Understanding the API Security Disconnect
October 31, 2022

Shay Levi
Noname Security

We recently published The API Security Disconnect: API Security Trends in 2022, which reveals some striking disconnects between the respondents' experiences with API security incidents, their lack of awareness of their own APIs, and their confidence in cloud service providers and others to provide API security.

The findings are more relevant today than ever given how APIs form the foundation of digital transformation. APIs enable critical connections between applications, platforms, and services. However, APIs also represent a significant and growing attack surface that is increasingly being exploited by cybercriminals. As the report suggests, APIs are vulnerable, and not enough is being done to protect them —a long with the potentially sensitive data they distribute.

Key Findings

The research showed that API security incidents are commonplace. Seventy-six percent of survey respondents experienced an API security incident in the previous 12 months. And these are incidents that they are aware of — the actual number is likely higher. The most common API security gaps identified in the survey were dormant or zombie APIs (19%), followed by authorization vulnerabilities (18%), and issues with Web Application Firewalls (17%).

Another alarming finding from the survey was that security managers lack visibility into their API inventories. Almost three in four survey respondents neither maintain a full API inventory nor know which of their APIs return sensitive data. Most are relying on network infrastructure providers, which honestly don't provide the required level of visibility for APIs. Just 47% of respondents who use such providers say they have visibility into their active APIs. Only 26% of respondents who use network infrastructure providers say they have visibility into zombie APIs, while 59% said the provider offered visibility into dormant APIs. This lack of awareness translates into API security risk because an invisible API is one that can be compromised without anyone being aware of the problem until it is too late to remediate.

The survey also uncovered that API security testing is not always timely. This is surprising given the prevalence of API security incidents and the high speed at which an API exploit can execute. Just 11% of respondents test APIs in real time.

22% of respondents said they only test APIs a minimum of once a week, while 28% test once a day and 39% are testing less than once a day but up to once per week.

71% of respondents say they are confident in the API security provided by their cloud service provider (CSP). This is startling considering 76% of respondents lack a full API inventory, and 74% experienced an API security incident in the last 12 months. This confidence would appear to be misplaced when viewed in the context of their actual API security experiences.

Further to this point, 67% of respondents expressed high levels of confidence in their traditional dynamic application security testing (DAST) and static application security testing (SAST) tools to test for API security vulnerabilities — something these tools do not adequately do.

UK vs. USA Results

CISOs and senior cybersecurity professionals in the US had somewhat different practices and perceptions of API security than their counterparts in the UK. In the case of real-time API security testing, the difference was pronounced: 14% of UK respondents reported testing in real time versus just 8% of those in the US.

Overall confidence in CSPs ability to handle API security also showed a discrepancy between outlooks in the US and UK. In the US, 80% of respondents were confident in their CSPs. In contrast, 61% of UK respondents had such confidence.

Vertical Market Overview

Results varied by industry, as well. As noted above, the survey covered six verticals: financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy and utilities. Manufacturing reported the highest number of API security incidents (79%), followed by energy and utilities (78%).

Top API security vulnerability by vertical market:

■ Retail and eCommerce: Dormant or zombie APIs (22%)

■ Manufacturing: Dormant or zombie APIs (21%)

■ Healthcare: Authorization vulnerabilities (23%)

■ Financial services: Authorization vulnerabilities (21%)

■ Energy and utilities: Distributed denial of service (DDoS) attacks (21%)

■ Government and public sector: Web Application Firewall (WAF) compromise (20%)

Role type and comparisons

Survey respondents' views varied by role. CIOs seemed to have the best visibility into API inventories and which APIs returned sensitive data. Thirty-two percent of CIOs reported having this ability. In contrast, and perhaps a bit surprisingly, application security (AppSec) team members had the lowest levels of visibility, with 44% saying they had only a partial understanding of their API inventories and which APIs returned sensitive data.

C-level executives had the opposite experience when it came to API security incidents. Eighty-one percent of CISOs said they had experienced an incident in the last 12 months, while just 53% of AppSec team members reported one. These findings suggest that there may be a disconnect between senior leadership and operational teams.

Conclusion

Though we encourage you to read the full report on your own and come to your own conclusions, there is a key revelation in this report. That is that cybersecurity professionals are not fully grasping the seriousness of the risks they face from their APIs. While they admit they are experiencing API security incidents, they simultaneously share that they lack the kind of comprehensive awareness of their APIs that would help mitigate API security risks. They also place confidence in non-API-specific software testing tools, cloud platforms and network operators to protect their APIs, a confidence that is not warranted.

As APIs come under ever more serious attacks, the time seems to have come for these disconnects in API security to be addressed. The risks of inaction and misplaced confidence are too high to ignore.

Methodology: The API Security Disconnect: API Security Trends in 2022 is based on a survey conducted by Opinion Matters, an independent research organization, of 600 respondents from six vertical markets in the US and UK. Surveyed industries include financial services, manufacturing, healthcare, energy & utilities, government & public sector, as well as retail & eCommerce.

Shay Levi is CTO and Co-Founder of Noname Security
Share this

Industry News

February 18, 2025

Check Point® Software Technologies Ltd.(link is external) announced that its Check Point CloudGuard solution has been recognized as a Leader across three key GigaOm Radar reports: Application & API Security, Cloud Network Security, and Cloud Workload Security.

February 13, 2025

LaunchDarkly announced the private preview of Warehouse Native Experimentation, its Snowflake Native App, to offer Data Warehouse Native Experimentation.

February 13, 2025

SingleStore announced the launch of SingleStore Flow, a no-code solution designed to greatly simplify data migration and Change Data Capture (CDC).

February 13, 2025

ActiveState launched its Vulnerability Management as a Service (VMaas) offering to help organizations manage open source and accelerate secure software delivery.

February 12, 2025

Genkit for Node.js is now at version 1.0 and ready for production use.

February 12, 2025

JFrog signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS).

February 12, 2025

mabl launched of two new innovations, mabl Tools for Playwright and mabl GenAI Test Creation, expanding testing capabilities beyond the bounds of traditional QA teams.

February 11, 2025

Check Point® Software Technologies Ltd.(link is external) announced a strategic partnership with leading cloud security provider Wiz to address the growing challenges enterprises face securing hybrid cloud environments.

February 11, 2025

Jitterbit announced its latest AI-infused capabilities within the Harmony platform, advancing AI from low-code development to natural language processing (NLP).

February 11, 2025

Rancher Government Solutions (RGS) and Sequoia Holdings announced a strategic partnership to enhance software supply chain security, classified workload deployments, and Kubernetes management for the Department of Defense (DOD), Intelligence Community (IC), and federal civilian agencies.

February 10, 2025

Harness and Traceable have entered into a definitive merger agreement, creating an advanced AI-native DevSecOps platform.

February 10, 2025

Endor Labs announced a partnership with GitHub that makes it easier than ever for application security teams and developers to accurately identify and remediate the most serious security vulnerabilities—all without leaving GitHub.

February 06, 2025

GitHub announced a wave of new features and enhancements to GitHub Copilot to streamline coding tasks based on an organization’s specific ways of working.

February 06, 2025

Mirantis launched k0rdent, an open-source Distributed Container Management Environment (DCME) that provides a single control point for cloud native applications – on-premises, on public clouds, at the edge – on any infrastructure, anywhere.

February 06, 2025

Hitachi Vantara announced a new co-engineered solution with Cisco designed for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes.