Application programming interfaces (APIs) are increasingly being targeted by cybercriminals, but businesses are aware of the problem.
According to data from “The API Security Disconnect 2023,” a survey of over 600 U.S. and U.K. cybersecurity professionals from API security provider Noname Security, almost all (94%) respondents are confident that their current application testing tools are capable of testing APIs, which are software interfaces connecting two or more disparate solutions, for vulnerabilities in 2023.
However, close to eight in 10 (78%) respondents have suffered an API security incident in the last 12 months, marking a slight increase from Noname Security’s inaugural 2022 report, where 76% of surveyed respondents experienced an API security incident.
The primary causes or top attack vectors cited by respondents were web application firewalls (26%), network firewalls (20%), and API gateways (18%). This is a shift from 2022, when dormant or zombie APIs topped the list (19%) in 2023.
Survey findings also show visibility of API inventories has improved. More than seven in 10 (72%) respondents have full API inventories, although only 40% of those have visibility into which APIs return sensitive data. This represents a year-on-year increase of five percentage points from the 67% of respondents that had a complete inventory in 2022.
Disparities in U.S., U.K. findings
Seven in 10 (69%) U.S. respondents admitted they had experienced an API security incident in the last 12 months, down from 77% in 2022, whereas 85% of U.K. respondents said they suffered an incident in the last 12 months, a 10% year-on-year increase from the year prior.
Other key findings:
Eight in 10 (81%) respondents stated that API security is more of a priority now than it was 12 months ago.
The number of respondents that test APIs in real time or undertake daily testing has increased close to 50%, to 55% in 2023 from 39% in 2022.
Fifty-three percent of respondents now view API security as a necessary requirement for their business, while 47% say it is a business enabler.
Fifty-three percent of respondents say their developers spend between 26% and 50% of their time on refactoring and remediation.
Slightly more than half (51%) of respondents cited loss of customer goodwill and churned accounts as the biggest impact of an API security incident.
Almost half (48%) of respondents cited fees incurred to help fix the issues, and similarly, 48% said loss of productivity was the biggest impact.
“The continuing increase in reported API security incidents over the last two years that we conducted this research demonstrates that this is not a fleeting trend but a pressing reality that organizations must deal with and prioritize,” said Shay Levi, CTO and co-founder of Noname Security. “APIs are indispensable in today’s modern environment, but everyone is worried about ransomware, phishing attacks, and data breaches. This research validates why security leaders must prioritize API security.”
Noname Security commissioned independent research organization Opinion Matters to undertake the second API Disconnect Survey in June 2023. In total, 631 senior cybersecurity professionals in the UK and USA were surveyed from across a variety of enterprise organizations, including retail and e-commerce.