Noname Security has published its 2022 API Security Trends Report (registration required). The report, conducted by 451 Research, makes for sober reading. As the use of APIs has more than doubled, security concerns have also risen. The report concludes that a holistic approach to API security is a necessity.
Daniel Kennedy, Principal Research Analyst for Information Security for the Voice of the Enterprise (VotE) quantitative research product at 451 Research, said, “With API usage continuing to grow, this extreme level of use and dependency has enabled many vulnerabilities to rise to the surface, making securing these APIs across sectors more paramount than ever.
“This report should help enterprises of all sizes across various sectors make the informed decisions they need when developing their API security strategy.”
Some of the key findings from the report
There are several surprising findings in this report. Some of them could have done with a more qualitative approach to clarify the findings. For example:
“APIs are heavily leveraged, with an average of 15,564 APIs in use among survey respondent organizations, and a growth rate of 201% over the past 12 months. Large enterprises have as many as 25,592 APIs in place.”
That is a very high number of APIs for any organisation. What is not clear is how large those APIs are. Additionally, how many are modified from monolithic internal APIs? These are often known to have security vulnerabilities. Another question that could have been asked is what the security process is for verifying and maintaining these APIs.
Another finding that sets alarm bells ringing is:
“41% of the organizations represented by survey respondents had an API security incident in the last 12 months; 63% of those noted that the incident involved a data breach or data loss.”
Other questions around these statistics brought out some of the reasons why. For example, 39% had poor logging practices, and 37% had problems with API authentication. Additionally, 36% suffered from misconfiguration of APIs. Such problems suggest that security lessons are not being learned, and there is a lack of best practices.
How are organisations securing their APIs?
According to the report, the most common security method is a dedicated API security tool (75%). This is followed by web application firewalls (WAFs) at 65% and then an API gateway.
Considering the breaches and issues above, there have to be questions about the tools and how they are used. Are the tools fit for purpose? Whose tools are being used? To put some of that into perspective, the report did ask about the effectiveness of the tools. Only 64% said that API gateways were very effective, and only 60% said the same for WAFs. It is far from a ringing endorsement for the tools.
The report states, “Various security products provide some level of response and remediation for the API security issues identified above. Many, however, were initially designed for use cases outside of API security, and thus while they can provide some level of enforcement of API protection, they are not purpose-built for the full universe of security issues affecting web APIs.”
It raises the question of why tools are still not where they need to be, given the significant increase in the use of APIs. Is it time for vendors to take a close look at their tools? Why is the industry not doing more to improve the state of its tools?
Of course, the answer could lie with a lack of training and misconfiguration. So, are organisations investing in training in how to use the tools? What did after-action reports show, and are lessons being learned?
It would have been good to get some balance from the report between tools and customer skills.
It’s not all bad news
There is some good news in this report. 51% say API security has significantly improved over the last 12 months. Just as interesting are the reasons for that. 78% have improved their standards around requirements for API security. Meanwhile, 61% have implemented an API security tool, and 42% have a more accurate inventory of APIs they use.
Again, there are more questions than answers here. How poor were the standards? Were there any standards? Why were people not using an API security tool?
However, the best news, although there is more to be done, is that organisations are inventorying their APIs. There is still a long way to go, and having an inventory also requires other processes. Those will allow organisations to track, manage and update their APIs.
Importantly, from a supply chain perspective, this is very good news. Organisations are increasingly using APIs to allow customers and suppliers to connect with them. Being able to track and notify everyone when there is a problem with an API is crucial. So is being able to remediate any APIs from third parties that an organisation uses.
Enterprise Times: What does this mean?
There is much more in this 17-page report than we have covered, and it deserves a careful read. The questions it doesn’t answer are a good starting point for conversations with vendors and security teams. There is also a need for organisations to look harder at how they deal with APIs, including training and inventories.
That the usage of APIs has exploded over the last year is no surprise. That security seems to be dragging so far behind is something that must be addressed.