Written by Shay Levi, CTO and co-founder, Noname Security
API security breaches are increasing, even as many organisations express confidence in their security strategies. Is there a disconnect between perception and reality?
APIs are the connective tissue linking applications and services in the modern enterprises that fuel today’s digital economy. But unfortunately, APIs are a lucrative target for attackers and our latest API Security report reveals these connections may be more vulnerable than companies realise.
We surveyed over 600 cybersecurity professionals and uncovered a troubling disconnect: 78% said they suffered an API security breach in the last 12 months, yet 94% expressed confidence in their security tools. This gap between perception and reality persists from our previous annual survey, indicating an ongoing lack of awareness of API security threats. As businesses rely on APIs more than ever, it’s essential to properly gauge risks and implement robust protections.
Key trends in API security
Our report highlights that API security-related breaches are rising: 76% of respondents reported one in our 2022 report, compared with 78% in 2023. Attacks are therefore trending upward despite high confidence levels. In 2023, the top attack vectors have shifted from dormant APIs and authorisation issues to web application firewalls, network firewalls, and API gateways. So, while attack methods are continuously evolving, security strategies do not appear to be keeping pace.
Perhaps more concerning, our findings show that 72% of organisations claim to have full API inventories, but only 40% know which APIs handle sensitive data. In my own analysis of hundreds of companies’ API landscapes, I have frequently seen organisations flying blind, lacking visibility into their own inventories. Incomplete API inventories can leave massive gaps in an organisation’s API security strategy. Security teams also need an API inventory to gain a realistic view of their attack surface and risk posture, which helps them prioritise the wide range of API security activities that must be accounted for.
On a more positive note, the report revealed that 55% of organisations now perform real-time or daily API security testing, up from 39% in 2022, but this still falls short of matching the frequency of API security attacks. Over half of the organisations surveyed cited lost customer goodwill and churn of customer accounts after API security incidents. The financial and reputational damage resulting from these incidents can be catastrophic.
A lack of cohesion, leading to potential blind spots
One of the most significant disconnects highlighted in our report is across roles within organisations. While 84% of CTOs reported API security breaches, only 48% of application security specialists directly managing APIs acknowledged such breaches. Web application firewalls were identified as the top attack vector for AppSec teams, while others pointed to a mix of vectors including network firewalls and API gateways.
Interestingly, only 84% of AppSec professionals expressed confidence in their security tools compared to 95% of those in other roles. These mixed signals indicate a lack of cohesion and potential blind spots across security teams.
The ongoing rise in API security breaches over the past few years makes it clear this is not just a passing fad, but a serious issue that demands urgent attention. Our repeated survey findings demonstrate a consistent pattern of escalating API security attacks, rather than this being an anomaly or temporary spike.
The API threat landscape is intensifying
This data shows that the API threat landscape is only intensifying with time, as more hackers recognise the value of targeting these vulnerabilities. APIs now provide an extremely attractive vector for data theft, service disruption, and other cybercrimes.
Ignoring or downplaying these risks is no longer viable given the empirical evidence. Organisations must accept that API security threats are a pressing reality that can severely impact operations and reputation. Proactive mitigation of API security vulnerabilities needs to become an immediate priority across industries.
Companies can’t afford to be complacent or slow to respond as API attacks proliferate. The time to implement robust API security measures is now, before incidents spiral out of control. Prioritising this area and dedicating appropriate resources is imperative. APIs represent a clear and growing danger facing all enterprises in today’s digital ecosystem.
A complex picture of API security
Our report paints a complex picture of API security. Breaches are demonstrably increasing, underlining APIs’ importance as attack vectors. But confidence and readiness don’t align with mounting threats. Patchwork visibility and testing approaches leave major gaps. And differing perceptions across functions suggest a lack of holistic understanding and strategy.
API security can’t be an afterthought given the role of APIs in connecting vital systems and data. Companies must approach protection proactively, not reactively. That requires complete visibility and scanning of the entire API inventory along with robust monitoring and testing. Rapid development and deployment of APIs also demand that developers fix issues earlier in the process, before going live.
Organisations should implement centralised API security centres to unify insights across teams. API security tooling should be able to offer a range of capabilities throughout the lifecycle and provide the necessary context to stop attacks and data exposures for an organisation’s unique API business logic.
As attack surfaces expand, enterprises can’t be complacent
As attack surfaces expand, enterprises can’t be complacent. They must accurately assess their API risk, make security a priority backed by budget, and bridge the gap between perception and reality. The coming year may be a watershed for API security as threats rise. Companies that align confidence with robust precautions will maintain their advantage. Those still underestimating risks may suffer the consequences.
In my experience, having a centralised API security team is crucial to connect visibility and insights across the organisation; API security is now a competitive advantage. Customers recognise and reward companies that invest in robust API protections. Enterprises absolutely cannot afford to underestimate API threats any longer – the time to shore up defences is now.