Pegasystems announced the general availability of Pega Infinity ’24.1™.
We recently published The API Security Disconnect: API Security Trends in 2022, which reveals some striking disconnects between the respondents' experiences with API security incidents, their lack of awareness of their own APIs, and their confidence in cloud service providers and others to provide API security.
The findings are more relevant today than ever given how APIs form the foundation of digital transformation. APIs enable critical connections between applications, platforms, and services. However, APIs also represent a significant and growing attack surface that is increasingly being exploited by cybercriminals. As the report suggests, APIs are vulnerable, and not enough is being done to protect them —a long with the potentially sensitive data they distribute.
Key Findings
The research showed that API security incidents are commonplace. Seventy-six percent of survey respondents experienced an API security incident in the previous 12 months. And these are incidents that they are aware of — the actual number is likely higher. The most common API security gaps identified in the survey were dormant or zombie APIs (19%), followed by authorization vulnerabilities (18%), and issues with Web Application Firewalls (17%).
Another alarming finding from the survey was that security managers lack visibility into their API inventories. Almost three in four survey respondents neither maintain a full API inventory nor know which of their APIs return sensitive data. Most are relying on network infrastructure providers, which honestly don't provide the required level of visibility for APIs. Just 47% of respondents who use such providers say they have visibility into their active APIs. Only 26% of respondents who use network infrastructure providers say they have visibility into zombie APIs, while 59% said the provider offered visibility into dormant APIs. This lack of awareness translates into API security risk because an invisible API is one that can be compromised without anyone being aware of the problem until it is too late to remediate.
The survey also uncovered that API security testing is not always timely. This is surprising given the prevalence of API security incidents and the high speed at which an API exploit can execute. Just 11% of respondents test APIs in real time.
22% of respondents said they only test APIs a minimum of once a week, while 28% test once a day and 39% are testing less than once a day but up to once per week.
71% of respondents say they are confident in the API security provided by their cloud service provider (CSP). This is startling considering 76% of respondents lack a full API inventory, and 74% experienced an API security incident in the last 12 months. This confidence would appear to be misplaced when viewed in the context of their actual API security experiences.
Further to this point, 67% of respondents expressed high levels of confidence in their traditional dynamic application security testing (DAST) and static application security testing (SAST) tools to test for API security vulnerabilities — something these tools do not adequately do.
UK vs. USA Results
CISOs and senior cybersecurity professionals in the US had somewhat different practices and perceptions of API security than their counterparts in the UK. In the case of real-time API security testing, the difference was pronounced: 14% of UK respondents reported testing in real time versus just 8% of those in the US.
Overall confidence in CSPs ability to handle API security also showed a discrepancy between outlooks in the US and UK. In the US, 80% of respondents were confident in their CSPs. In contrast, 61% of UK respondents had such confidence.
Vertical Market Overview
Results varied by industry, as well. As noted above, the survey covered six verticals: financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy and utilities. Manufacturing reported the highest number of API security incidents (79%), followed by energy and utilities (78%).
Top API security vulnerability by vertical market:
■ Retail and eCommerce: Dormant or zombie APIs (22%)
■ Manufacturing: Dormant or zombie APIs (21%)
■ Healthcare: Authorization vulnerabilities (23%)
■ Financial services: Authorization vulnerabilities (21%)
■ Energy and utilities: Distributed denial of service (DDoS) attacks (21%)
■ Government and public sector: Web Application Firewall (WAF) compromise (20%)
Role type and comparisons
Survey respondents' views varied by role. CIOs seemed to have the best visibility into API inventories and which APIs returned sensitive data. Thirty-two percent of CIOs reported having this ability. In contrast, and perhaps a bit surprisingly, application security (AppSec) team members had the lowest levels of visibility, with 44% saying they had only a partial understanding of their API inventories and which APIs returned sensitive data.
C-level executives had the opposite experience when it came to API security incidents. Eighty-one percent of CISOs said they had experienced an incident in the last 12 months, while just 53% of AppSec team members reported one. These findings suggest that there may be a disconnect between senior leadership and operational teams.
Conclusion
Though we encourage you to read the full report on your own and come to your own conclusions, there is a key revelation in this report. That is that cybersecurity professionals are not fully grasping the seriousness of the risks they face from their APIs. While they admit they are experiencing API security incidents, they simultaneously share that they lack the kind of comprehensive awareness of their APIs that would help mitigate API security risks. They also place confidence in non-API-specific software testing tools, cloud platforms and network operators to protect their APIs, a confidence that is not warranted.
As APIs come under ever more serious attacks, the time seems to have come for these disconnects in API security to be addressed. The risks of inaction and misplaced confidence are too high to ignore.
Methodology: The API Security Disconnect: API Security Trends in 2022 is based on a survey conducted by Opinion Matters, an independent research organization, of 600 respondents from six vertical markets in the US and UK. Surveyed industries include financial services, manufacturing, healthcare, energy & utilities, government & public sector, as well as retail & eCommerce.
Industry News
Mend.io and Sysdig unveiled a joint solution to help developers, DevOps, and security teams accelerate secure software delivery from development to deployment.
GitLab announced new innovations in GitLab 17 to streamline how organizations build, test, secure, and deploy software.
Kobiton announced the beta release of mobile test management, a new feature within its test automation platform.
Gearset announced its new CI/CD solution, Long Term Projects in Pipelines.
Rafay Systems has extended the capabilities of its enterprise PaaS for modern infrastructure to support graphics processing unit- (GPU-) based workloads.
NodeScript, a free, low-code developer environment for workflow automation and API integration, is released by UBIO.
IBM announced IBM Test Accelerator for Z, a solution designed to revolutionize testing on IBM Z, a tool that expedites the shift-left approach, fostering smooth collaboration between z/OS developers and testers.
StreamNative launched Ursa, a Kafka-compatible data streaming engine built on top of lakehouse storage.
GitKraken acquired code health innovator, CodeSee.
ServiceNow introduced a new no‑code development studio and new automation capabilities to accelerate and scale digital transformation across the enterprise.
Security Innovation has added new skills assessments to its Base Camp training platform for software security training.
CAST introduced CAST Highlight Extensions Marketplace — an integrated marketplace for the software intelligence product where users can effortlessly browse and download a diverse range of extensions and plugins.
Red Hat and Elastic announced an expanded collaboration to deliver next-generation search experiences supporting retrieval augmented generation (RAG) patterns using Elasticsearch as a preferred vector database solution integrated on Red Hat OpenShift AI.
Traceable AI announced an Early Access Program for its new Generative AI API Security capabilities.