Study Reveals Security Teams Feel the Impact of Rising API Threats

The increase in API security incidents isn’t surprising. Think of it this way: Like the employees in any company, APIs have a job to do, which is to rapidly exchange data among digital technologies. This job is important: APIs enable customers and partners to get the services they need. But the job is also high-risk because unlike those employees, APIs handle sensitive data with little-to-no oversight. 

Many APIs live in the shadows because they were created unbeknownst to an organization’s central IT department — and they frequently go undetected by traditional security tools. Security teams often lack visibility into the risks of even the APIs that they can account for.

The 2024 API Security Impact Study reveals that only 27% of respondents who believe they have a full API inventory know which of their APIs return sensitive data — down from 40% last year. Moreover, there is a disconnect between roles: Although 43% of the CIOs surveyed believe they know which APIs return sensitive data, only 17% of CISOs share that view.

You can’t protect what you can’t see. And this lack of visibility is troubling when you consider that:

• 108 billion API attacks were recorded from January 2023 through June 2024, according to a recent Akamai State of the Internet (SOTI) report

• Just one compromised API can lead to significant data theft, resulting in revenue damage and regulatory fines

What can these findings tell us? Any form of attack is bound to cause concern. But there’s a particular kind of stress that comes from dealing with an attack vector that feels unfamiliar. Many organizations are getting up to speed on the intricacies of API risks. Moreover, the pressure felt in an API attack’s aftermath only escalates when senior leaders ask: How did this happen?

Thankfully, most security teams are engaged and ramping up their knowledge of how API attacks occur. Most are also aware that commonly used tools for securing APIs are no longer enough. Respondents cited the top causes of API incidents they’ve experienced, and their answers reflected a mix of:

• Tools that aren’t designed to see or secure the large portion of API estates that are unmanaged and, therefore, didn’t catch incidents outside their limited view

• Vulnerabilities cited in the OWASP Top 10 API Security Risks, such as coding errors made in haste and missing authentication controls

Today’s API threats require strategies and solutions rooted in four key areas:

• API discovery

• Posture management

• Runtime protection

• Security testing

Increase visibility: Shine a light on the shadows, specifically APIs that often go unmanaged with unchecked access to data. Seek tools with an automated approach to discovering APIs. Analyze APIs for risks and document them in a comprehensive inventory.

Bolster posture: Gain clarity on normal versus atypical API behavior, while gaining visibility into common alert types, which enables organizations to proactively detect signals of an attack. Use the insights to reduce risk, set priorities, and strengthen API security strategy.

See and secure in runtime: Integrate a comprehensive API security solution with an existing security stack (e.g., with web application firewalls or web application and API security tools), which enables users to spot high-risk behavior and block suspicious traffic before it can access critical resources.