More API Inventory Auditing Necessary to Limit Incidents
The API industry is booming. Development of application programming interfaces has outpaced many areas of IT as APIs become the lifeblood of modern composable enterprises and digital transformation. Yet, as this surface area increases, so do potential threats — recent studies found that most companies experienced an API security incident in the past year.
Insecure APIs are becoming all too common, and part of the reason is that teams simply don’t know they exist. Numerous endpoints have been developed over the years, leaving behind a growing number of zombie or dormant APIs. Unknown vulnerabilities within these APIs could result in a data breach or data loss, or attackers might use these APIs as a doorway into internal infrastructure.
The API Security Disconnect, a new report from Noname Security, identifies API security trends across the landscape and uncovers the rate of incidents, vulnerabilities, and testing habits associated with API security. Below, I’ll review the main takeaways from the study and consider how CISOs and security engineers should go about plugging the gaps around API security.
Lack of Visibility Exacerbates API Incidents
Most organizations face API security woes: 76% said they had experienced an API security incident in the past 12 months. Yet, at the same time, 74% of respondents don’t have a full API inventory or know which APIs return sensitive data. This disconnect could explain why we’ve witnessed exponential growth of API incidents throughout the industry in recent years.
Of those who work with an API security platform provider, 58.5% said that their provider gave them visibility into dormant APIs and 47.5% said they had visibility into active APIs. Only a quarter (26%) have visibility into zombie APIs. Knowing your surface area is the first step in building a cybersecurity posture, and without a complete inventory of the total number of accessible APIs, organizations put themselves at greater risk. Interestingly, the U.S. has slightly poorer visibility into the API attack surface compared to the UK.
The study found that these unaccounted-for zombie APIs make up a common attack vector. Dormant or zombie APIs ranked as the most common attack approach, at 19%, followed by authorization vulnerabilities (18%) and web application firewall (17%). Broken access control issues are routinely cited as a common hang-up in hardening modern web applications.
API Testing Practices and Solutions
Shifting left is a good practice for spotting threats early on. However, runtime testing is also critical for spotting new CVEs as they emerge. In terms of API testing, not many organizations are testing API security for signs of abuse in real time: only 11% said they were testing APIs in real time, 28% reported testing at least once a day, and 39% said they test between once a day and once per week.
In general, the study found a positive outlook on API security platforms and the role they play in testing APIs. The study found high levels of confidence in traditional DAST and SAST tools (67%) for testing APIs, and respondents unanimously agreed that their API security platform provider was helping them to maintain regulatory compliance. A full 71% are also confident in the API security provided by their chosen cloud service provider.
Sector Comparisons
So, what sectors, if any, are particularly vulnerable to API threats? The study found that energy and utilities and manufacturing were the most troublesome areas: manufacturing reported the highest percentage of API security incidents (79%), closely followed by energy and utilities (78%). Within the energy and utilities sector, the most common API security attack type was denial-of-service attacks.
Turning to e-commerce, dormant or zombie APIs were the top API vulnerability for the retail and e-commerce sector. Surprisingly though, e-commerce scored the highest when it comes to having an inventory of which APIs return sensitive data, at 33%.
The Imperative to Meet Cloud Reliability Standards
It’s my conclusion from the survey that, to stem the rising tide of API incidents, organizations must first audit their holdings to expose forgotten or dormant services that might harbor vulnerabilities and broken access control issues.
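One way to begin the inventory audit this conclusion calls for is to reconcile the documented endpoints against what the gateway actually serves, which separates dormant APIs (documented but no recent traffic) from zombie APIs (serving traffic but absent from the inventory). The Python below is an added example, not from the report or from Noname Security; the inventory, the access-log format and the 90-day dormancy window are assumptions.

```python
"""Reconcile a declared API inventory with observed access logs to flag dormant
(documented, no recent traffic) and zombie (reachable, undocumented) endpoints."""
import re
from datetime import datetime, timedelta

# Constructed inventory (not from the report): (method, path template) -> metadata.
INVENTORY = {
    ("GET", "/v1/users/{id}"): {"sensitive": True},
    ("GET", "/v1/orders"): {"sensitive": False},
    ("GET", "/v1/legacy/export"): {"sensitive": True},
}

# Constructed access-log lines: "<ISO timestamp> <method> <path> <status>".
ACCESS_LOG = """\
2024-03-01T10:00:00Z GET /v1/users/42 200
2024-03-02T11:30:00Z GET /v1/orders 200
2024-03-02T11:31:00Z GET /v0/users/42/export 200
2023-09-15T08:00:00Z GET /v1/legacy/export 200
"""

_NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")
_LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def templatize(path: str) -> str:
    """Collapse numeric segments to {id} so /v1/users/42 matches /v1/users/{id}."""
    return _NUMERIC_SEGMENT.sub("/{id}", path)

def classify(inventory, log_text, now, dormant_after=timedelta(days=90)):
    """Return {'active', 'dormant', 'zombie'} lists of (method, template) keys."""
    last_seen = {}
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the audit
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        key = (m.group(2), templatize(m.group(3)))
        last_seen[key] = max(ts, last_seen.get(key, ts))
    result = {"active": [], "dormant": [], "zombie": []}
    for key in inventory:  # documented endpoints: active or dormant
        seen = last_seen.get(key)
        bucket = "active" if seen and now - seen <= dormant_after else "dormant"
        result[bucket].append(key)
    result["zombie"] = [k for k in last_seen if k not in inventory]  # seen, undocumented
    return result

def audit_sample():  # run over the constructed data with a fixed reference date
    return classify(INVENTORY, ACCESS_LOG, datetime(2024, 3, 10))

if __name__ == "__main__":
    print(audit_sample())
```

The inventory's `sensitive` flag marks which dormant entries to retire or re-review first, and any zombie entry is a candidate for the inventory or for decommissioning.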
Another takeaway is that CISOs and senior cybersecurity professionals must invest more heavily in maintaining performance standards to meet cloud SLAs. The report found that 28.5% said they were not confident they were meeting security SLAs. In this saturated digital landscape, reliability, performance and safety are increasingly important factors in retaining a competitive advantage for APIs.
The API Security Disconnect, commissioned by Noname Security and conducted by Opinion Matters, involved a cohort of 600 senior security executives across the UK and U.S. For deeper insights into the report, you can pick up a copy here.