API security incidents are increasing, with dormant/zombie APIs, authorization vulnerabilities, and web application firewalls the key issues.
API security issues have been experienced by 76 per cent of USA and UK organisations, according to a new report, ‘The API Security Disconnect: API Security Trends in 2022’, commissioned by Noname Security.
The report reveals a rapidly growing number of API security incidents, concerning lack of API visibility, and a level of misplaced confidence in existing controls.
Over three quarters (76 per cent) of respondents have suffered an API security incident in the last 12 months, with these incidents primarily caused by dormant/zombie APIs, authorization vulnerabilities, and web application firewalls.
Nearly three quarters (74 per cent) of cybersecurity professionals do not have a full API inventory or know which APIs return sensitive data. This implies that the majority of respondents will struggle to remediate API security threats, and will not know which to prioritise, if they do not have real-time, granular visibility into the APIs in their ecosystems.
Other key findings include: 71 per cent were confident and satisfied that they were receiving sufficient API protection; less than half (48 per cent) of respondents have visibility into the security posture of active APIs; only 11 per cent of respondents test APIs for signs of abuse in real time; 39 per cent test less often than once per day and up to once per week; and 67 per cent of respondents are confident that their DAST and SAST tools are capable of testing APIs.
“Our research has exposed a disconnect between the high level of incidents, low levels of visibility, effective monitoring and testing of the API security environment, and misplaced confidence that current tools are preventing attacks,” said Shay Levi, Noname Security CTO. “This emphasizes the need for further education by Security, AppSec, and development teams around the realities of API security testing.”
Critical infrastructure sectors such as manufacturing and energy and utilities, which typically rely on legacy systems, ranked unfavourably on a number of metrics. They ranked worst on the percentage of security incidents in the last 12 months, with 79 per cent of manufacturing and 78 per cent of energy and utilities respondents saying they had experienced incidents that they were aware of.
Energy and utilities companies were also the least likely to have a full inventory of APIs and know which return sensitive data, with just 19 per cent confident about this. Manufacturing organizations found it most difficult to scale API security solutions, with just 30 per cent saying they found it easy. Furthermore, real-time testing was at its lowest in energy and utilities (7 per cent), whilst manufacturing and energy and utilities were the most likely to conduct security testing less frequently than once per month, with 20 per cent and 21 per cent doing so, respectively.
The relative lack of testing in these critical infrastructure sectors correlates with the number of security incidents they have suffered in the last 12 months. This emphasizes the need for standards to be raised in sectors where personally identifiable information and intellectual property can potentially be seized by bad actors, let alone where physical infrastructure and vital services are at risk.