Jon Gold
Senior writer

API security—and even visibility—isn’t getting handled by enterprises

Sep 16, 2022 · 2 mins

A new survey highlights the widespread nature of API security incidents and the lack of full inventories of potentially dangerous APIs.

A report released this week by OpinionMatters and commissioned by Noname Security found that more than three out of four senior cybersecurity professionals in the US and UK said that their organization had experienced at least one API-related security incident within the last 12 months.

A similar number, 74%, said that they had not completed a full inventory of all APIs in their systems, or did not have full knowledge of which ones could return sensitive data. The most common security gaps identified were dormant APIs—APIs that have been ostensibly replaced but remain in operation—authorization vulnerabilities, and web application firewalls.

With that said, a strong majority—71%—also said that they were confident in the API security provided by their communications service provider, indicating, according to Noname, that there’s a level of complacency at work around the topic.

“There is clearly a disconnect between what is happening in the real world, and organizational attitudes towards API security,” the report said. “The level of misplaced confidence around API security is disproportionately high in comparison to the number and severity of API-related breaches. This points to the need for further education by security, [application security], and development teams around the realities of API security.”

Digital transformation, the report added, will only make API security more important as time goes on. The authors cited a Gartner report that said that API-related breaches could become the most common type of security incident as of this year.

Utility, manufacturing sectors have biggest API security issues

The most vulnerable industries, according to the survey, were energy and utilities, as well as manufacturing—78% of respondents in the former industry reported some type of API breach in the previous year, as well as 79% in the latter. Only 19% of energy and utility company respondents reported having a full API inventory or full insight into which of their APIs were potential points of vulnerability.

UK respondents were slightly more likely to have real-time insight into their potential API vulnerabilities, as well as a better sense of overall API inventory—14% of UK respondents reported real-time testing, with just 8% of US users saying likewise, and 28% said they had fully inventoried their APIs and potentially sensitive data, compared to 24% for US respondents.
