Survey Finds API Security Incidents on the Rise

A Salt Security survey of more than 200 security, application and DevOps professionals finds 94% of respondents have experienced an API security incident in the past 12 months, with nearly two-thirds (64%) having delayed application rollouts as a result of API security concerns.

More than half of respondents (55%) also discovered a vulnerability in an API in the past 12 months. More troubling still, 85% of respondents said they are not confident they know which APIs expose sensitive data. An equal percentage also said they have some doubt about the completeness of their API inventory. APIs are updated weekly or monthly by an equal percentage of respondents (28%), with only 6% updating them daily. Postman (40%) followed by an API management platform (34%) and Swagger (28%) are the tools respondents employed most to document and inventory APIs.

Against that backdrop, 40% of respondents cited the risk of “zombie APIs” that the organization has forgotten about as their top concern. Lack of pre-production security is the leading concern (26%) respondents had about their overall API management program, followed closely by inadequate runtime security (20%).

On the plus side, the survey finds more than one-third of respondents (36%) have more than a basic API security strategy in place. Another 27% said they have an intermediate-level strategy, while 11% described their strategy as advanced. However, just over a quarter (26%) admit they have no API security strategy at all.

Nearly three-quarters (71%) believe that, despite these issues, the API security tools they have in place are either very effective (16%) or somewhat effective (55%). The ability to stop an API attack was rated as the most important attribute of an API security platform (55%) followed by the ability to identify which APIs expose personally identifiable information (PII) or other sensitive data (52%).

The top means for detecting API attacks are analyzing log files (55%), alerts from an API gateway (49%), alerts from a web application firewall or other security tool (49%) and authentication errors (47%).
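Two of the findings above, the uncertainty about the completeness of API inventories and the reliance on log analysis and authentication errors for detecting attacks, can be joined in a single defensive check. The script below is an added example and is not code from the article or from Salt Security. It assumes a hypothetical, constructed access-log format of `method path status user`, a constructed OpenAPI-style inventory of documented routes, and an arbitrary threshold of three authentication failures per route. It flags requests to routes that are absent from the inventory (candidate "zombie" or undocumented APIs) and routes that accumulate repeated 401/403 responses.

```python
import re
from collections import Counter

# Constructed sample: an OpenAPI/Swagger-style inventory of documented routes.
# Path templates use {name} placeholders, as OpenAPI path templating does.
INVENTORY = {
    "GET /api/v1/users/{id}",
    "POST /api/v1/orders",
    "GET /api/v1/orders/{id}",
}

# Constructed sample log lines in a hypothetical "method path status user" format.
# A "-" user means the request carried no authenticated identity.
SAMPLE_LOG = """\
GET /api/v1/users/42 200 alice
GET /api/v1/users/43 401 -
GET /api/v1/users/44 401 -
GET /api/v1/users/45 401 -
GET /api/v1/users/46 401 -
POST /api/v1/orders 201 bob
GET /api/v2beta/export 200 -
GET /api/v2beta/export 200 -
GET /api/v1/orders/7 403 carol
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")


def template_to_regex(template):
    """Turn 'GET /api/v1/users/{id}' into a regex matching concrete request keys."""
    method, path = template.split(" ", 1)
    parts = []
    for seg in path.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")          # one path parameter, any non-slash value
        else:
            parts.append(re.escape(seg))   # literal segment
    return re.compile("^" + re.escape(method) + " " + "/".join(parts) + "$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path, status, user = m.groups()
    return {"method": method, "path": path, "status": int(status), "user": user}


def analyze(log_text, inventory=INVENTORY, auth_fail_threshold=3):
    """Return (unknown_routes, auth_failures_per_route, flagged_routes).

    unknown_routes: Counter of 'METHOD /path' keys not matching any inventory template.
    auth_failures_per_route: Counter of 401/403 responses per matched template.
    flagged_routes: templates whose auth failures reached the threshold.
    """
    patterns = {t: template_to_regex(t) for t in inventory}
    unknown = Counter()
    auth_fail = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than trusted
        key = f"{rec['method']} {rec['path']}"
        template = next((t for t, pat in patterns.items() if pat.match(key)), None)
        if template is None:
            unknown[key] += 1          # traffic to a route the inventory does not know
            continue
        if rec["status"] in (401, 403):
            auth_fail[template] += 1   # authentication/authorization failure on a known route
    flagged = {t for t, n in auth_fail.items() if n >= auth_fail_threshold}
    return unknown, auth_fail, flagged


if __name__ == "__main__":
    unknown, auth_fail, flagged = analyze(SAMPLE_LOG)
    for route, n in unknown.items():
        print(f"undocumented route seen {n}x: {route}")
    for route in flagged:
        print(f"repeated auth failures ({auth_fail[route]}): {route}")
```

On the constructed sample this reports `GET /api/v2beta/export` as an undocumented route seen twice and flags `GET /api/v1/users/{id}` for four authentication failures; in practice the inventory would be loaded from the organisation's OpenAPI documents and the log lines from the gateway or application logs the survey respondents already analyse.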

When it comes to implementing API security, a lack of resources/people (30%) and budget constraints (24%) are cited as the top limiting factors. The survey finds responsibility for API security is all over the proverbial map with developers (21%), API teams (20%), application security (16%) and DevSecOps teams (16%) being cited most often as the team in charge of API security.

One-third of respondents cited security as a primary reason for partnering with their developer or security peers. Only 9% saw no change in how security teams are conducting their work around API security. More than a third (34%) recognize security professionals need to collaborate more with DevOps teams, with an equal percentage of respondents noting security engineers are getting embedded within DevOps teams. However, only half of respondents (50%) said the list of top API security issues identified by the OWASP Foundation has been made part of a security program within their organization and only 16% report that DevOps teams are asking for input from cybersecurity teams.

Michelle McLean, vice president of marketing for Salt Security, said the survey results make it clear API security is not getting the level of attention it deserves as the number of APIs being deployed continues to rapidly increase. Salt Labs reports there has been a 141% increase in API traffic among customers of Salt Security in the last six months. Attacks against those APIs increased 348% in the same period. Some customers (11%) have seen their APIs attacked more than 500 times per month during that same period. On average, each of those customers now has 89 APIs deployed in a production environment.

In general, McLean said most organizations are depending far too much on developers to secure APIs as part of a larger effort to shift more responsibility for application management further left towards developers. At a time when most modern applications are made up of large numbers of APIs to connect multiple microservices, there isn’t enough time to wait for developers to become security experts. Cybersecurity teams will need to work more closely with DevOps teams to achieve that goal, she added.

The challenge, of course, will be finding a way to secure those APIs without unduly slowing down the rate at which applications are being deployed and updated.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He has also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.