Report: 76% of Organizations Had an API Security Incident Last Year

Highlights:

• APIs are the lifeblood of digital transformation and the core of company development and innovation plans.
• While 76% of respondents claimed they had had an API security problem, there was a high degree of trust in their existing solutions, with 67% expressing satisfaction with the protection and API security offered by CSPs or specialized security providers.

APIs are the lifeblood of digital transformation and form the core of company strategies for development and innovation. Nearly all enterprises utilize APIs to link services, move data, and manage critical systems. In fact, APIs increasingly drive mission-critical operations within enterprises.

The increased adoption of APIs has also dramatically increased organizations’ attack surfaces, raising the necessity for businesses to prioritize API security. However, as enterprises shift into a variety of cloud, hybrid, and on-premises digital environments, this complexity makes it challenging for security teams to identify and resolve issues swiftly.

In July this year, Noname Security commissioned a survey from an independent research firm, Opinion Matters, to investigate the condition of the API security environment and the difficulties faced by enterprises.

High-level findings

Noname’s research revealed a degree of complacency and possible denial regarding the dangers posed by APIs. While 76% of respondents claimed they had been through an API security incident, there was a high degree of trust in their existing solutions, with 67% expressing satisfaction with the protection offered and the API security provided by CSPs or specialized security providers. A majority, 71% of the respondents, indicated that they are confident and pleased with the API protection they receive.

There is a gap between real-world events and corporate attitudes toward API security. Compared to the frequency and severity of API-related breaches, the level of misguided faith in API security is disproportionately high. This indicates the need for further education by security, appsec, and development teams on the reality of API security.

Overall, the research revealed a discrepancy between the high level of events, low visibility levels, effective monitoring and testing of the API environment, and overconfidence that their tools and service providers were preventing assaults.

Methodology

Around 600 senior cybersecurity experts in the United States and the United Kingdom were surveyed across various enterprise organizations in sex crucial sectors: Financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy.