When a research report on API security claims that the responses they received “showed a remarkable disconnect between perception and the reality of the security that the respondents’ organizations use for the APIs”, you have to take a deeper dive.
Industry analyst EMA released the report after surveying 229 technology and business leaders in North America, and the findings illustrate the misunderstanding of the problems of APIs and show an inflated opinion of the current state of API security capabilities in many organizations.
Some of the confusing highlight statistics:
- 53% believe their management understands the importance of API security
- 97% have a plan to protect APIs in use
- Only 46% believe that their APIs are already adequately protected
- Yet 75% believe that their organization already has a mature API security solution and strategy.
It’s a bizarre finding that three-quarters believe their API solution and strategy is mature when less than half believe that their APIs are adequately protected. Maybe the interpretation is that a project is already underway internally to protect their APIs, so the confidence lies in the knowledge that the problem is being addressed, if not yet completed. Or they simply consider their organization to be more mature than others in their industry. Either way, this disconnect is clear throughout the report.
To echo the confusion over API security maturity, over half (53%) will initiate a project to execute the plan this year, meaning that today APIs continue to be unprotected.
API Usage is Growing
The report states that almost every organization (99% of respondents) exposes applications to the internet via APIs and 98% see an increase in API usage.
APIs are also acknowledged as security targets. APIs are full of sensitive data, with 81% of respondents saying this data was personally identifiable information. Because of this, it’s no surprise that data in APIs is increasingly targeted by bad actors and that scraping of APIs is now a form of data breach.
Visibility into APIs is Lacking
A third of respondents (32%) stated that API controls are first implemented in production. One quarter of all APIs are undiscovered or undocumented. Worryingly, every organization has documentation gaps, with 41% of respondents having less than half their known APIs documented.
Visibility into API traffic is clearly a blind spot. A quarter (25%) have no visibility into which applications are processing sensitive data, and 22% don’t know whether their applications make sensitive data available to third parties.
The Importance of Threat Hunting and Investigation Tools
In an environment where being able to discover your APIs and document them is a challenge, it is gratifying to know that security professionals are seeking API detection and response capabilities like the ability to investigate and threat hunt within the API security data. In the chart below, 80% of respondents felt each capability was very important.
However, the minimum requirement for being able to investigate and threat hunt is access to all API activity data, which is difficult if you expect your API gateway or web application firewall to protect your APIs from abuse. If your security solution only holds the alerts and doesn’t store all the API data, both of these capabilities are impossible.
Read more about Neosec’s unique ability to investigate and perform threat hunting.
This report seems to show confusion but also demonstrates that APIs are becoming increasingly important and understanding is improving. The perspective from EMA on this data is key. Their conclusion is stated eloquently.
“Most research reports are straightforward to craft: the results speak for themselves, whether it is the latest security solution or the direction that a specific market segment is trending. Not so with this report. While hoping to gain insights into how organizations are securing the APIs in their environment (and we did get some of that), the tone of the report shifted because the data shouts that most organizations have a false sense of how their APIs are secured and the efficiency of the tools they deployed to secure them. In fact, it could be even more basic than that, since many organizations believe that they have the personnel—API experts—that they need to adequately protect their APIs regardless of the solutions they have deployed.”
Read the EMA report for yourself: API Security: Debunking the Myths
Learn more about how Neosec brings an innovative approach to discover, audit, and protect APIs from abuse. Why Neosec.