Greater API usage raises concerns for protection - report
Radware has released its 2022 State of API Security report, which shows a rise in APIs, with 92% of the organisations surveyed significantly or somewhat increasing their usage.
However, the survey, which was conducted in collaboration with Enterprise Management Associates, found that many organisations have been lulled into a false sense of security when it comes to protecting APIs.
Although 92% of respondents believe their organisation has adequate protection for its APIs and 70% believe they have visibility into applications that are processing sensitive data, 62% say that at least one third of their APIs are undocumented.
Radware notes this is an issue as undocumented APIs leave companies vulnerable to cyber threats, including exposures, data breaches and scraping attacks.
“For many companies, there is unequivocally a false sense of security that they are adequately protected from cyber attacks.
In reality, they have significant gaps in the protection around unknown and undocumented APIs,” Radware chief operations officer and research and development head Gabi Malka says.
“API security is not a ‘trend’ that is going away. APIs are a fundamental component to most of the current technologies and securing them must be a priority for every organisation.”
The report includes responses from chief information officers, chief technology officers, vice presidents of IT, and IT directors from global organisations across North America, EMEA, and APAC.
It also found that 59% of respondents already run most cloud applications.
In addition, 97% of the businesses surveyed use APIs to communicate between workloads and systems.
The report also found that bot attacks and a lack of understanding about API protection continue to threaten companies, with 32% of respondents saying automated bot attacks are one of the most common threats to APIs.
Regarding detecting API attacks, 29% say they rely on alerts from an API gateway, and 21% depend on web application firewalls (WAFs).
“The survey data indicates that API protection is not keeping up with API usage,” Malka notes.
“Many organisations are basing their API security strategies on false assumptions; for example, that API gateways and traditional WAFs offer sufficient protection.
“This leaves APIs vulnerable and exposed to common threats, like bot attacks.
“A comprehensive API protection solution that includes bot protection will address these threats.
“But very few respondents indicated that they had solutions that actually did or even had the capability to provide effective security.
“Enterprise protection is only as strong as its weakest link.”
Additionally, half of the respondents view their existing tools as only somewhat or minimally effective against threats to their APIs, with 7% reporting that the security protection they have in place fails to recognise any attacks.
Further, the report found that 65% of respondents believe open source code offers greater security than proprietary code, and almost 74% assume that container-based deployments and microservice architectures are more secure than monolithic architectures and deployments.
Radware says the inability of the existing tools to adequately protect APIs from common threats combined with these perceptions about open source and container-based deployments further adds to the false security narrative.
“The belief that open source is more secure by design could explain why some organisations are lax when it comes to patch management,” Malka adds.
“Yet, as we have seen with Log4j and Heartbleed, open source can have the same security flaws as proprietary code.
“Believing that open source is inherently more secure by default only further contributes to the false narrative that leaves organisations vulnerable to cyber-attacks.”