The Battle of Securing APIs: 2023 State of API Security At-A-Glance
November 06, 2023

Richard Bird
Traceable AI

In the battle to secure APIs, many organizations are losing. The reason being that many organizations don't know the extent of API risk. From complacency in creating comprehensive security risk profiles for APIs, failing to pinpoint API endpoints managing sensitive data without adequate authentication, and deferring finding a consensus on who should own the responsibility of API security, organizations are coming up short.


Traceable AI partnered with the Ponemon Institute to conduct a survey of over 1,600 cybersecurity professionals across the US, UK and EU, titled The 2023 State of API Security: A Global Study on the Reality of API Risk. Here's what we learned:

Persistent and Escalating API Breaches and Challenges Lead to Harsh Consequences

Unfortunately, API-related breaches are alarmingly common. The majority of organizations surveyed (60%) have fallen victim to API-related incidents within the past two years, and out of those, 74% suffered from three or more breaches. Worse, 23% endured over six breaches. These findings suggest a consistent security gap.

The consequences of API data breaches are brutal. Financial loss and loss of intellectual property (IP) were the most severe experienced by 52% of the affected organizations. Brand value erosion was also reported by 50% of respondents.

And the risks are only expected to worsen. 61% of respondents anticipate that API risks will increase over the next 12 to 24 months.

While maintaining an accurate API inventory and prioritizing APIs for remediation emerged as considerable hurdles, one of the biggest challenges proves to be API sprawl.

Nearly half of the respondents (48%) highlight preventing API sprawl as a top issue. API sprawl is when many APIs of different types are spread over many locations and managed by different teams. The result is zombie APIs, which remain in the shadows, unused, and vulnerable to attacks.

Who Owns API Security?

A huge contributor to the problem of API sprawl and growing API breaches is the lack of consensus on where the responsibility for API security should ideally reside. When asked this question, roles like CISO/CSO, CIO/CTO, and the Head of Quality Assurance were all within a few percentage points of each other.

In addition, only 43% of organizations have policies and procedures in place to manage and oversee the use of APIs, and only 44% of respondents say their organizations are highly effective in ensuring APIs are consistent across an organization.

On one hand, this could be a sign of the nature of API security, which necessitates collaboration across departments. On the other hand, it might point to a lack of clarity or potential silos within organizations, leading to possible inefficiencies or overlaps in efforts.

So How Do We Solve It? Embrace Zero Trust

A zero-trust architecture aims to move defenses from static, network-based perimeters to users, assets and resources. Traditional perimeter-based solutions such as WAFs, WAAP, VPNs, next-gen firewalls and network access control (NAC) products are ineffective at securing the expanding API attack surface. Zero Trust segments access and limits user permissions to specific applications and services and assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership.

40% of organizations have adopted a Zero Trust framework and of these respondents, 55% say their Zero Trust strategy includes API security.

The maturity of most organizations' Zero Trust strategy is at the early adoption or middle adoption stages with early adopters at 27% and middle stage adopters at 32%.

What the Future Holds

APIs, once seen as mere tools of interconnectivity, have clearly established their centrality in the modern digital ecosystem. This extensive survey not only sheds light on their current significance but also underscores their escalating role in the future.

From the data, we can conclude that API security is not an optional or secondary consideration. It's a necessity, a lifeline. Organizations have come to recognize that APIs, while being enablers of digital transformation, are also potential entry points for compromise.

There's hope in the statistics: the embrace of Zero Trust security strategies, with a particular focus on APIs, is a step in the right direction. Moreover, the acknowledgment that APIs broaden the attack surface reaffirms their criticality. With a prevailing sentiment that API risks will surge in the future, the imperative to bolster security measures becomes even more pronounced.

As we gaze into the future of API security, two things are clear: the increasing integration of APIs will bring both promise and challenges. API security will not only be an operational requirement but a cornerstone of enterprise strategy.

Richard Bird is Chief Security Officer at Traceable AI
Share this

Industry News

March 05, 2025

MacStadium(link is external) announced the extended availability of Orka(link is external) Cluster 3.2, establishing the market’s first enterprise-grade macOS virtualization solution available across multiple deployment options.

March 05, 2025

JFrog is partnering with Hugging Face, host of a repository of public machine learning (ML) models — the Hugging Face Hub — designed to achieve more robust security scans and analysis forevery ML model in their library.

March 05, 2025

Copado launched DevOps Automation Agent on Salesforce's AgentExchange, a global ecosystem marketplace powered by AppExchange for leading partners building new third-party agents and agent actions for Agentforce.

March 05, 2025

Harness completed its merger with Traceable, effective March 4, 2025.

March 04, 2025

JFrog released JFrog ML, an MLOps solution as part of the JFrog Platform designed to enable development teams, data scientists and ML engineers to quickly develop and deploy enterprise-ready AI applications at scale.

March 04, 2025

Progress announced the addition of Web Application Firewall (WAF) functionality to Progress® MOVEit® Cloud managed file transfer (MFT) solution.

March 04, 2025

Couchbase launched Couchbase Edge Server, an offline-first, lightweight database server and sync solution designed to provide low latency data access, consolidation, storage and processing for applications in resource-constrained edge environments.

March 04, 2025

Sonatype announced end-to-end AI Software Composition Analysis (AI SCA) capabilities that enable enterprises to harness the full potential of AI.

March 03, 2025

Aviatrix® announced the launch of the Aviatrix Kubernetes Firewall.

March 03, 2025

ScaleOps announced the general availability of their Pod Placement feature, a solution that helps companies manage Kubernetes infrastructure.

March 03, 2025

Cloudsmith raised a $23 million Series B funding round led by TCV, with participation from Insight Partners and existing investors.

February 27, 2025

IBM has completed its acquisition of HashiCorp, whose products automate and secure the infrastructure that underpins hybrid cloud applications and generative AI.

February 27, 2025

Veeam® Software announces Veeam Kasten for Kubernetes v7.5, designed to deliver Kubernetes-native data resilience for enterprises.

February 27, 2025

DeepSource released Globstar, an open-source project bringing code security tooling to the AppSec community, with no restrictions on commercial usage.

February 26, 2025

Google Cloud announced the public preview of Gemini Code Assist for individuals, a free version of Gemini Code Assist that will give students an easy-to-use free AI coding assistant with the highest usage limits available