Adopting Comprehensive API Security Falls Behind Need
According to recent research from the SANS Institute, despite a rise in the number of threats targeting applications and APIs, most companies are not yet using API-specific controls that provide widespread coverage.
A notable lack of API security testing tools
The 2023 SANS Survey on API Security found that fewer than 50% of respondents have API security testing tools in place. Even fewer have API discovery tools (29%). What’s more, the report says that taking advantage of the API security controls that are included in distributed denial-of-service (DDoS) and load balancing services is “an underutilized area”: just 29% of respondents reported using those features.
It’s a worrisome trend, considering the increase in attacks. As Akamai reported in its recent State of the Internet report, Slipping Through the Security Cracks: The Rise of Application and API attacks, 2022 was a record year for application and API attacks. Perhaps the lack of adoption of API tools with comprehensive coverage should come as no surprise, however, considering what respondents to the SANS survey said they believe to be the top security risks to their organization.
The report, released in July 2023, surveyed 231 respondents, most from the United States. Seventy-eight percent of respondents currently play a role in application security, with another 15% looking toward future involvement.
API risks don’t rank
When asked to rank the top three risks to their organization, respondents cited “Phishing to obtain reusable credentials” most frequently, followed by “Attackers exploiting missing patches” and “Attackers exploiting vulnerable applications/APIs.” Coming in last in the weighted rankings was “Misconfigured servers/services.” It’s clear that, although enterprises understand the risks that APIs can present, they’re not prioritizing investments there.
Multiple security controls and processes
“Discovering, assessing, and mitigating API risks is a complex problem that requires multiple security controls and processes to provide complete coverage,” John Pescatore, director of emerging security trends for the SANS Institute, writes in the report. “Application-level tools already in widespread use may provide partial coverage — API security-specific controls that provide full coverage are not yet in widespread use.”
Understanding how (and how many) APIs are running
The SANS report also suggests that companies are doing a poor job of even understanding how many APIs are running in their environments. More than two-thirds of respondents estimated that the accuracy of their inventory of APIs running in production was below 75%.
Enterprises have for years struggled to gain an accurate inventory of assets, including networks, computers, and applications. They need to take more care in understanding where (and how many) APIs are running. The report says, “... because vulnerable APIs are becoming the most common access point for attacks, API inventory accuracy should increase and discovery performed more often.”
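The inventory-accuracy problem described above is concrete enough to show in code. The following script is an added example, not code from Akamai, SANS, or the report: it discovers API endpoints from access log lines, collapses per-record identifiers into path templates, and reconciles what was observed against what the inventory declares, reporting shadow endpoints (seen in traffic but not declared), unused declarations, and an overlap-based accuracy figure. The log lines, the declared inventory, and every path in it are constructed for illustration, and the accuracy metric (declared-and-observed over declared-or-observed) is a simple definition chosen here, not the survey's.

```python
import re
from collections import Counter

# Constructed inventory: what the organization believes is running (hypothetical paths).
DECLARED_INVENTORY = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
    ("GET", "/api/v1/reports/{id}"),   # declared, but never seen in the sample traffic
}

# Constructed access log lines in a common-log-like format (hypothetical hosts and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2023:10:00:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [01/Aug/2023:10:00:02 +0000] "GET /api/v1/users/1043 HTTP/1.1" 200 498
10.0.0.9 - - [01/Aug/2023:10:00:03 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/Aug/2023:10:00:04 +0000] "GET /api/v1/orders/77 HTTP/1.1" 200 1201
10.0.0.12 - - [01/Aug/2023:10:00:05 +0000] "GET /api/internal/export/7f3a9c HTTP/1.1" 200 90210
10.0.0.12 - - [01/Aug/2023:10:00:06 +0000] "DELETE /api/v1/users/1042 HTTP/1.1" 204 0
10.0.0.3 - - [01/Aug/2023:10:00:07 +0000] "GET /static/app.js HTTP/1.1" 200 3300
"""

# Pull method, path (query string dropped) and status out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3})')
API_PREFIX = "/api/"   # assumption: API traffic is distinguishable by path prefix


def normalize_path(path):
    """Collapse identifier-like segments (integers, hex ids, UUID-like) into {id}
    so that /users/1042 and /users/1043 count as one endpoint template."""
    parts = []
    for seg in path.strip("/").split("/"):
        if (re.fullmatch(r"\d+", seg)
                or re.fullmatch(r"[0-9a-f]{6,}", seg)
                or re.fullmatch(r"[0-9a-f-]{32,36}", seg)):
            parts.append("{id}")
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def discover_endpoints(log_text):
    """Return a Counter of (method, path template) for API requests seen in the log."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith(API_PREFIX):
            continue   # unparseable line or non-API traffic (static assets etc.)
        seen[(m.group("method"), normalize_path(m.group("path")))] += 1
    return seen


def reconcile(observed, declared):
    """Compare observed endpoints with the declared inventory.
    shadow  = observed but not declared (what discovery is meant to surface)
    unused  = declared but not observed in this window
    accuracy = |declared AND observed| / |declared OR observed| (simple overlap ratio)"""
    observed_set = set(observed)
    union = declared | observed_set
    return {
        "shadow": observed_set - declared,
        "unused": declared - observed_set,
        "accuracy": len(declared & observed_set) / len(union) if union else 1.0,
    }


if __name__ == "__main__":
    result = reconcile(discover_endpoints(SAMPLE_LOG), DECLARED_INVENTORY)
    print(f"inventory accuracy: {result['accuracy']:.0%}")
    for method, path in sorted(result["shadow"]):
        print(f"shadow endpoint: {method} {path}")
    for method, path in sorted(result["unused"]):
        print(f"declared but unobserved: {method} {path}")
```

Run against real logs, the same reconciliation would be scheduled per window (the report's point is that discovery should be performed more often), and the shadow list is the input to triage: an undeclared export or delete route is exactly the kind of endpoint that never reaches the security testing tools the survey says most organizations lack.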
Buyers are looking in multiple directions for API security
There was little consensus about acquiring new tools to close some of these API security gaps. When respondents were asked which solutions not currently in use their enterprises plan to implement in the next two years, the responses included a wide variety of options:
- Secure web gateways (14%)
- Dynamic application vulnerability testing (13%)
- Web application firewalls (13%)
- App/API security features within content delivery networks (13%)
- API security testing (12%)
- API discovery (10%)
With buyers seeking so many different solutions for application and API security, vendors — like Akamai — that can offer comprehensive solutions become far more compelling. Enterprises see significant benefits if they can access bot management, web application firewalls, and other requirements from a provider that also boasts a strong services organization covering multiple disciplines.
Extended detection and response technology
What’s more, new technology that applies extended detection and response (XDR) to APIs, providing visibility into all API activity, determining risk posture, and distinguishing normal from abusive behavior in order to stop threats, offers significant API protection advantages.
Akamai’s recent acquisition of Neosec furthers this trend. Enterprises can now get unprecedented levels of API behavioral analytics by combining the analysis of (a minimum of) 30 days of API activity with the visibility provided by the Akamai content delivery network.
The results of the SANS survey also provide interesting background when examining the release of the new OWASP Top 10 API Security Risks, which added several new risks to its list, including unrestricted resource consumption and unsafe consumption of APIs.
Agreement on frameworks
Speaking of OWASP: The survey did suggest some agreement on the frameworks that security professionals find valuable. More than half the respondents cited the OWASP Top 10 Web Application Security Risks (55%), the MITRE ATT&CK framework (55%), and the OWASP Top 10 API Security Risks (52%) as methods they use for defining application/API risks. The Cloud Security Alliance (40%) and the Center for Internet Security Critical Security Controls (33%) rounded out the top five spots.
Developer security training remains a priority
The report also found that, in general, enterprises remain focused on providing security training to developers: More than 75% of organizations reported providing security training to development staff. On the flip side, the report also found that more than 70% of respondents reported giving application security training to at least 25% of their security team.
Visibility and defense
Akamai App & API Protector provides a comprehensive app and API solution for web application and firewall protection, bot management, API security, and DDoS protection, giving businesses visibility into threats in their own environment, in addition to strong defenses. It quickly identifies vulnerabilities and mitigates threats across the entire web and API estate — even for the most complex distributed architectures.