The spread of application-driven businesses has elevated application programming interface (API) security issues to a pressing concern, with the number of incidents arising from vulnerable APIs through the roof and a majority of organisations planning more investment to keep up – however, at the same time, there exists a puzzling gap between how confident security leaders are in their API security tools and how often their APIs are being attacked.
This is according to a study of over 600 leaders across the UK and US, conducted for Israel-based API security specialist Noname Security.
This is the second year running that Noname has produced the report, titled The API security disconnect, and as the title suggests, 12 months on from the original study, its researchers found evidence of this strange and apparently growing disconnect among respondents.
Last year, 61% expressed confidence in their dynamic and static application security testing (DAST and SAST) tools, and this year, Noname found this had risen to 94%. However, 78% said they had experienced an API security incident in that time, up from 76% last year and rising to 85% among UK respondents.
Noname chief technology officer Shay Levi suggested this lack of correlation suggested something, somewhere, is not quite clicking if so many organisations can be happy with their tools while experiencing elevated levels of cyber attacks incorporating some form of API exploitation.
Levi suggested there was an urgent need for this disconnected to be addressed. “The continuing increase in reported API security incidents over the past two years demonstrates that this is not a fleeting trend, but a pressing reality that organisations must deal with and prioritise,” he said.
“APIs are indispensable in today’s modern environment, but everyone is worried about ransomware, phishing attacks and data breaches. This research validates why security leaders must continue to prioritise API security.”
Why is API security important?
API security is moving up the agenda because of the sheer ubiquity of APIs around the world – their usage is currently growing at about 200% per annum. “We say there is no piece of code written in the past seven years that doesn’t expose or consume an API,” said Levi.
However, he continued, APIs are also a clear source of risk for several reasons – they are mission-critical to most large organisations; exist in a scattered environment across multiple public clouds, gateways and regions; and crucially, their use puts security teams and developers in conflict.
Cyber criminals being wise to such matters, APIs have therefore become a major attack vector, with many high-profile security incidents and cyber attacks involving their use – perhaps the most significant of recent times being the 2022 attack on Australia’s Optus, which exposed the data of millions of the telco’s customers.
Noname’s approach to API security – which it describes as “complete and proactive” – is predicated on three pillars:
- Posture Management – uncovering vulnerabilities and misconfigurations to speed remediation and ease compliance;
- Runtime Security – detecting and blocking API attacks with real-time traffic analysis powered by machine learning;
- API Testing – finding and remediating API vulnerabilities during the development cycle.
Levi, an Israeli cyber intelligence vet and former Meta software engineer who co-founded Noname in 2020 – the name or lack of came about because he and his co-founder couldn’t think of anything to put on the legal documents incorporating the company – claims that most other API security specialists are still focused too heavily on the middle, Runtime pillar.
“For enterprises, it has become more important to be proactive, which means analysing what is already out there and finding a gap to close it before it becomes a vector for a cyber attack,” he said.
The model also neatly addresses OWASP’s top 10 risks to API security. Noname said traditional API security tools, mostly web application firewalls (WAFs) and API gateways, are not really relevant in addressing these issues, as chief marketing officer Mike O’Malley explained.
“Prior to Noname, when you would talk to a CISO [chief information security officer] and ask if they had API security, they would say they had a gateway or a WAF,” he said. “The reason Noname exists is because those products weren’t designed for modern API threats.
“Because modern API threats are so rooted in the business logic approach, WAFs and gateways, while they served a purpose, just weren’t built for these challenges.
“The root of the disconnect is that they [buyers] think the vendor can address the OWASP top 10 with a WAF, which is less and less the case,” said O’Malley.
Happily, the report also found clear evidence that security leaders are making API security more of a priority than they did 12 months ago – 81% said this was the case (84% in the UK and 78% in the US) – and the data also clearly suggested the impact of the increased volume of API-linked incidents, such as loss of reputation and employee or customer churn, was hitting home.
Brits behind in some areas
Some of the report’s other findings included the insight that UK teams tend to have less visibility of the APIs in their inventory than American ones (70% to 74%), but that Brits tended to do better at knowing exactly which of these APIs returned sensitive data (28% to 19%).
US organisations also seemed to do better when it came to API testing, with 19% undertaking API security testing in real-time compared with 17% in the UK, a reversal on the 2022 report, when the figures were 14% for the UK and 8% for the US.