A new survey reveals that chief information officers, chief technology officers, vice presidents of IT, and IT directors from global organizations across North America, EMEA and APAC may have a false sense of security regarding application programming interface (API) protection.
The Radware 2022 State of API Security report reveals that API usage is rising. Ninety-two percent (92%) of the organizations surveyed have significantly or somewhat increased their API usage, with 59% already running most of their applications in the cloud. Almost 97% of organizations use APIs for communications between workloads and systems, highlighting the growing reliance on APIs in day-to-day business operations.
The report reveals four main trends.
The real and underestimated threat of undocumented APIs
While 92% of those surveyed believe they have adequate protection for their APIs and 70% believe they have visibility into applications that are processing sensitive data, 62% admit a third or more of APIs are undocumented. Undocumented APIs leave organizations vulnerable to cyber threats, such as database exposures, data breaches, and scraping attacks.
Bot attacks remain a threat, along with misperceptions about API protection
Nearly one-third of companies (32%) surveyed stated that automated bot attacks are one of the most common threats to APIs. In terms of detecting an API attack, 29% say they rely on alerts from an API gateway and 21% rely on web application firewalls (WAF).
API attacks are flying under the radar
Half of the companies surveyed viewed their existing tools as only somewhat or minimally effective at protecting their APIs, with 7% reporting that the solutions they have in place did not identify any attacks. The inability of the existing tools to adequately protect APIs from common threats further adds to the false security narrative.
Open source contributes to the security myth
Sixty-five percent of respondents believe that open-source code is more secure than proprietary code, and nearly 74% believe that container-based deployments and microservice architectures are more secure than monolithic architectures and deployments by default.
According to Michelle McLean, Vice President at Salt Security, the findings reinforce that API security is vastly under prioritized, and the time is now to turn the dial and incorporate adequate solutions as old tools are not enough.
“Time and time again, we have seen companies roll out robust security tooling and sophisticated applications security teams, but this has still not stopped attackers from leveraging APIs to access sensitive data and services,” McLean says. “Organizations must shift their focus and consider actions they can take to mitigate these issues and close the security gap. Time and effort must be invested to understand the API attack landscape and the critical capabilities needed to protect vital assets. Architecture for any API solution put in place is key as it provides the ability to capture substantial context about API usage over time. Additionally, evaluating the API integrations between an organization’s systems and applications is crucial.”
If enterprises fail to take action, McLean says this lack of defense will continue to present significant business risk. “As a result will slow business innovation, compromise consumer confidence, and cause disruption to modernization efforts,” McLean notes. “Continued awareness and research around the problem are welcomed as greater understanding about the broader market is necessary.”
The full report can be found on Radware’s website.
