
Recent research by Noname Security shows that many organizations say they understand the need to properly protect APIs. In practice, however, the same research shows that these organizations still do not do so. A fundamental lack of knowledge seems to be the cause.

Virtually all modern environments use APIs to connect their various components. About 80 percent of all Internet traffic passes through an API at some point. Add to that the fact that with an API you establish a direct connection to systems and data, and it is clear that APIs are a favorite target for attackers to abuse. APIs are the getaway car in attacks because they are “an excellent vehicle for data exfiltration,” Noname Security CMO Mike O’Malley points out in conversation with us. You can steal information from a company virtually undetected via this route. Not just a single piece of information, but a lot at once.

With the above in mind, the findings reported by Noname Security in the API Security Disconnect 2023 report are not hopeful. That is, things don’t seem to be moving in the right direction yet in the fight against API security threats. While many organizations claim to have API security high on their list of priorities, in practice they don’t do much about it. 94 percent of respondents to the survey say they have tools to protect APIs, but 78 percent have experienced an API-related security incident in the 12 months prior to participating in the survey. In other words, something isn’t quite right. What exactly? We discuss that with O’Malley.

Lack of knowledge about API security

The above figures indicate that there is a big discrepancy between what organizations think API security is and what it takes in practice to get it right. In itself, this is not surprising, as API security is a relatively young discipline, and at this early stage there is simply a lot of ambiguity. In addition, it is not surprising that organizations somewhat overestimate themselves when they have to answer questions in a survey. In fact, we see that all the time. Nobody likes to admit that something is not going well, even when anonymously filling out a questionnaire. Obviously, a lack of knowledge does not help either.

O’Malley certainly notices a lack of knowledge in the market. You can also see that from the survey, according to him. Indeed, it seems that many respondents talk about a Web Application Firewall (WAF) or Application Gateways as tools with which to secure APIs. However, that is a misconception. These cannot dig deep enough and do not provide context. We have talked about this at length in previous articles on API security as well.

Organizations in general still rely very heavily on the API Gateway, and they generally use the information from the API Gateway to determine their inventory of APIs as well. That in itself is a good starting point and gives an overview of the number of APIs in an organization. However, information from an API Gateway does not give you precise insight into which APIs are connecting to sensitive data, such as PII. Again, context matters, and that is context that API Gateways generally cannot provide.
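As an added illustration of the point above (example code written for this article, not from the report or from Noname Security's product): a constructed gateway inventory carries only method, path and traffic volume, and it is only by inspecting sampled response bodies that a route can be tagged as exposing PII. The routes, field-name list, value patterns and sample responses are all constructed for the example.

```python
import re

# Constructed sample of what an API Gateway inventory typically gives you:
# route, method and traffic volume, but nothing about the data flowing through.
GATEWAY_INVENTORY = [
    {"method": "GET", "path": "/v1/users/{id}", "requests_24h": 18234},
    {"method": "GET", "path": "/v1/catalog/items", "requests_24h": 90112},
    {"method": "POST", "path": "/v1/orders", "requests_24h": 4021},
]

# Constructed sample response bodies: the traffic-level context the gateway lacks.
SAMPLE_RESPONSES = {
    "/v1/users/{id}": {"id": 42, "name": "A. Example", "email": "a.example@example.com",
                       "profile": {"ssn": "123-45-6789", "phone": "+1-555-0100"}},
    "/v1/catalog/items": {"items": [{"sku": "X-1", "price": 9.99}]},
    "/v1/orders": {"order_id": 77, "shipping": {"address": "1 Main St", "postcode": "00000"}},
}

# Two complementary signals (both assumptions for this example): field names that
# conventionally carry PII, and value patterns that look like PII under any key.
PII_FIELD_NAMES = {"email", "ssn", "phone", "address", "dob", "date_of_birth", "passport"}
PII_VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}

def find_pii(node, found=None):
    """Walk a decoded JSON document and collect the PII categories it appears to carry."""
    found = set() if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() in PII_FIELD_NAMES:
                found.add(key.lower())
            find_pii(value, found)
    elif isinstance(node, list):
        for item in node:
            find_pii(item, found)
    elif isinstance(node, str):
        for category, pattern in PII_VALUE_PATTERNS.items():
            if pattern.match(node):
                found.add(category)
    return found

def classify_inventory(inventory, samples):
    """Enrich each gateway route with the PII categories seen in its sampled responses.
    A route with no sample gets an empty set: the gateway metadata alone says nothing."""
    return {entry["path"]: find_pii(samples.get(entry["path"], {})) for entry in inventory}

if __name__ == "__main__":
    for path, categories in classify_inventory(GATEWAY_INVENTORY, SAMPLE_RESPONSES).items():
        print(f"{path:22} PII: {sorted(categories) or 'none'}")
```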

Growing pains are part of maturing

All in all, API security as a discipline faces growing pains. However, it is moving in the right direction, according to O’Malley. At least that is one conclusion that can be drawn from the survey. Respondents this year indicated that the primary attack vectors are WAFs, firewalls and API Gateways, whereas last year Zombie APIs topped this list. According to him, this indicates that there is more awareness about the limitations of those tools, even if this awareness still does not lead to actually setting up API security properly.

O’Malley expects another step forward by next year’s survey. “We will go from not knowing where the APIs are [last year, ed.], through the realization that WAF and API Gateways are not enough [this year, ed.], to real attack vectors next year,” he summarizes. These include the OWASP Top 10 API security threats. If that is the case, API security as a discipline can be considered to be mature. By this we do not mean to suggest that the platform of a company such as Noname Security currently isn’t mature. We are mainly referring to the perception in the market.

Also read: OWASP lists the 10 biggest API dangers, help is on the way

APIs must be secured by default

API security is still sometimes dismissed as some kind of hype. We also notice this when we ask other (security) vendors about it. The gist is usually that API security should not be a separate tool; rather, all solutions and platforms that use APIs should more or less guarantee that those APIs are also secure. For example, we have already heard from several low-code development platforms that API security plays no role there, because it is impossible to include an insecure API in the process without it being discovered before an application goes live. We have heard similar stories from other corners of the market.

We cannot verify the above claims, although there are obviously checks in other tools on the quality and basic security of APIs. However, it isn’t clear whether those checks go far enough. If an API looks secure and good on the outside and thus passes basic screening, the information passing back and forth may still have been tampered with.

Furthermore, not only is each API unique – which makes it difficult to protect them generically – they are also quite dynamic. That is, developers modify them regularly, so it is not inconceivable that a change introduces a vulnerability. However, these APIs are not tested on a daily basis. “This is also due to the fact that many organizations do not know that API testing is possible,” says O’Malley, giving a major reason for this mismatch. This is yet another sign that API security has still not penetrated far enough within organizations.

TIP: Noname Security introduces tool to leave no API untested

API security is becoming more mainstream

By the way, we do agree that API security should be part of solutions and platforms. However, we are not there yet. O’Malley does see some encouraging developments in this regard. “Companies like Cisco and F5 Networks want to build API security into their products, which indicates that there really is a market for it,” he indicates. He goes on to point out the partnerships Noname Security has with Intel and IBM, among others. These also ensure that API security becomes part of a bigger picture, which is a good development. Finally, within the API landscape, there is also a partnership with Mulesoft.

All in all, the API security market of late 2023/early 2024 is a totally different market than the one we described a few years ago. It is much more mature now. Awareness within organizations seems to be moving in the right direction. However, there are still challenges in execution within these organizations. That in itself is not strange and is in fact always the case with new developments. That is the disconnect to which the API Security Disconnect report refers.

However, there is a chance that Noname will have to rename this report within a few years. At least that is what the movements in the market – which we discussed in this article – suggest. In addition to the awareness that something needs to be done about API security, organizations are also increasingly realizing that existing tools cannot do it. Right now, many organizations still lack knowledge on the subject. However, this is changing. How fast it will change is hard to predict. If it is up to Noname Security, it will be very quick. Especially with the help of partnerships and other major players in the market that are putting more emphasis on it, the velocity of the API security snowball will increase even more.

For completeness: the API Security Disconnect 2023 report, from which we discuss some of the outcomes in this article, is available from Noname Security after filling in a form.