Application security, Cloud Security

API security grows more critical, even as organizations lack means to address the risk

IT and security leaders say API security has become more important as enterprises migrate to the cloud. Pictured: A special missions flight director interacts with a mounted tablet at Altus Air Force Base, Okla., Sept. 30, 2021. (Air Force)

When enterprises migrate to the cloud, they become more dependent on application programming interfaces (APIs) for their core business operations — and most organi­zations have experienced at least one API-related attack in the past year, according to results of a recent survey of 250 IT and cybersecurity decision-makers by CyberRisk Alliance Business Intelligence.

IT and security leaders have taken note of this trend: Some 94% of organizations with APIs reported that API security has become more important in the past two years. As with any cybersecurity concern, the stakes are immeasur­ably high, from the financial costs of a data breach to meeting the grow­ing demand for robust security from clients and business partners.

“A single moment of negligence could lead to a breach of the company’s API and cause damage to the company,” said one respondent, the IT director of a high-tech organization.

Click here to download the full report.

That said, many organizations lack the ingredients to mount an appropriate defense. These include a strong API security strategy, a comprehensive security solution, and adequate security resources. Such weaknesses tend to exacerbate one another — for example, an API security tool that yields too many false positives will overburden already stretched IT staff too thin.

CRA’s research into API security suggests that many businesses strug­gle to achieve the visibility and maturity they need to minimize risks and protect against sophisticated attacks, such as bots and distributed-denial-of-service (DDoS). Although many organizations have various API standalone protection tools in place, respondents often regard these solutions as ineffective and incomplete, particularly when tracking undoc­umented (rogue or shadow) APIs and expired (zombie) APIs.

Among the survey’s findings:

  • Lack of an API strategy. Organizations lack an overall strategy to guide API efforts and, perhaps to support advocacy for additional resources: only 56% of respondents believe their organizations have an effective API protection strategy.
  • Little input from the security team. In 59% of organizations, responsibility for API protection rests with developers and/or DevOps teams. While there are often functional bene­fits to such arrangements, these teams may lack the security expertise, skills, or time to enforce security adequately — where fully managed API attack protection platforms can fill this gap.
  • Insufficient resources. Resources for API security are deemed insufficient at many organi­zations, although that may be starting to shift: Most respondents are optimistic their organizations will increase API security budgets in 2022.

Organizations find it difficult to respond

Although the CRA study found that API security has become more critical for virtually all organizations with APIs in the past two years, that priority shift hasn’t made it easy to address these concerns. As with other aspects of cybersecu­rity, many organizations struggle to achieve the visibility, control, and resources required for optimal API protection.

Just over half (58%) indicate they are confident their organization’s API security solution delivers adequate protection against sophisticated bot or DDoS attacks. And, nearly 8 in 10 (79%) report their organization has deployed an API security protection platform. While a host of API security tools offer various piecemeal solutions, CRA said the market for comprehensive, inte­grated API security platforms is still nascent in 2022. This may suggest market confusion about the distinction between a fully integrated, multi-func­tional “API protection platform” vs. standalone tools that are much more limited in scope.

The largest share of respondents consider real-time attack monitoring and blocking (73%), advanced risk analysis, forensics, or API attack details (73%) and API attacker behavioral analytics (72%) as "highly important" API product capabilities. Most respondents (70%) also said 24/7 support and a fully managed API protection platform (69%) are “very important” in providing an effective API security solution. Good price/value are also considered “highly important” by a considerably smaller share of respondents.

Overall, a large majority (83%) are optimistic that their API security bud­gets will increase in 2022. The largest share of respondents (41%) say their organizations will increase this spending by 4% to 5%, and another 21% expect a 6% to 10% budget increase. For most respondents, the primary drivers for API protection tool purchases or upgrades are the increased importance of API protection (56%), an increase in APIs and API develop­ment (54%), an increase in sophisticated API attacks or threats (51%), and a need to support their organization’s API protection strategy (51%).

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.