Report finds 94% of security professionals are confident in their current application testing tools, yet 78% experienced an API security incident in 2023
SAN JOSE, Calif. – September 28, 2023 — Noname Security, provider of the most complete API security platform, today announced the findings from its annual API security report, “The API Security Disconnect 2023.” Twelve months on from the inaugural study, the report reveals that the number of API security incidents continues to increase, and as a result, API security is more of a priority now than it was 12 months ago.
At the same time, respondents' confidence in their ability to tackle such incidents has risen sharply: 67% said they were confident in their DAST and SAST tools for API testing in 2022, while in 2023 an overwhelming 94% say they are confident that their current application testing tools are capable of testing APIs for vulnerabilities.
Over three-quarters (78%) of respondents have suffered an API security incident in the last 12 months, a slight increase from Noname Security's inaugural 2022 report, in which 76% of respondents reported an incident. The top attack vectors cited were Web Application Firewalls (26%), Network Firewalls (20%) and API Gateways (18%). This is a shift from last year, when Dormant or Zombie APIs topped the list (19%).
The report findings show that visibility of API inventories has improved. Nearly three-quarters (72%) of cybersecurity professionals have a full API inventory, up from 67% in 2022; of those, however, only 40% have visibility into which APIs return sensitive data.
Given the number of API security incidents, testing APIs is imperative. The share of respondents that test in real time or at least daily has increased from 39% in 2022 to 55% in 2023. However, there is still a disconnect between testing frequency and the number of attacks.
Other key findings include:
“The continuing increase in reported API security incidents over the last two years that we conducted this research demonstrates that this is not a fleeting trend but a pressing reality that organizations must deal with and prioritize,” said Shay Levi, CTO and co-founder of Noname Security. “APIs are indispensable in today’s modern environment, but everyone is worried about ransomware, phishing attacks and data breaches. This research validates why security leaders must prioritize API security.”
Of the six vertical sectors surveyed in this year's report, those that handle large amounts of personally identifiable information (PII), namely financial services, retail and eCommerce, healthcare, and government and public sector, all saw an increase in API security attacks:
The cadence of testing APIs for vulnerabilities increased in every sector. The most pronounced change was in financial services, where real-time testing jumped from 14% in 2022 to 23% in 2023 and a further 37% test at least once a day. With 60% of the sector now testing either in real time or at least daily, a marked improvement on last year, financial services is starting to recognize the criticality of API security testing.
Over two-thirds of USA respondents (69%) said they had experienced an API security incident in the last 12 months, down from 77% in 2022, whereas 85% of UK respondents said they had suffered an incident in the last 12 months, a 10% year-on-year increase.
There were several differences in attitude towards monitoring and visibility of APIs between the two countries surveyed, especially when it comes to testing in real time. In 2022, fewer than one in ten (8%) USA respondents and 14% of UK respondents undertook API security testing in real time. In 2023, nearly one fifth (19%) of USA respondents test in real time, while the UK figure has risen slightly to 17%.
Responses from Application Security (AppSec) teams differ considerably from those of the other job functions surveyed. Between 73% and 84% of C-suite and senior security professionals said they had experienced an incident in the last 12 months, yet only 48% of AppSec professionals said the same. The disparity extends to the top attack vectors for APIs: AppSec teams overwhelmingly cite web application firewalls (64%) as the top attack vector, whereas responses from other job functions are spread more evenly across vectors.
AppSec professionals also have the least confidence that current application testing tools are capable of testing APIs for vulnerabilities, with 84% saying so compared with an average of 95% across the other job functions.
“This research raises questions about how many API security incidents have been elevated into the consciousness of the C-suite or whether there is a disconnect and lack of communication between C-suite technology leaders and AppSec professionals in organizations. AppSecs are at the coalface dealing with these incidents daily and are at the very heart of application development lifecycles. Increased communication and collaboration needs to take place if organizations are to truly tackle the rising number of API security incidents,” concludes Shay Levi.
The full results are published in Noname Security's report "The API Security Disconnect – API Security Trends in 2023".
Noname Security is the only company taking a complete, proactive approach to API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley, California, and offices in London.
Offleash for Noname
Noname Security commissioned the independent research organization Opinion Matters to undertake the second API Security Disconnect survey in June 2023. 631 senior cybersecurity professionals in the UK and USA were surveyed from a variety of enterprise organizations in six key vertical market sectors: financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy and utilities.