
Unveiling Unknown Risk: Insights from the Latest Data


The proliferation of cloud applications has provided organizations with numerous opportunities and advantages in the digital landscape. However, along with these benefits, there are also potential risks that organizations must be aware of and address. A recent report by Traceable, titled “2023 State of API Security: Global Findings,” sheds light on the nature of these risks and the challenges that organizations face in mitigating them.

The report gathered insights from 1,629 respondents across more than 100 countries and six major industries. The findings are concerning, with 74% of organizations experiencing at least three API-related data breaches in the past two years. This alarming trend highlights the need for organizations to take API security seriously.

One of the key issues identified in the report is the presence of unknown risks. Despite the rise in API breaches, the study found that 40% of organizations only test a fraction of their APIs for vulnerabilities. This lack of comprehensive testing results in a low confidence level of just 26% in preventing attacks. Additionally, only 21% of API attacks are detectable and containable, indicating that many attacks go undetected and unaddressed.

The main challenge faced by organizations is the lack of awareness and understanding of the extent of API risk. Surprisingly, only 27% of organizations prioritize having a security risk profile for every API. This oversight may be attributed to management underestimating the risk (cited by 49% of respondents) and a lack of understanding of threat-reduction measures (cited by 37% of respondents).

The proliferation of APIs contributes to an expanded attack surface, as highlighted in the report. Approximately 58% of respondents agree that APIs inevitably increase the attack surface across all technology layers. This expansion of the attack surface is driven by several factors.

Firstly, the sheer volume of APIs used by organizations is considerable. With 88% of organizations utilizing over 2,500 cloud applications and managing thousands of APIs, the potential for vulnerabilities increases exponentially. Organizations not only develop their own APIs but also integrate third-party APIs to extend their functionality. Each integration represents a new potential attack vector that requires thorough examination.

Secondly, the diversity of API types further complicates the security landscape. Organizations rely on various APIs such as open-to-partner, third-party, and internal APIs. The risk profiles of these APIs can vary significantly. Public APIs, accessible to a broad audience, may be more susceptible to different attack vectors, while internal APIs, often perceived as secure, may be vulnerable to insider threats. The report highlights that 58% of participants agree that APIs amplify the attack surface across the entire technology stack.

The report also reveals the varied perceptions about API-related risks within the industry. While 52% of respondents recognize the importance of having a security risk profile for every API, an almost equivalent 47% consider it to be of low to moderate importance. Alarmingly, 8% view it as negligible. This discrepancy in understanding and acknowledgment of API risks poses a potential weakness in organizations’ digital armor.

The notion of unknown risk is closely tied to the expanding API landscape. With 40% of organizations only intermittently testing their APIs for vulnerabilities, many potential threats remain undetected. Only 21% of API-related attacks are detectable and containable, suggesting that a majority of attackers exploit these unknown risks. Although 27% of organizations prioritize API security profiling, a significant number may remain unaware of the hidden threats lurking within their digital frameworks.

Understanding and addressing these unknown risks require organizations to confront both tangible and intangible challenges. It is not only about identifying potential threats but also about overcoming barriers within organizations that hinder effective risk recognition and mitigation.

As the role of APIs in organizational infrastructures continues to grow, the associated unknown risks become more pronounced. The intricate interplay between the volume, diversity, and infrequency of risk evaluation presents significant vulnerabilities for organizations. Managing APIs is not just about quantity; it is about recognizing blind spots and taking proactive measures to address them.

In conclusion, the Traceable report highlights the escalating risks associated with APIs in the digital landscape. Organizations need to prioritize API security and conduct comprehensive testing to reduce the incidence of breaches. The industry as a whole must improve its understanding and awareness of API-related risks to ensure robust cybersecurity measures. Only by addressing these unknown risks can organizations achieve a more secure and resilient digital environment.
