When enterprises migrate to the cloud, they become more dependent on application programming interfaces (APIs) for their core business operations — and most organizations have experienced at least one API-related attack in the past year, according to results of a recent survey of 250 IT and cybersecurity decision-makers by CyberRisk Alliance Business Intelligence.
IT and security leaders have taken note: some 94% of organizations with APIs reported that API security has become more important in the past two years. As with any cybersecurity concern, the stakes are high, from the direct costs of a data breach to the growing demand from clients and business partners for demonstrable security.
“A single moment of negligence could lead to a breach of the company’s API and cause damage to the company,” said one respondent, the IT director of a high-tech organization.
That said, many organizations lack the ingredients to mount an adequate defense: a strong API security strategy, a comprehensive security solution, and sufficient security resources. These weaknesses tend to compound one another. An API security tool that produces too many false positives, for example, adds further load to IT staff who are already stretched thin.
CRA’s research into API security suggests that many businesses struggle to achieve the visibility and maturity needed to minimize risk and defend against sophisticated attacks, such as automated bot abuse and distributed denial-of-service (DDoS). Although many organizations have various standalone API protection tools in place, respondents often regard these solutions as ineffective and incomplete, particularly for tracking undocumented (rogue or shadow) APIs and expired or deprecated endpoints that remain reachable (zombie APIs).
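The shadow and zombie categories named above are, at bottom, an inventory reconciliation problem: compare what the API team has documented against what the edge actually serves. The following is an added example written for this page, not code from the CRA report or from any vendor's product. It assumes a hand-built dictionary standing in for an OpenAPI specification (with a `deprecated` flag marking retired endpoints), constructed access-log lines in the common combined log format using RFC 5737 test addresses, and a simplified path-templating scheme in which `{id}` segments match any single path component. Requests that match no documented template are shadow traffic; requests that match a deprecated template are zombie traffic.

```python
import re
from collections import Counter

# Constructed inventory standing in for an OpenAPI spec: the endpoints the API
# team has documented. "deprecated" marks endpoints that were retired and should
# no longer receive traffic (zombie candidates if they still do).
DOCUMENTED = {
    ("GET", "/v2/users/{id}"): {"deprecated": False},
    ("POST", "/v2/orders"): {"deprecated": False},
    ("GET", "/v1/users/{id}"): {"deprecated": True},  # retired v1 endpoint
}

# Constructed access-log lines in combined log format (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2022:10:00:01 +0000] "GET /v2/users/42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2022:10:00:02 +0000] "POST /v2/orders HTTP/1.1" 201 88',
    '198.51.100.7 - - [10/Mar/2022:10:00:03 +0000] "GET /v1/users/42 HTTP/1.1" 200 510',
    '198.51.100.7 - - [10/Mar/2022:10:00:04 +0000] "GET /v2/admin/users/1 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Mar/2022:10:00:05 +0000] "GET /v2/admin/users/2?full=1 HTTP/1.1" 200 1030',
    '192.0.2.9 - - [10/Mar/2022:10:00:06 +0000] "DELETE /v2/orders/77 HTTP/1.1" 204 0',
    'garbage line that does not parse',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
UUID_SEG = re.compile(
    r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', re.I
)


def template_to_regex(template):
    """Turn a path template such as /v2/users/{id} into an anchored regex."""
    pattern = "".join(
        r"[^/]+" if part.startswith("{") else re.escape(part)
        for part in re.split(r"(\{[^/}]+\})", template)
    )
    return re.compile("^" + pattern + "$")


# Compile each documented template once.
DOCUMENTED_PATTERNS = [
    (method, template, template_to_regex(template))
    for (method, template) in DOCUMENTED
]


def generalize(path):
    """Collapse numeric and UUID path segments to {id} so that
    /v2/admin/users/1 and /v2/admin/users/2 count as one shadow endpoint."""
    return "/".join(
        "{id}" if seg.isdigit() or UUID_SEG.match(seg) else seg
        for seg in path.split("/")
    )


def match_documented(method, path):
    """Return the (method, template) key of the documented endpoint that
    matches the request, or None if the request is undocumented."""
    for doc_method, template, regex in DOCUMENTED_PATTERNS:
        if doc_method == method and regex.match(path):
            return (doc_method, template)
    return None


def classify_traffic(log_lines):
    """Bucket observed requests into documented, zombie and shadow endpoints.
    Lines that fail to parse are skipped rather than silently mis-bucketed."""
    documented, zombie, shadow = Counter(), Counter(), Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        method = m["method"]
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        key = match_documented(method, path)
        if key is None:
            shadow[(method, generalize(path))] += 1
        elif DOCUMENTED[key]["deprecated"]:
            zombie[key] += 1
        else:
            documented[key] += 1
    return documented, zombie, shadow


if __name__ == "__main__":
    documented, zombie, shadow = classify_traffic(SAMPLE_LOG)
    for label, bucket in (("documented", documented), ("zombie", zombie), ("shadow", shadow)):
        for (method, endpoint), hits in sorted(bucket.items()):
            print(f"{label:10} {method:6} {endpoint:25} {hits} request(s)")
```

On the constructed log the undocumented `/v2/admin/users/{id}` and `DELETE /v2/orders/{id}` surface as shadow endpoints and the retired `GET /v1/users/{id}` as a zombie. In practice the documented set would be generated from the real specification, the log feed would come from the gateway or WAF, and shadow hits on administrative paths would be the first items to triage.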
Among the survey’s findings:
- Lack of an API strategy. Many organizations lack an overall strategy to guide their API security efforts, and perhaps to support the case for additional resources: only 56% of respondents believe their organization has an effective API protection strategy.
- Little input from the security team. In 59% of organizations, responsibility for API protection rests with developers and/or DevOps teams. There are often functional benefits to such arrangements, but these teams may lack the security expertise, skills, or time to enforce security adequately, a gap the report suggests fully managed API attack protection platforms can fill.
- Insufficient resources. Resources for API security are deemed insufficient at many organizations, although that may be starting to shift: Most respondents are optimistic their organizations will increase API security budgets in 2022.
Organizations find it difficult to respond
Although the CRA study found that API security has become more critical for virtually all organizations with APIs in the past two years, that priority shift hasn’t made it easy to address these concerns. As with other aspects of cybersecurity, many organizations struggle to achieve the visibility, control, and resources required for optimal API protection.
Just over half (58%) are confident their organization’s API security solution delivers adequate protection against sophisticated bot or DDoS attacks, and nearly 8 in 10 (79%) report their organization has deployed an API protection platform. Yet while a host of API security tools offer various piecemeal capabilities, CRA said the market for comprehensive, integrated API security platforms is still nascent in 2022. The gap between these figures may indicate market confusion about the distinction between a fully integrated, multi-functional “API protection platform” and standalone tools that are much more limited in scope.
The largest shares of respondents rate real-time attack monitoring and blocking (73%), advanced risk analysis, forensics, or API attack details (73%), and API attacker behavioral analytics (72%) as “highly important” API product capabilities. Most respondents also said 24/7 support (70%) and a fully managed API protection platform (69%) are “very important” in an effective API security solution. Good price/value is considered “highly important” by a considerably smaller share of respondents.
Overall, a large majority (83%) are optimistic that their API security budgets will increase in 2022. The largest share of respondents (41%) say their organizations will increase this spending by 4% to 5%, and another 21% expect a 6% to 10% budget increase. For most respondents, the primary drivers for API protection tool purchases or upgrades are the increased importance of API protection (56%), an increase in APIs and API development (54%), an increase in sophisticated API attacks or threats (51%), and a need to support their organization’s API protection strategy (51%).