71% of respondents report confidence in their API protection while a similar number of respondents (76%) experienced an API security incident in the last 12 months.
SAN JOSE, Calif. – September 15, 2022: Noname Security, the most complete, proactive approach to API security, today announced the findings from its API security report, “The API Security Disconnect – API Security Trends in 2022.” The report reveals a rapidly growing number of API security incidents concerning lack of API visibility, and a level of misplaced confidence in existing controls.
Over three-quarters (76%) of respondents have suffered an API security incident in the last 12 months, primarily caused by Dormant/Zombie APIs, Authorization Vulnerabilities, and Web Application Firewalls.
Furthermore, nearly three-quarters (74%) of cybersecurity professionals do not have a complete API inventory or know which APIs return sensitive data.
This implies that the majority of respondents will struggle to fix API security threats – and not know which to prioritize – if they do not have real-time granular visibility into the APIs in their ecosystems.
Other key findings include:
- 71% were confident and satisfied that they were receiving sufficient API protection.
- Less than half (48%) of respondents have visibility into the security posture of Active APIs.
- Only 11% of respondents test APIs for signs of abuse in real-time.
- 39% test less than once per day and up to once per week
- 67% of respondents are confident that their DAST and SAST tools are capable of testing APIs.
Shay Levi, Noname Security CTO and co-founder, comments on the findings: “Our research has exposed a disconnect between the high level of incidents, low levels of visibility, effective monitoring and testing of the API environment, and misplaced confidence that current tools are preventing attacks. This emphasizes the need for further education by Security, AppSec, and development teams around the realities of API security testing.”
Legacy-based sectors struggle to keep pace with API security testing
Critical infrastructure sectors such as manufacturing and energy & utilities, which typically rely on legacy systems, ranked unfavorably when measured on a number of metrics. They ranked worst on the percentage of API security incidents in the last 12 months, with 79% of manufacturing and 78% of energy & utilities respondents saying they had experienced incidents, of which they were aware.
Energy & utilities companies were also the least likely to have a complete inventory of APIs and know which return sensitive data, with just 19% confident about this issue. Manufacturing organizations found it most difficult to scale API security solutions, with just 30% saying they found it easy. Furthermore, real-time testing was at its lowest in energy & utilities (7%), while manufacturing and energy & utilities were most likely to conduct API security testing less frequently than once per month, with 20% and 21% doing this, respectively.
The relative lack of testing in these critical infrastructure sectors correlates with the number of API security incidents they have suffered in the last 12 months. This emphasizes the need for standards to be raised in sectors where personal identifiable information and intellectual property can potentially be seized by bad actors, let alone where physical infrastructure and vital services are at risk.
US and UK differ over API visibility and reporting
There were a number of differences in monitoring and visibility of APIs between the two countries surveyed, especially when it comes to reporting in real-time. More UK respondents (28%) have full API inventories and know which return sensitive data, compared to the US (24%).
Furthermore, an increased number of respondents in the US (44%) had visibility into their complete inventory of APIs, but were not aware of those returning sensitive data, compared to 38% in the UK. This could suggest that US organizations are more concerned with API-driven growth than securing existing APIs.
Disparity in API security approach across job roles
Responses from Application Security (AppSec) teams appear to differ considerably from other job functions surveyed. Compared to 81% of CISOs saying that they have experienced an API security incident, only 53% of AppSec professionals said they had. Additionally, 58% of CIOs said it was easy to scale API security solutions, while nearly a third (29%) of AppSec respondents admitted this was difficult.
In terms of testing, only 7% of AppSec professionals tested in real-time for signs of abuse, while 25% stated that they test for API security vulnerabilities less than once a week and up to once per month.
“The ongoing prioritization of digital transformation initiatives is introducing an increased number of applications – and therefore APIs – into organizations’ ecosystems,” added Levi. “The perceived gaps around API security testing between different job functions begs the question as to whether there is a lack of consistency across organizations of what is happening on the frontline. This needs to be addressed urgently; application development needs to adopt a ‘shift left’ approach to security testing, so that testing is undertaken pre-production and teams need to be educated about the benefits of doing this.
“We’ve seen from the likes of Gartner that APIs are quickly becoming the most popular attack vector. Our research demonstrates that if businesses don’t address the security vulnerabilities and widening attack surface presented by an increasing number of APIs, their ability to innovate and offer end-user-friendly solutions will be stifled by potentially debilitating cyber-attacks,” concluded Levi.
Noname Security commissioned independent research organization, Opinion Matters, to undertake the survey in July 2022. 600 senior cybersecurity professionals in the US and UK were surveyed from across a variety of enterprise organizations in six key vertical market sectors: financial services, retail & eCommerce, healthcare, government & public sector, manufacturing, and energy & utilities.
If you are interested in reading the full results from Noname Security’s “The API Security Disconnect – API Security Trends in 2022” report, please click here.
About Noname Security
Noname Security is the only company taking a complete, proactive approach to API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley, California, and offices in Tel Aviv and Amsterdam.
Offleash PR for Noname Security