Elevating API Security for Strengthening Cyber Defense

A recent report by Traceable AI and Ponemon Institute has highlighted the growing API security crisis due to a lack of prioritization and understanding. APIs, which are essential for many operational processes, have become increasingly vulnerable to breaches and attacks.

According to the report, within the last two years, 60% of organizations have faced at least one API-related breach. Shockingly, 74% of these organizations have experienced three or more incidents, indicating a relentless threat landscape. Even more concerning is the fact that 23% of organizations have endured six or more breaches.

Distributed Denial-of-Service (DDoS) attacks are one of the primary methods of API breaches, accounting for 38% of incidents. This is a significant cause for concern, considering that 58% of respondents agree that APIs substantially expand an organization’s attack surface. These figures demonstrate the urgent need to address API security and its vulnerabilities.

The report also reveals that only 38% of organizations are capable of distinguishing intricate contexts between API activity, user behaviors, and data flow. Furthermore, 57% of respondents feel that traditional security solutions, including web application firewalls, are ineffective in differentiating genuine from fraudulent API activity. This lack of capability poses a significant challenge in dealing with API-related risks.

Looking ahead, 61% of respondents anticipate a rise in API-related risks within the next two years. This is compounded by other challenges organizations face, such as API sprawl (48%) and keeping an accurate inventory (39%). Managing external threats from an average of 127 third-party API connections is particularly challenging, with only 33% expressing confidence in their ability to do so. Additionally, uncertainties regarding the volume of data transmitted through APIs further highlight the need for advanced breach detection solutions.

Startlingly, despite acknowledging the importance of APIs to their organization’s digital transformation (59% of respondents), 43% admitted to not prioritizing API security. This lack of prioritization is reflected in the fact that only 39% of APIs are continually tested for vulnerabilities. Consequently, organizations are only confident in preventing an average of 26% of attacks, and only 20% of API attacks can be effectively detected and contained.

Richard Bird, the Chief Security Officer (CSO) of Traceable, expressed concern over the lack of attention given to API security. Bird emphasized the need for API security to be elevated from the server room to the boardroom, urging the security community to prioritize it as a cornerstone of their cyber defense strategy. By doing so, organizations can hope to stay ahead of the evolving threat landscape.

In conclusion, the report highlights the urgent need to address API security concerns. The increasing number of API-related breaches and the inability of traditional security solutions to effectively differentiate fraudulent activity demonstrate the growing crisis. To mitigate risks and protect organizations’ digital ecosystems, API security must be given the attention it deserves and be considered a vital aspect of overall cyber defense strategies.
