Although APIs are essential to many operations and widely used, a lack of prioritization and understanding is leading us toward a growing API security crisis, according to a report from Traceable AI and the Ponemon Institute.
The urgency of API security
Over the past two years, 60% of organizations have experienced at least one API-related breach. 74% of them have experienced three or more incidents, revealing a landscape of unrelenting threats, and 23% have suffered six or more breaches.
Alongside fraud and known attacks, DDoS (38%) emerges as the leading method of API breaches. Additionally, 58% of respondents believe that APIs significantly expand the attack surface for organizations.
38% can discern complex context among API activity, user behaviors, and data flow. Additionally, 57% of respondents believe that traditional security solutions, including web application firewalls, cannot effectively distinguish genuine API activity from fraudulent activity.
While 61% of respondents anticipate an increase in API risks over the next two years, organizations also face challenges such as API proliferation (48%) and maintaining an accurate inventory (39%).
Faced with an average of 127 third-party API connections, 33% express confidence in managing these external threats. This situation is exacerbated by uncertainties around the volume of data transmitted through their APIs, highlighting an urgent need for advanced breach detection solutions.
- 59% of respondents agree that APIs are very important to the digital transformation of their organization. However, despite this, 43% of respondents admitted to not prioritizing API security.
- 60% of respondents say their organization has suffered at least one data breach caused by API exploitation.
- Only 39% of APIs are continually tested for vulnerabilities.
- As a result, organizations are able to prevent, on average, only 26% of attacks, and only 20% of API attacks can be effectively detected and contained.
“At a time when digital ecosystems are intrinsically linked to our operational fabric, this report highlights the iceberg hidden beneath the API landscape. It is alarming that the majority of companies are navigating these dangerous waters with a significant blind spot, unprepared and underestimating the very real threats associated with APIs,” said Richard Bird, CSO of Traceable.
“As a security community, we must address this glaring disconnect, prioritizing API security as a cornerstone of our cyber defense strategy. It’s time for API security to move from the server room to the boardroom. Only in this way can we hope to stay ahead of the evolving threat landscape,” Bird concluded.