IT Brief Asia logo
Technology news for Asia's largest enterprises
Story image

Security gaps in APIs plague organisations - study

By Catherine Knowles
Thu 4 Aug 2022

Nearly all (94%) of survey respondents of Salt Security’s latest report experienced security problems in production APIs in the past year, with 20% stating their organisations suffered a data breach as a result of security gaps in APIs.

The bi-annual report titled 'Salt Labs State of API Security Report, Q3 2022' found that API attack traffic has doubled in the past 12 months.

Together, the findings highlight that existing solutions and API security tactics focused on shift-left strategies are failing to adequately protect APIs.

The report pulls from a combination of survey responses and empirical data from the Salt Security Cloud Service. It finds that Salt customers experienced a 117% increase in API attack traffic while their overall API traffic grew 168%, highlighting the continued explosion of enterprise API usage.

With malicious API traffic accounting for 2.1% of overall traffic, API attack attempts moved from an average of 12.22 million malicious calls per month a year ago to an average of 26.46 million calls this past June.

Among Salt customers, 44% are suffering an average of 11 to 100 attack attempts every month, and 34% are enduring more than 100 attempts each month, with 8% suffering more than 1000.

Roey Eliyahu, co-founder and CEO, Salt Security, says, "The backbone of our modern economy, digitalisation has made organisations increasingly reliant on APIs to deliver new services and better compete. This focus on digital innovation, however, has also put a target on these organisations, as this research makes clear.

"With API attacks accelerating year over year, it’s no wonder our survey shows security as the top concern about API strategies. The report findings also show the need for a more robust API security strategy - starting with development but especially focused on runtime - to better protect this expanding attack surface and companies’ most valuable assets.”

Developing a vigorous API security strategy is critical, as 61% of survey respondents now manage more than 100 APIs. With key enterprise initiatives so closely tied to API usage, companies have no tolerance for deployment delays or rollbacks. But more than half of survey respondents reported delaying new application rollouts because of API security concerns.

Enterprises look to stop API attacks

When asked which of six attributes of API security platforms are “highly important,” the ability to stop attacks took the top position, with 41% of respondents citing it.

The ability to identify which APIs expose PII or sensitive data took the second spot, with 40% of respondents indicating that feature as highly important. Meeting compliance or regulatory needs took the third spot, with 39% of respondents. Applying shift-left practices came in at the bottom of the list, with only 22% of respondents choosing it as highly important.

"Shift left" practices fail enterprises

Shift left strategies alone continue to leave organisations and their APIs exposed. While 53% of respondents focused on fixing gaps during development, and 59% looked for API issues in testing, a whopping 94% still suffered API security incidents, reflecting a need for increased runtime protection.

In this latest report, just 30% of respondents say they identify and remediate API security gaps in runtime. Yet to fully protect what’s already running within their environments, organisations require runtime protection capabilities.

Application action rollouts delayed

More than half of respondents (54%) indicated they've had to slow the rollout of new applications because of API security concerns.

Poor API design and security practices are often at the root of sensitive PII data leaks, and survey responses reinforce this challenge - nearly a third of respondents admit they've experienced sensitive data exposure or a privacy incident within their API production over the past year, a sharp increase compared to last year's 19%.

Within the Salt customer base, 91% of APIs have exposed some PII or sensitive data, making it imperative for organisations to know how and where data is transmitted so they can best protect those APIs with extra diligence.

Security concerns cause ongoing worry

Survey respondents reported that not investing enough in pre-production security (20%) and not adequately addressing runtime security (18%) were their top concerns about their API strategy.

When asked about the most concerning API security risks, 42% said outdated or "zombie" APIs. Zombie APIs have been the number one concern in the past four surveys from Salt, likely the result of increasingly fast-paced development as organisations seek to maximise the business value associated with APIs.

Account takeover and the accidental exposure of sensitive information were tied as second-highest concerns, at 15% each, followed by worries over “shadow” or unknown APIs, which rose from 5% to 11% in the past six months.

WAFs and API Gateways unsuccessful

As in previous surveys, respondents said they primarily rely on traditional tools to manage APIs and protect against application attacks. Most respondents rely on API gateways (54%) and WAFs (44%) to identify attacks.

The gaps of these traditional tools are made clear by the finding that 82% don't believe their existing tools are very effective at preventing API attacks and 94% endured an API security incident.

Solvable obstacles prevent API security

A significant majority of respondents (61%) admitted they lack any or have only a basic API security strategy in place, a concern given the high reliance on APIs for achieving critical business outcomes.

Despite all survey respondents having APIs running in production, a small percentage (9%) stated they have an advanced API strategy that includes dedicated API testing and protection. The top reasons for a lack of a robust API strategy included budget (24%), expertise (20%), resources (19%), and time (11%).

Additional findings from the State of API Security Report:

  • 91% of APIs running within the Salt customer base are exposing PII or sensitive data
  • API changes are on the rise - 11% of respondents update their APIs daily, 31% do so weekly, and 24% less often than every month
  • Just about half the respondents (55%) say their security team highlights the OWASP API Security Top 10 in their security program, down from 61% six months ago, an unfortunate finding given that 62% of attempted attacks within the Salt customer base leveraged at least one of the methods on that list
  • 86% of respondents lack confidence that their API inventory is complete, and 14% admit they are unaware of which APIs expose PII
  • 64% of respondents say that API security has helped security collaborate and even embed with DevOps teams

Implications for API security The State of API Security Report's Q3 2022 survey results are clear, Salt Security states. Respondents overwhelmingly stated that reliance on APIs is continuing to grow as APIs become ever more imperative to their organisations' success.

However, at the same time, current security tools and processes can't keep pace with new API protocols and attack trends. API traffic and usage trends within the Salt customer base confirm these observations.

The report concludes that organisations must move from traditional security practices and last-generation tools to a modern security strategy that addresses security at every stage of the API lifecycle and provides a broad range of protections that foster collaboration across teams.

Related stories
Top stories
Story image
Tech job moves
Tech job moves - Cohesity, Equinix, IDC, Proofpoint & Xero
We round up all job appointments from July 29 - August 5, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Firewall
Fortinet unveils compact firewall for hyperscale data centres, 5G networks
"Fortinet’s dedication to pushing the boundaries of what is possible in security performance has yielded the most powerful compact firewall yet."
Story image
Enterprise
Fortinet reports second quarter 2022 financial results
“We delivered strong revenue and billings growth in the second quarter driven by an increase in the number of transactions larger than one million dollars."
Story image
Mergers and Acquisitions
Netskope acquires Infiot, delivers integrated SASE platform
Converged SASE platform provides AI-driven zero trust security and simplified, optimised connectivity to any network location or device, including IoT.
Story image
SaaS
Why is MACH architecture a new big thing in the tech world?
More and more global enterprises are considering replacing the monolithic tech stack with the best-of-breed composable stack that enables greater business agility.
Story image
Cloud
TBC Bank decreases time to market for new offerings by 40%
TBC Bank has reduced time to market for new and enhanced products and services by 40% since implementing Kong Enterprise, the cloud native API platform. 
Story image
Data
NOVATION releases cloud-based solution to maximise value of data
NOVATION has announced the release of DataVio, its cloud-based solution for helping businesses automate the processing and extraction of data.
Story image
SAP
OutSystems joins SAP PartnerEdge program, integrates solutions
OutSystems has become an official member of the SAP PartnerEdge program. This will make it easier for other businesses within the SAP ecosystem to discover and connect with OutSystems.
Story image
SaaS
Viavi updates Observer platform to simplify cloud monitoring
Version 18.8 simplifies cloud monitoring with data centre-like visibility, bringing two key capabilities to cloud-based applications and deployments.
Story image
Apps
Freshworks integrates with Google's Business Messages
"The integration with Freshworks makes it fast and easy for businesses to have conversations with their customers within the Google apps."
Story image
Radware
Good or bad - answer these questions to check application visibility
With the adoption of the hybrid cloud, applications now run in multiple private and public cloud environments managed by different teams and tools.
Story image
Hybrid Cloud
The essential guide to digital transformation by SolarWinds
Digital transformation is a buzzword thrown around all the time by companies, but what does it actually mean and why is it important? SolarWinds breaks it down.
Story image
Data Protection
CyberRes partners with Google Cloud in lead up to BigQuery release
CyberRes, a Micro Focus line of business, has announced a partnership with Google Cloud to support the upcoming release of BigQuery remote functions.
Story image
Ransomware
Ivanti and SentinelOne partner on patch management solution
Ivanti and SentinelOne will integrate their technologies Ivanti Neurons for Patch Management and SentinelOne's Singularity XDR platform.
Story image
Internet of Things
AI-Link chooses Keysight offering to validate 5G performance
AI-Link has chosen Keysight Technologies' 5G test tools for end-to-end performance validation of cloud-native 5G radio access network (RAN) equipment.
Story image
SaaS
OpenText launches new solutions on Salesforce AppExchange
Included in this latest launch is OpenText Core Content, a Content Services platform that customers can leverage to effectively manage their content.
Story image
CRM
Forrester names Pega a Leader in CRM Solutions 2022 report
Forrester Research has named Pega a Leader among 11 competitors in The Forrester Wave: Core CRM Solutions, Q3 2022 report.
Story image
Appointments
Tech job moves - Checkmarx, Kinly, Syniti, Trellix & WalkMe
We round up all job appointments from July 22-28, 2022, in one place to keep you updated with the latest from across the tech industries.
AWS Marketplace
Learn how security orchestration, automation, and response (SOAR) enhances your security strategy.
Link image
Story image
Healthcare
Why the Metaverse could be the key to enhancing the healthcare sector
The experts at Accenture understand that the programmable world is about building the next version of the physical world in healthcare, understanding complex layers in order to fully utilise technology to its maximum effect.
Story image
Infrastructure
New developments for cable set to connect South America to APAC and Oceania
Further proposals have been issued to begin construction of the almost 15,000 km subsea Humboldt Cable cable, which connects South America to APAC and Oceania.
Story image
SAP
Microsoft unveils two new security products to help reduce attack surfaces
The products are set to give companies deeper insights into threat actor activity and help them successfully navigate the changing threat landscape.
Story image
Cybersecurity
More than a fifth of cybersecurity teams ban the use of public WiFi
Verizon’s fifth annual Mobile Security Index report has revealed a continued rise in significant cyberattacks in the last year involving a mobile/IoT device.
Story image
10 Minute IT Jams
Video: 10 Minute IT Jams - An update from Incode Technologies
Jonathan Andresen joins us today to discuss the identification and authentication solutions offered by Incode.
Story image
Indusface
Why enhancing bot protection for web and API endpoints matters
The trouble with bots is that they aren’t all bad. Unfortunately, this can make it challenging to detect malicious bots that find their way into your system and threaten your business.
Story image
Digital Transformation
Government needs content services aligned for better customer experience
Organisations across all industries in the private sector have made significant progress in digital transformation. The public sector, however, has not always kept up with the pace.
Story image
Ransomware
Majority of execs in SEA anticipate ransomware attacks
Kaspersky's study uncovers that more than half believe a ransomware attack against their business is too small to worry about.
Story image
Healthcare
SOTI research explores professional's thoughts on digitisation in the healthcare sector
Interconnectivity, automation and data management were the three key trends highlighted in the report as integral parts of successful medical technology implementation.
Story image
API
Security gaps in APIs plague organisations - study
Together, the findings highlight that existing solutions and API security tactics focused on shift-left strategies are failing to adequately protect APIs.
Story image
Product Management
TeamViewer and Siemens to innovate product lifecycle space with AR
TeamViewer's new partnership with Siemens Digital Industries Software to bring the power of TeamViewer's AR platform, Frontline, to Siemen Teamcenter software.
Story image
Data Centre Maintenance / Management
Vertiv releases update to Smart InfraSight platform
Vertiv has unveiled an update to its Smart InfraSight data centre management platform, featuring improved intelligence and the ability to manage multiple IT devices.
Story image
Robotic Process Automation / RPA
Gartner anticipates RPA software revenue of US$2.9 billion
Gartner predicts global robotic process automation (RPA) software revenue to reach US$2.9 billion in 2022, an increase of 19.5% from 2021.
Story image
Cybersecurity
FirstWave responds to SMB demand for better cybersecurity
FirstWave developed the CyberCision Open Security Management Platform to respond to SMBs 'urgent' need for comprehensive cyber protection.
AWS Marketplace
Watch this webinar to gain building blocks for data mesh, and how AWS customers today are successfully enabling domain driven data.
Link image
Story image
Partnership
NCS, FPT Software launch Strategic Delivery Centre in Vietnam
The new partnership is designed to support increasing demand for high quality digital services across the region.
Story image
Compliance
Why security needs to shape your journey to the cloud
It's estimated that 80% of workloads could be in the cloud in the next few years. How can you make all that data secure?
Story image
SaaS
ManageEngine unveils SaaS availability of Analytics Plus
ManageEngine's Analytics Plus is now available as a software as a service (SaaS) offering, enabling users to set up a completely functional and integrated analytics platform anywhere in under a minute.
AWS Marketplace
See how managed security services (MSS) have evolved to Managed Detection and Response (MDR) and Extended Detection and Response (XDR). Learn how these new holistic solutions can simplify security management and improve your threat detection and response.
Link image
Story image
Remote Working
Four-day week: Perceptions across Asia Pacific and Japan
Workers across APJ want to be empowered to do their best work, wherever and whenever they want.
Story image
Cybersecurity
Qualys develops EASM capabilities for Cloud Platform
"Qualys unique approach to EASM is integrating the internal and external asset data from CyberSecurity Attack Management with its VMDR solution into a single view."
Story image
Data
Hazelcast launches beta release of new serverless offering
Hazelcast Viridian Serverless speeds up app development, simplifies provisioning, and enables integration of real-time data into applications.