Why Security Leaders and AppSec and Development Teams Need to Collaborate More to Ensure Robust API Security

The growing threat landscape is posing questions for CISOs and other security professionals. How do they prepare their environment and secure the growing number of APIs?

APIs are at the heart of digital transformation initiatives. Organisations depend upon them to evolve their digital strategies, innovate, and grow. In practice, APIs enable applications, containers, and microservices to exchange data quickly, so consumers get more convenience on their digital devices and when using online services. However, they are also an increasingly common attack vector. Why? Because they are a direct pathway for attackers to reach vast amounts of sensitive data.

According to IBM’s 2022 Cost of a Data Breach Report, the average cost of a breach rose to USD 4.35 million in 2022, up 12.7% from USD 3.86 million in the 2020 report. Additionally, a stunning 83% of organisations surveyed reported having suffered more than one data breach. This points to an even greater need for comprehensive threat intelligence, monitoring, and alerting, including more robust API security solutions.

In September 2022, we commissioned research to understand how CISOs and senior cybersecurity professionals are approaching the challenge of securing their APIs in this intense and complex threat environment. We surveyed 600 senior cybersecurity professionals in the UK and USA. Within this cohort, there was a mix of CISOs, CIOs, CTOs, senior security professionals and AppSec professionals. They came from various industry verticals, including Retail & eCommerce, Financial Services, Government & Public Sector, Manufacturing and Energy & Utilities.

A Disconnect Around What is Happening in the Real World

We found a clear disconnect between what is happening in the real world and organisational attitudes towards API security. There was a level of misplaced confidence around API security that was disproportionately high compared with the number and severity of API-related breaches. This points to the need for further education of Security, AppSec, and Development teams around the realities of API security.

Overall the report highlighted:

  • High level of incidents
  • Low levels of visibility into APIs
  • Ineffective monitoring of the API environment
  • Ineffective or low levels of testing of the API environment

Worse, respondents were over-confident that their tools and providers were preventing attacks.

The responses also highlighted notable variations in how different roles view their security operations and API security. Delving into the responses from the different job functions surveyed, we found that CISOs were most likely to say they have experienced an API incident (81%), and AppSecs were least likely, with 53%.

The above was reaffirmed by the Google Cloud 2022 API Security research report, which described there being “a gap between the existence of security incidents and confidence that the tools are doing the job”.

Disparities Across Different Job Functions

There were also disparities across the different job functions in what respondents considered to be the top API attack approaches. The indication is that attacks are coming from all sides, with no one approach dominating. CIOs (19%) and Senior Security Professionals (21%) cited Network Firewalls, CISOs said Dormant/Zombie APIs (23%), CTOs felt that DDoS was the top attack type (21%), while AppSec teams said Authorisation Vulnerabilities (24%).

In terms of visibility into their API inventories, CIOs appeared to have the best visibility around which APIs returned sensitive data. Surprisingly, AppSec teams had the lowest insight, with 44% saying they had only a partial understanding of their inventory and of which APIs returned sensitive data. This could be attributed to education: AppSecs are more aware of the gaps in API security than other roles, and more likely to admit to them.

AppSecs More Exposed to Daily Realities

Interestingly, 58% of CIOs said it was easy to scale solutions, while well over a quarter (29%) of AppSecs admitted this was difficult. Again, AppSecs are more exposed to the daily realities than senior personnel and are likely to be more aware of how challenging it is to scale solutions.

When we asked how their API security platform provider helped maintain regulatory compliance, CTOs rated their provider highest (96%). Likewise, a relatively high proportion (58%) said their provider helps them to achieve compliance with GDPR. Overall, AppSec teams reported the lowest levels of support in maintaining compliance out of all five roles, with 93%.

Surprisingly, CIOs were undertaking more testing in real-time (14%) compared to other roles, and AppSec teams were testing the least (7%). CISOs also scored highest in testing once per day (33%), while 45% of CTOs admitted to testing less frequently than once per day but up to once per week. As well as their lack of real-time testing, AppSec teams also scored highest in testing less than once a week and up to once a month, with a quarter stating this.

Finally, CISOs were most likely to say they had confidence in their SAST and DAST tools, with 70% replying in the affirmative, while AppSecs were least likely (62%). Senior Security Professionals were least confident in the API security provided by their partner, with 40% saying they were not confident. Likewise, they were most likely to lack confidence that their partners were meeting their SLAs (33%).

Collaboration Across Teams will be an Imperative

It was interesting to see how the various role types view API security. Clearly, there is a need for more communication between the different groups. In 2023, we will see API security become much more of a focus area for many of the big enterprise organisations.

Part of this is driven by sustainability goals, since reusing APIs reduces infrastructure costs. It is also because the lack of control, security, and governance around APIs isn’t just exposing companies to serious risk. It also creates massive operational inefficiency, with APIs being developed and deployed independently across multiple teams.

As security shifts left, developers become more responsible for ensuring the code they write is secure. This means there is also a need for more collaboration between security and DevOps teams.

As development and security teams embrace a more agile and collaborative way of working, they will seek out API security solutions and services that enable their businesses to grow and scale quickly. Additionally, ensuring operational efficiency will be paramount as budgets come under more scrutiny in 2023. This is where senior technology leaders, security and development teams need to ensure they are much more coordinated.

Noname Security is the only company taking a complete, proactive approach to API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley and offices in Tel Aviv and Amsterdam.
