Noname Security has announced the findings from its API security report, “The API Security Disconnect – API Security Trends in 2022”. The report reveals a rapidly growing number of API security incidents, concerning lack of API visibility, and a level of misplaced confidence in existing controls.
Noname Security commissioned independent research organisation, Opinion Matters, to undertake the survey in July 2022. 600 senior cybersecurity professionals in the UK and USA were surveyed from across a variety of enterprise organisations in six key vertical market sectors: financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy and utilities.
Over three quarters (76%) of respondents have suffered an API security incident in the last 12 months, with these incidents primarily caused by Dormant/Zombie APIs, Authorisation Vulnerabilities, and Web Application Firewalls.
Furthermore, nearly three quarters (74%) of cybersecurity professionals do not have a full API inventory, or know which APIs return sensitive data. Noname says this implies that the majority of respondents will struggle to remediate against any API security threats, and not know which to prioritiz]se, if they do not have real-time granular visibility into the APIs in their ecosystems.
Shay Levi, Noname Security CTO and co-founder, comments: “Our research has exposed a disconnect between the high level of incidents, low levels of visibility, effective monitoring and testing of the API environment, and misplaced confidence that current tools are preventing attacks. This emphasizes the need for further education by Security, AppSec, and development teams around the realities of API security testing.”
Other key findings include:
- 71% were confident and satisfied that they were receiving sufficient API protection.
- Less than half (48%) of respondents have visibility into the security posture of Active APIs.
- Only 11% of respondents test APIs for signs of abuse in real-time.
- 39% test less than once per day, and up to once per week
- 67% of respondents are confident that their DAST and SAST tools are capable of testing APIs.
Legacy-based sectors struggle to keep pace with API security testing
Critical infrastructure sectors such as manufacturing and energy and utilities, which typically rely on legacy systems, ranked unfavourably when measured on a number of metrics. They ranked worst on the percentage of API security incidents in the last 12 months, with 79% of manufacturing and 78% of energy and utilities respondents saying they had experienced incidents, of which they were aware.
Energy and utilities companies were also the least likely to have a full inventory of APIs and know which return sensitive data, with just 19% confident about this issue. Manufacturing organizations found it most difficult to scale API security solutions, with just 30% saying they found it easy. Furthermore, real-time testing was at its lowest in energy & utilities (7%), whilst manufacturing, and energy & utilities were most likely to conduct API security testing less frequently than once per month, with 20% and 21% doing this, respectively.
The relative lack of testing in these critical infrastructure sectors correlates with the number of API security incidents they have suffered in the last 12 months, says Noname. This emphasizes the need for standards to be raised in sectors where personal identifiable information, and intellectual property can potentially be seized by bad actors, let alone where physical infrastructure and vital services are at risk.
UK and USA differ over API visibility and reporting
There were a number of differences towards monitoring and visibility of APIs between the two countries surveyed, especially when it comes to reporting in real-time. More UK respondents (28%) have full API inventories, and know which return sensitive data, compared to the USA (24%).
Furthermore, an increased number of respondents in the USA (44%) had visibility into their full inventory of APIs, but were not aware of those returning sensitive data, compared to 38% in the UK. Noname says this could suggest that USA organisations are more concerned with API-driven growth than securing existing APIs.
Disparity in API security approach across job roles
Responses from Application Security (AppSec) teams appear to differ considerably from other job functions surveyed. Compared to 81% of CISOs saying they have experienced an API security incident, only 53% of AppSec professionals said they had. Additionally, 58% of CIOs said it was easy to scale API security solutions, while nearly a third (29%) of AppSec respondents admitted this was difficult.
In terms of testing, only 7% of AppSec professionals tested in real-time for signs of abuse, while 25% stated that they test for API security vulnerabilities less than once a week, and up to once per month.
“The ongoing prioritisation of digital transformation initiatives is introducing an increased number of applications, and therefore APIs, into organisations’ ecosystems,” adds Levi. “The perceived gaps around API security testing between different job functions begs the question as to whether there is a lack of consistency across organizations of what is happening on the frontline. This needs to be addressed urgently; application development needs to adopt a ‘shift left’ approach to security testing, so that testing is undertaken pre-production and teams need to be educated around the benefits of doing this.
“We’ve seen from the likes of Gartner that APIs are quickly becoming the most popular attack vector. Our research demonstrates that if businesses don’t address the security vulnerabilities and widening attack surface presented by an increasing number of APIs, their ability to innovate and offer end-user-friendly solutions will be stifled by potentially debilitating cyber-attacks,” he concludes.
Read the full report here.