Research by API security company Traceable and Ponemon Institute shows that API security is not yet getting the attention it deserves. While threats are only increasing, organizations aren’t getting their APIs tested for vulnerabilities nearly enough.
Traceable warns of the inherent potential threat that comes with API use. They significantly increase the attack surface for cybercrime, in part because in many cases they control the traffic between critical services and sensitive data.
1,600 cybersecurity professionals worldwide participated in the survey. Within the EMEA region (Europe, the Middle East and Africa), there were 938 participants. There, 59 percent admitted that APIs are critical to their organization’s digital initiatives. That is not too surprising, considering that an enterprise typically has more than 10,000 of them running across all of its cloud environments, on-prem systems and external-facing services. The organizations that participated in the survey maintain an average of 1,044 APIs.
Despite this widespread use, 43 percent admitted that API security is not a priority for them. With the current shortage of security expertise, it appears that hard choices sometimes have to be made, and APIs end up as a cost-cutting casualty. In many cases, organizations don’t even know how much data flows between the corporate network and external sources via APIs. Without that baseline, detecting data exfiltration becomes virtually impossible.
Many data breaches
60 percent of the professionals surveyed have experienced at least one API attack. However, this danger is often difficult to recognize at all: a threat actor can pass as an ordinary user and make unwanted requests that are hard to distinguish from legitimate traffic. Organizations that don’t test for vulnerabilities are flying blind in this regard, yet only 39 percent of APIs in use are regularly tested. As a result, organizations believe they can prevent only 26 percent of all attacks, and detect and contain only 20 percent of them.
In many cases these attacks are relatively predictable or simplistic: DDoS (38 percent) and attacks with known signatures (30 percent) top the list. This suggests that malicious actors consider fairly simple tactics sufficient. The consequences are real: companies that fell victim to an API attack saw the value of their brand damaged (52 percent), incurred financial losses (51 percent) or were robbed of intellectual property (50 percent).
The full report can be accessed here.