Akamai’s latest study finds organizations are not prepared for API-based attacks, as most report scant controls.

Fewer than a third of companies use API-specific controls as part of their cloud application security regime, according to a study by cloud security service provider Akamai. For the study, Akamai partnered with SANS Institute to survey 231 respondents actively involved in the application security domain at global organizations. Survey participants most often named phishing and missing patches as the top API security concerns.

Significant lag in API security controls

Just under half (49.7%) of the respondents said that their organization has been using API security testing, with only 5.6% using it for more than 10 years. Even fewer (29%) use API discovery, with 3.9% using it for more than 10 years.

"These findings indicate the necessity of defense in depth when it comes to API Security, which can be achieved by layering protections across the API estate," said Rupesh Chokshi, general manager of application security at Akamai.

While API security testing allows for the secure development of APIs, discovery tools help organizations maintain a running inventory of where their APIs are located. The study also revealed that only 29% of the organizations use API security controls that are included in DDoS and load balancing services.

Phishing and missing patches identified as greatest risks

Survey respondents ranked phishing and missing patches as the top two API security risks. While 38% saw phishing to obtain reusable credentials as their top API security risk, exploitation of missing patches was considered a prime threat by 24%.

"API infrastructure concerns, like missing patches, become API security concerns because the API is left more vulnerable. Phishing is a broader security concern that can also occur in the realm of APIs," Chokshi said.
Other respondents feared different threats, including exploitation of vulnerable APIs (12%), misconfiguration of servers (12%), and accidental disclosure of sensitive data by users (9%).

Risk mitigation

Sixty-two percent of respondents are using web application firewalls as part of API risk mitigation. Amongst these firewalls, the leading products used are Acunetix, Akamai, AWS Shield, Azure WAF, Checkpoint, Cisco, Cloudflare, and ModSecurity.

More than three quarters (76%) of the organizations train development staff on application security, with most citing the Open Web Application Security Project (OWASP) Application Security and API Top Ten lists, and the MITRE ATT&CK Framework, as the basis for defining application and API risk.