40% of Organizations Do Not Have an API Security Solution - Here's What That Means
June 27, 2023

Richard Bird
Traceable AI

The news of T-Mobile's security breach earlier this year was met with an air of inevitability in cybersecurity circles, particularly when it was revealed that an API was the culprit that exposed the sensitive data of 37 million of their customers. This event serves as a reminder of the perils that accompany the transition of many organizations towards a Cloud-first, API-first model. While this shift is undeniable, so too is the resultant API sprawl and the increased incidents of API-related cyber attacks and breaches.

A recurring narrative is emerging in today's digital landscape, characterized by organizations grappling with managing and safeguarding the growing number of APIs within their ecosystem.

Use the player or download the MP3 below to listen to Cybersecurity Awesomeness Podcast - Episode 5 — Chris Steffen and Ken Buckler from EMA discuss API Security.

Click here for a direct MP3 download of Episode 5

At the 2023 RSA Conference, a survey conducted by Traceable brought some troubling facts to the surface about how organizations are handling their API security — a theme that has become ground zero in cybersecurity circles. The survey results were unsettling, indicating that a significant 40% of respondents were operating without an API security solution. Furthermore, 29% did not know whether their organization had any measure in place to secure APIs.

These results underscore the imperative for organizations to immediately secure the full breadth of their API ecosystem. This includes understanding how many APIs they have, where those APIs reside, and what those APIs are doing.

API Security Ownership Remains Fragmented

The issue of API security ownership is fraught with fragmentation among various teams, complicating the scenario further. According to the survey, the landscape is a mix of varying perspectives, with 38% of respondents assigning ownership to the CISO, while 25% stated that development and/or DevOps were the stewards of API security. A further 24% of respondents are in the dark about who holds this responsibility.

It's crucial that we address this uncertainty. This lack of clarity can foster serious blind spots in security coverage, potentially paving the way for API-related breaches. Creating a culture of shared accountability and fostering open communication between different teams can help address these gaps.

Battling API Sprawl

A staggering 66% of the survey respondents either grapple with API sprawl or are uncertain about their organization's competence in managing it effectively. Contending with API sprawl goes beyond API Discovery; it requires a comprehensive strategy encompassing security posture management, threat protection, and threat management. Absent these key pillars, any unknown API becomes a sitting duck for cyber attacks.

Adding another layer to this challenge are the so-called "Zombie APIs." These are outdated, ostensibly disabled APIs that continue to lurk in the shadows of the application infrastructure. They present an additional and often overlooked risk, being ripe for exploitation through a range of API attacks. The consequences of such breaches can be severe, extending from account takeover to fraudulent transactions. In the absence of diligent tracking and management, these Zombie APIs can be accessed easily to harvest data, often allowing malevolent activities to fly under the radar.

Failure to Baseline API Behavior

Among those organizations with dedicated API security solutions, a concerning 25% revealed that their solutions are unable to baseline API behavior. This leaves them blind to both normal and abnormal behavior and therefore, to any anomalies potentially indicative of an API attack. Even more alarming is the fact that half of the respondents confessed their uncertainty regarding the presence of such capabilities in their API security solution.

Baselining — the process of defining what constitutes normal and abnormal API activity — is the hinge of API security. This is ideally done with an API data lake at the core of the solution. It equips organizations with a deep understanding of API context, allowing deviations — possible indicators of an attack or malicious intent — to be spotted more easily. Without this, malevolent activities of threat actors could seamlessly blend into the regular traffic, making them much harder to detect and counter.

The Time is Now

What makes APIs so dangerous is that they present the largest attack surface we have ever encountered in the industry. In the past, hackers had to find ways of bypassing existing solutions, such as WAFs, DLP, or API Gateways, in order to find data and disrupt systems. Now, they can simply exploit an API, and obtain access to sensitive data, and not even have to exploit the other solutions in the security stack.

This is why more organizations need to take API security seriously and make it an integral part of their broader cybersecurity strategy.

Correcting some of the common challenges above begins with designating API security responsibility to a specific person or group. Rather than choosing between security and DevOps teams, many organizations are creating integrated DevSecOps teams to cater to their API security needs due to shared initiatives. No matter which group(s) your organization selects to own API security, make sure everyone involved is fully aware of their responsibilities and expectations.

Breaches of unmonitored, unsecured APIs can also be prevented with a complete API security solution — one that includes security posture management, threat protection and threat management, across the entire software development lifecycle. Once the solutions and responsibilities are in place, organizations should consider a Zero Trust approach to API access. This can actively reduce the attack surface by minimizing or eliminating implied and persistent trust for APIs.

At the end of the day, successful cybersecurity is not about reacting to threats, but proactively mitigating them. Ensuring robust API security is an essential component of this proactive approach.

Richard Bird is Chief Security Officer at Traceable AI
Share this

Industry News

November 21, 2024

Red Hat announced the general availability of Red Hat Enterprise Linux 9.5, the latest version of the enterprise Linux platform.

November 21, 2024

Securiti announced a new solution - Security for AI Copilots in SaaS apps.

November 20, 2024

Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.

November 20, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:

November 20, 2024

Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.

November 20, 2024

Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.

November 19, 2024

OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.

November 19, 2024

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.

November 19, 2024

Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.

November 19, 2024

Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.

November 19, 2024

Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.

November 19, 2024

Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.

November 19, 2024

Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.

November 18, 2024

MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.