The State of API Security in 2023

Introduction

2023 marks a turning point as numerous business and security leaders are poised to grasp the full extent of their API security challenges. Over the last three years, organizations have favored flexibility and expansion at the expense of security while navigating highly challenging business conditions. They've amassed extensive data sets and implemented additional cloud services to digitize their business models, products, and services, with APIs emerging as the linchpin for the success of these endeavors.

In the development and deployment of applications, DevOps teams leverage internal APIs to establish connections between data sources and business processes and external APIs to interact with partners and customers. Consequently, there is a growing trend where APIs play a paramount role in transmitting sensitive data, including crucial business information and consumers' contact, financial, and health details.

In the swiftly evolving digital landscape of today, APIs have emerged as the critical element enabling the swift delivery of business functionality. These digital connectors form the foundation of a considerable portion of the enterprise innovation we witness, facilitating seamless customer experiences and integrated partner ecosystems. With the surge in API usage, the potential risks are growing at an exponential rate. Let's delve into concrete data to shed light on the current landscape of API security.

Assessing the surge API adoption

A detailed examination of Traceable's Global State of API Security exposes a fundamental reality: APIs play an indisputably crucial role in driving global digital transformation. According to the findings, a substantial 57% of organizations assess the importance of APIs at 7 or above on a 1-to-10 scale, and a cumulative 29% assign the highest levels of significance, rating them at 9 or 10. This signifies not just a passing trend but rather a foundational shift in the strategic approach to business technology.

A disconcerting alternative perspective comes to the forefront. Despite a substantial majority, precisely 88%, employing over 2,500 cloud applications and highlighting the expansive API network, only 59% assert their capability to identify all utilized APIs. These statistics underscore a notable disconnect when expecting the essential role that APIs fulfill. Envision creating a network of pipelines in a city, only to lose track of them. In the digital landscape, unnoticed and unprotected APIs serve as concealed avenues for cyberattacks.

API Security Breach Accelerates Regulatory Response

Gartner's forecast for 2025 predicts that the rapid expansion of enterprise APIs will surpass the capabilities of API management, with less than half of them expected to be effectively managed. Concurrently, incidents of API security breaches are on the rise, prompting increased scrutiny from regulators. Notably, an adversary exploited LinkedIn's official API to scrape data from 90 percent of its users, and a researcher utilized Venmo's public API to access information on millions of payments. 

The Log4Shell zero-day vulnerability, identified in December 2021, remains a target for exploitation. Several API security incidents have impacted prominent entities such as Coinbase, John Deere, Experian, Peloton, SolarWinds, and others. Although regulatory responses often trail the rapid advancement of technology, the expanding scope and heightened severity of security breaches are accelerating API security. 

The intricacies of ensuring API security

While acknowledging the significant role of APIs in our digital ecosystem, it's crucial to highlight that the complexities surrounding their security pose challenges for many organizations. A deeper exploration of the data provides a more insightful perspective on these subtleties and exposes prevalent gaps in the majority of security strategies.

Certainly, it's positive news that 51% of organizations are actively utilizing rapid scans to detect and remove vulnerable APIs from their production environments. This proactive stance demonstrates a recognition of imminent threats. Nevertheless, the true battleground extends beyond this, encompassing a vast and intricate landscape. The hurdles don't solely revolve around immediate threat detection but also involve the complex layers of interconnected activities, behaviors, and flows generated by APIs.

 Only 59% of organizations possess tools capable of identifying all APIs in operation. This implies that a significant portion of enterprise APIs operates under the radar, outside the purview of the API governance framework. An undiscovered API equates to an unmonitored one, presenting a potential entry point for cyber threats. The consequences are far-reaching, from unauthorized data access to operational disruptions. Any vulnerabilities, whether pre-existing or zero-day, remain susceptible to exploitation by attackers employing sophisticated methods to pinpoint these weaknesses in critical applications.

Leaders will perceive APIs as presenting both security and business risks

The imperative to safeguard business operations, customer interests, and data will serve as a primary motivator for organizations to adopt API security platforms. In the upcoming year, leaders will aim for a more comprehensive approach to address the challenges associated with API management. This is crucial because the absence of control, security, and governance in handling APIs amplifies risks and leads to operational inefficiencies.

DevOps teams are consistently engaged in creating and deploying APIs to establish connections between various applications and processes. This ongoing activity has led to the proliferation of what are known as "zombie APIs" — which have been abandoned but still persist in corporate systems without removal. The absence of synchronized and standardized processes further contributes to heightened redundancy across API groups. Consequently, organizations allocate excessive resources toward development processes and application maintenance, surpassing what is necessary. 

Context is the key factor for API security

Moreover, a comprehensive command of API security is derived from grasping the complex interconnections. Merely 38% of organizations possess tools that empower them to comprehend the relationships between API activities, user behaviors, data streams, and code execution. In the highly interconnected digital landscapes, having this understanding is imperative. An aberration in user behavior or an unusual data flow could serve as early warnings of a potential breach attempt or the exploitation of a vulnerability.

In addition, the ability to customize security responses in response to dynamic threat parameters is essential. While standard security protocols are effective against common threats, personalized defenses considering threat actors, compromised tokens, IP abuse velocity, geolocations, IP ASNs, and specific attack patterns can determine the outcome between successfully repelling a threat and experiencing a security breach. However, the majority of organizations currently lack this capability.

Finally, the necessity to observe and comprehend communication patterns between API endpoints and application services is consistently underestimated by companies. While an API may operate according to its intended functionality, irregular communication patterns or unexpected interactions with other services could signal potential vulnerabilities or misconfigurations.

While a significant number of companies have initiated fundamental measures for API security, breaches persist. Among recently breached organizations, 74% encountered at least three incidents related to APIs in the last two years. There is an evident requirement to delve deeper into the core elements that genuinely safeguard APIs.

Uncovering and assessing vulnerabilities in all APIs represent only the initial phase. The subsequent frontier in API security resides in comprehending the intricate network of interactions, behaviors, and potential threat vectors.

Organizations will adjust their data storage to minimize risks

One of the inherent dangers of API security risks is that organizations tend to accumulate and store excessive amounts of data. In the past, data storage was a costly endeavor, but with the significant reduction in costs over the last decade, organizations have amassed petabytes of unstructured data, a considerable portion of which remains unused. Like the challenges posed by APIs, organizations grapple with a shadow data issue marked by the proliferation of unknown and unmanaged data stores.

While fortifying API security, business, IT, and data teams must streamline their data repositories. Given the rapid pace of business transformation, much of the historical data has diminished in value. Organizations forecast operational performance within shorter time frames, typically days and weeks rather than years. Hence, it is more prudent to eliminate redundant data rather than storing it in an unregulated database, thereby mitigating the risk of potential exfiltration through an unsecured API.

Differentiate organizations in the marketplace

The business landscape of the future is intertwined, indicating that the potential growth of APIs is virtually boundless. Therefore, the pertinent question is not whether organizations will prioritize API security but rather when and how they will do so. According to Gartner's projection, by the year 2025, 60% of organizations will incorporate cybersecurity risk as a crucial factor when engaging in third-party transactions and business collaborations. Moreover, no organization desires to relinquish control over their business, customer data, or valuable intellectual property due to inadequate API security practices by partners – nor does any organization wish to become the target of a cybersecurity attack for the same reason.

Charting the Course for API Security in the Future

In the context of our digital future, organizations encounter a dual challenge concerning API security. Initially, they must understand the extent of their own digital ecosystem, grasp the role of each API, and recognize potential vulnerabilities. It is crucial to unveil and rectify silent threats, such as shadow APIs and zombie APIs, which may lurk in the background. Every concealed entry point has the potential to be exploited, emphasizing the importance of identification and mitigation.

Takeaway

In conclusion, the blog highlights the increasing importance of API security in the rapidly evolving digital landscape, primarily as organizations heavily rely on APIs to develop and deploy applications. It emphasizes APIs' major role in driving global digital transformation, enabling all-in-one customer experiences, and forming the foundation of enterprise innovation. The evolving landscape demands a vigilant and comprehensive approach to API security to safeguard against potential threats and breaches.