Insights from over 100 senior security leaders at large enterprises in the United States and Europe point to major gaps in API security, an Imvision report reveals.
With 9 out of 10 security leaders naming API security as a priority, survey results indicate a consensus among professionals that the shift to the cloud and expansive adoption of APIs have created a new layer of technology that requires dedicated attention. At the same time, the results reveal several considerable gaps that need to be closed to secure APIs.
“Securing APIs is a daunting responsibility. APIs are becoming more prevalent across organizations. They run on multiple clouds, are developed by different teams, and serve an increasing number of consumers. While APIs offer countless benefits, at the same time, many companies are struggling to develop them securely,” said Sharon Mantin, CEO of Imvision.
“We are excited to release this survey. It shows that enterprises increasingly understand not only the challenges but also the way forward. The survey offers important insights that can help security leaders make smarter decisions as they support the organization in securing these strategic assets.”
Top priority for today’s security leaders
API security is a top priority for today’s security leaders. 73% of enterprises use 50 or more APIs, while 79% develop and publish APIs externally. 80% of security leaders would like to gain more control over their API security, and 91% of security leaders intend to make API security a priority over the next two years.
There is a clear drive for an API Security Backbone, with the top priorities being access control (63%), security testing (53%), and anomaly detection and prevention (43%). The top enablers of this backbone are integrations with existing systems (52%) and API visibility (50%).
However, current technologies do not holistically address all elements of the ideal backbone. 82% of enterprises either use or plan to use an API management platform to strengthen access control and provide runtime protection via the API Gateway.
Yet, only 1 in 3 respondents believe that their APIs are adequately protected.
Major API security gaps
The survey pointed to three major gaps in API security: responsibility, vulnerability, and technology.
There is a major gap between who security professionals believe should be responsible and the de facto responsible party. 42% of security professionals believe security teams should be responsible for API security, while in reality, this is only true in 28% of enterprises.
The growing reliance on APIs for various use cases increases the range of potential vulnerabilities: security leaders see their most vulnerable APIs as those that are not protected using an API gateway (40%) and those they consume from 3rd parties (26%).
Security leaders overwhelmingly commented that general-purpose application security tools, such as Web Application Firewall (WAF) and Application Security Testing (xAST), are not on their roadmap for the purpose of API Security; in fact, for 50% or more of security leaders, these systems are not even an option.