nor know which of their APIs return sensitive data. Most are relying on network infrastructure providers, which honestly don't provide the required level of visibility for APIs. Just 47% of respondents who use such providers say they have visibility into their active APIs. Only 26% of respondents who use network infrastructure providers say they have visibility into zombie APIs, while 59% said the provider offered visibility into dormant APIs. This lack of awareness translates into API security risk because an invisible API is one that can be compromised without anyone being aware of the problem until it is too late to remediate.
The survey also uncovered that API security testing is not always timely. This is surprising given the prevalence of API security incidents and the high speed at which an API exploit can execute. Just 11% of respondents test APIs in real time.
22% of respondents said they only test APIs a minimum of once a week, while 28% test once a day and 39% are testing less than once a day but up to once per week.
71% of respondents say they are confident in the API security provided by their cloud service provider (CSP). This is startling considering 76% of respondents lack a full API inventory, and 74% experienced an API security incident in the last 12 months. This confidence would appear to be misplaced when viewed in the context of their actual API security experiences.
Further to this point, 67% of respondents expressed high levels of confidence in their traditional dynamic application security testing (DAST) and static application security testing (SAST) tools to test for API security vulnerabilities — something these tools do not adequately do.
UK vs. USA Results
CISOs and senior cybersecurity professionals in the US had somewhat different practices and perceptions of API security than their counterparts in the UK. In the case of real-time API security testing, the difference was pronounced: 14% of UK respondents reported testing in real time versus just 8% of those in the US.
Overall confidence in CSPs ability to handle API security also showed a discrepancy between outlooks in the US and UK. In the US, 80% of respondents were confident in their CSPs. In contrast, 61% of UK respondents had such confidence.
Vertical Market Overview
Results varied by industry, as well. As noted above, the survey covered six verticals: financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy and utilities. Manufacturing reported the highest number of API security incidents (79%), followed by energy and utilities (78%).
Top API security vulnerability by vertical market:
■ Retail and eCommerce: Dormant or zombie APIs (22%)
■ Manufacturing: Dormant or zombie APIs (21%)
■ Healthcare: Authorization vulnerabilities (23%)
■ Financial services: Authorization vulnerabilities (21%)
■ Energy and utilities: Distributed denial of service (DDoS) attacks (21%)
■ Government and public sector: Web Application Firewall (WAF) compromise (20%)
Role type and comparisons
Survey respondents' views varied by role. CIOs seemed to have the best visibility into API inventories and which APIs returned sensitive data. Thirty-two percent of CIOs reported having this ability. In contrast, and perhaps a bit surprisingly, application security (AppSec) team members had the lowest levels of visibility, with 44% saying they had only a partial understanding of their API inventories and which APIs returned sensitive data.
C-level executives had the opposite experience when it came to API security incidents. Eighty-one percent of CISOs said they had experienced an incident in the last 12 months, while just 53% of AppSec team members reported one. These findings suggest that there may be a disconnect between senior leadership and operational teams.
Conclusion
Though we encourage you to read the full report on your own and come to your own conclusions, there is a key revelation in this report. That is that cybersecurity professionals are not fully grasping the seriousness of the risks they face from their APIs. While they admit they are experiencing API security incidents, they simultaneously share that they lack the kind of comprehensive awareness of their APIs that would help mitigate API security risks. They also place confidence in non-API-specific software testing tools, cloud platforms and network operators to protect their APIs, a confidence that is not warranted.
As APIs come under ever more serious attacks, the time seems to have come for these disconnects in API security to be addressed. The risks of inaction and misplaced confidence are too high to ignore.
Methodology: The API Security Disconnect: API Security Trends in 2022 is based on a survey conducted by Opinion Matters, an independent research organization, of 600 respondents from six vertical markets in the US and UK. Surveyed industries include financial services, manufacturing, healthcare, energy & utilities, government & public sector, as well as retail & eCommerce.
Industry News
November 20, 2024
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:
November 20, 2024
Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.
November 20, 2024
Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.
November 19, 2024
OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.
November 19, 2024
Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.
November 19, 2024
Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.
November 19, 2024
Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.
November 19, 2024
Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.
November 19, 2024
Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.
November 19, 2024
Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.
November 18, 2024
MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.
November 18, 2024
Elastic announced its AI ecosystem to help enterprise developers accelerate building and deploying their Retrieval Augmented Generation (RAG) applications.
November 18, 2024
Red Hat introduced new capabilities and enhancements for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes, as well as the technology preview of Red Hat OpenShift Lightspeed.
November 18, 2024
Traefik Labs announced API Sandbox as a Service to streamline and accelerate mock API development, and Traefik Proxy v3.2.
