40% of Organizations Do Not Have an API Security Solution - Here's What That Means
June 27, 2023

Richard Bird
Traceable AI

The news of T-Mobile's security breach earlier this year was met with an air of inevitability in cybersecurity circles, particularly when it was revealed that an API was the culprit that exposed the sensitive data of 37 million of their customers. This event serves as a reminder of the perils that accompany the transition of many organizations towards a Cloud-first, API-first model. While this shift is undeniable, so too is the resultant API sprawl and the increased incidents of API-related cyber attacks and breaches.

A recurring narrative is emerging in today's digital landscape, characterized by organizations grappling with managing and safeguarding the growing number of APIs within their ecosystem.

Use the player or download the MP3 below to listen to Cybersecurity Awesomeness Podcast - Episode 5 — Chris Steffen and Ken Buckler from EMA discuss API Security.

Click here for a direct MP3 download of Episode 5

At the 2023 RSA Conference, a survey conducted by Traceable brought some troubling facts to the surface about how organizations are handling their API security — a theme that has become ground zero in cybersecurity circles. The survey results were unsettling, indicating that a significant 40% of respondents were operating without an API security solution. Furthermore, 29% did not know whether their organization had any measure in place to secure APIs.

These results underscore the imperative for organizations to immediately secure the full breadth of their API ecosystem. This includes understanding how many APIs they have, where those APIs reside, and what those APIs are doing.

API Security Ownership Remains Fragmented

The issue of API security ownership is fraught with fragmentation among various teams, complicating the scenario further. According to the survey, the landscape is a mix of varying perspectives, with 38% of respondents assigning ownership to the CISO, while 25% stated that development and/or DevOps were the stewards of API security. A further 24% of respondents are in the dark about who holds this responsibility.

It's crucial that we address this uncertainty. This lack of clarity can foster serious blind spots in security coverage, potentially paving the way for API-related breaches. Creating a culture of shared accountability and fostering open communication between different teams can help address these gaps.

Battling API Sprawl

A staggering 66% of the survey respondents either grapple with API sprawl or are uncertain about their organization's competence in managing it effectively. Contending with API sprawl goes beyond API Discovery; it requires a comprehensive strategy encompassing security posture management, threat protection, and threat management. Absent these key pillars, any unknown API becomes a sitting duck for cyber attacks.

Adding another layer to this challenge are the so-called "Zombie APIs." These are outdated, ostensibly disabled APIs that continue to lurk in the shadows of the application infrastructure. They present an additional and often overlooked risk, being ripe for exploitation through a range of API attacks. The consequences of such breaches can be severe, extending from account takeover to fraudulent transactions. In the absence of diligent tracking and management, these Zombie APIs can be accessed easily to harvest data, often allowing malevolent activities to fly under the radar.

Failure to Baseline API Behavior

Among those organizations with dedicated API security solutions, a concerning 25% revealed that their solutions are unable to baseline API behavior. This leaves them blind to both normal and abnormal behavior and therefore, to any anomalies potentially indicative of an API attack. Even more alarming is the fact that half of the respondents confessed their uncertainty regarding the presence of such capabilities in their API security solution.

Baselining — the process of defining what constitutes normal and abnormal API activity — is the hinge of API security. This is ideally done with an API data lake at the core of the solution. It equips organizations with a deep understanding of API context, allowing deviations — possible indicators of an attack or malicious intent — to be spotted more easily. Without this, malevolent activities of threat actors could seamlessly blend into the regular traffic, making them much harder to detect and counter.

The Time is Now

What makes APIs so dangerous is that they present the largest attack surface we have ever encountered in the industry. In the past, hackers had to find ways of bypassing existing solutions, such as WAFs, DLP, or API Gateways, in order to find data and disrupt systems. Now, they can simply exploit an API, and obtain access to sensitive data, and not even have to exploit the other solutions in the security stack.

This is why more organizations need to take API security seriously and make it an integral part of their broader cybersecurity strategy.

Correcting some of the common challenges above begins with designating API security responsibility to a specific person or group. Rather than choosing between security and DevOps teams, many organizations are creating integrated DevSecOps teams to cater to their API security needs due to shared initiatives. No matter which group(s) your organization selects to own API security, make sure everyone involved is fully aware of their responsibilities and expectations.

Breaches of unmonitored, unsecured APIs can also be prevented with a complete API security solution — one that includes security posture management, threat protection and threat management, across the entire software development lifecycle. Once the solutions and responsibilities are in place, organizations should consider a Zero Trust approach to API access. This can actively reduce the attack surface by minimizing or eliminating implied and persistent trust for APIs.

At the end of the day, successful cybersecurity is not about reacting to threats, but proactively mitigating them. Ensuring robust API security is an essential component of this proactive approach.

Richard Bird is Chief Security Officer at Traceable AI
Share this

Industry News

January 30, 2025

OutSystems announced the general availability (GA) of Mentor on OutSystems Developer Cloud (ODC).

January 30, 2025

Kurrent announced availability of public internet access on its managed service, Kurrent Cloud, streamlining the connectivity process and empowering developers with ease of use.

January 29, 2025

MacStadium highlighted its major enterprise partnerships and technical innovations over the past year. This momentum underscores MacStadium’s commitment to innovation, customer success and leadership in the Apple enterprise ecosystem as the company prepares for continued expansion in the coming months.

January 29, 2025

Traefik Labs announced the integration of its Traefik Proxy with the Nutanix Kubernetes Platform® (NKP) solution.

January 28, 2025

Perforce Software announced the launch of AI Validation, a new capability within its Perfecto continuous testing platform for web and mobile applications.

January 28, 2025

Mirantis announced the launch of Rockoon, an open-source project that simplifies OpenStack management on Kubernetes.

January 28, 2025

Endor Labs announced a new feature, AI Model Discovery, enabling organizations to discover the AI models already in use across their applications, and to set and enforce security policies over which models are permitted.

January 27, 2025

Qt Group is launching Qt AI Assistant, an experimental tool for streamlining cross-platform user interface (UI) development.

January 27, 2025

Sonatype announced its integration with Buy with AWS, a new feature now available through AWS Marketplace.

January 27, 2025

Endor Labs, Aikido Security, Arnica, Amplify, Kodem, Legit, Mobb and Orca Security have launched Opengrep to ensure static code analysis remains truly open, accessible and innovative for everyone:

January 23, 2025

Progress announced the launch of Progress Data Cloud, a managed Data Platform as a Service designed to simplify enterprise data and artificial intelligence (AI) operations in the cloud.

January 23, 2025

Sonar announced the release of its latest Long-Term Active (LTA) version, SonarQube Server 2025 Release 1 (2025.1).

January 23, 2025

Idera announced the launch of Sembi, a multi-brand entity created to unify its premier software quality and security solutions under a single umbrella.

January 22, 2025

Postman announced the Postman AI Agent Builder, a suite empowering developers to quickly design, test, and deploy intelligent agents by combining LLMs, APIs, and workflows into a unified solution.

January 22, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of CubeFS.