Elevating API security to reinforce cyber defense

While APIs are essential to many operations and used extensively, a lack of prioritization and understanding is leading us towards a growing API security crisis, according to a report by Traceable AI and Ponemon Institute.

The urgency for API security

Within the last two years, 60% of organizations faced at least one API-related breach. 74% of these endured three or more incidents, revealing a relentless threat landscape, with 23% undergoing six or more breaches.

Alongside fraud and known attacks, DDoS (38%) stands out as the primary API breach method. Compounding this, 58% agree that APIs substantially expand organisations’ attack surface.

38% can discern intricate context between API activity, user behaviors, and data flow. Plus, 57% of respondents feel traditional security solutions, including web application firewalls, can’t effectively distinguish genuine from fraudulent API activity.

API-related risks

With 61% anticipating rising API-related risks in the next two years, organisations are also wrestling with challenges like API sprawl (48%) and keeping an accurate inventory (39%).

While dealing with an average of 127 third-party API connections, 33% express confidence in managing these external threats. This is exacerbated by uncertainties regarding the volume of data their APIs transmit, emphasising an urgent call for advanced breach detection solutions.

• 59% of respondents acknowledged that APIs are highly important to their organisation’s digital transformation. However, in spite of this, 43% of respondents admitted to not prioritizing API security.
• 60% of respondents say their organisations have had at least one data breach caused by API exploitation.
• Only 39% of APIs are continually tested for vulnerabilities.
• As a result, organisations are only confident in preventing an average of 26% of attacks and an average of only 20% of API attacks can be effectively detected and contained.

“In an era where digital ecosystems are intrinsically entwined with our operational fabric, this report brings to light the hidden iceberg beneath the API landscape. It’s alarming to see that the majority of businesses are navigating these treacherous waters with a significant blind spot, unprepared and underestimating the very real threats associated with APIs,” said Richard Bird, CSO of Traceable.

“As a security community, we must address this glaring disconnect, prioritizing API security as a cornerstone of our cyber defense strategy. It’s time that API security is elevated from the server room to the boardroom. Only by doing so can we hope to stay ahead of the evolving threat landscape,” Bird concluded.