Over three-quarters (76 percent) of respondents in a new survey have suffered an API security incident in the last 12 months, primarily caused by dormant/zombie APIs, authorization vulnerabilities, and web application firewalls.
The research from Noname Security also shows that 74 percent of cybersecurity professionals don’t have a complete API inventory or know which APIs return sensitive data.
Shay Levi, Noname Security’s CTO and co-founder, says, “Our research has exposed a disconnect between the high level of incidents, low levels of visibility, effective monitoring and testing of the API environment, and misplaced confidence that current tools are preventing attacks. This emphasizes the need for further education by security, AppSec, and development teams around the realities of API security testing.”
Among other findings, 71 percent of respondents are confident and satisfied that they are receiving sufficient API protection, yet less than half (48 percent) have visibility into the security posture of their active APIs.
Only 11 percent of respondents test APIs for signs of abuse in real time, and 39 percent test less than once per day but at least once per week. At the same time, 67 percent of respondents are confident that their DAST and SAST tools are capable of testing APIs.
There are some interesting geographical variations: more UK respondents (28 percent) have full API inventories and know which APIs return sensitive data, compared to 24 percent in the US. However, 44 percent of US respondents have visibility into their complete inventory of APIs but are not aware of which ones return sensitive data, compared to 38 percent in the UK. This tends to suggest that US organizations are more concerned with API-driven growth than with securing existing APIs.
There are variations across teams too: 81 percent of CISOs say they have experienced an API security incident, while only 53 percent of AppSec professionals say they have. Additionally, 58 percent of CIOs say it is easy to scale API security solutions, while nearly a third (29 percent) of AppSec respondents say this is difficult.
The full report is available on the Noname site.