2023-05-18

The security of APIs remains a top cybersecurity concern this year, according to a new study, yet there is still a lack of dedicated API security for many companies.

Research from TraceableAI, carried out at this year's RSA conference, finds that though 69 percent of organizations claim to factor APIs into their cybersecurity strategy, 40 percent of companies do not have dedicated professionals or teams for API security.

Indeed, 23 percent of respondents don't know if there is dedicated API security in their organization. While many organizations (61 percent) don't believe they have experienced an API attack in the last 12 months, an alarming 36 percent of respondents are unsure.

Of those that have adopted API security tools, 25 percent have solutions that can't baseline API behavior and identify abnormal activity potentially indicative of an API attack. A worrying 50 percent of respondents are not sure if their API security solution has these capabilities.

"With APIs being a universal attack vector and the cause of some of the biggest data breaches in recent years, it’s very concerning to find out that 40 percent of organizations do not have a dedicated API security professional or team to tackle this problem, with 23 percent unsure if they had a team at all. Equally concerning is that 40 percent of organizations do not have an API security solution in place," says Richard Bird, chief security officer at Traceable. "In the past, hackers had to devise strategies for getting around existing defenses in order to locate data and interfere with systems. Now, they can simply exploit an API and obtain access to sensitive data without even exploiting the other solutions in the security stack. This is why more organizations need to take API security seriously and make it an integral part of their broader cybersecurity strategy."

Among the other findings, API security ownership remains fragmented between different teams, with 38 percent of respondents claiming the CISO owns it, while 25 percent claim development and/or DevOps takes ownership. 24 percent of respondents simply don't know who owns it.

The majority of respondents (66 percent) either struggle with API sprawl, or don't know if their company is managing API sprawl effectively.

You can get the full report from the Traceable site.

