Phishing, misconfigurations and missing patches are top concerns among security leaders, but they also say their organizations are letting observability tools gather rust.
Content delivery, security and cloud services company Akamai, in partnership with U.S. cybersecurity training company SANS Institute, released on Tuesday the results of a new study examining the most worrisome security risks related to APIs. The 2023 SANS Survey on API Security found that the top risk is phishing attacks.
In addition, the 2023 global survey, which polled 231 application security professionals, found that fewer than 50% of respondents have API security testing tools in place and only 29% have API discovery tools. It also found that only 29% of respondents use the API security controls that are already included in DDoS and load balancing services.
Jump to:
When asked what they perceived as the top API security risk, respondents most often said:
Figure A
Akamai reported earlier this year that 2022 broke records for application and application programming interface attacks. Part of the problem is the sheer number of APIs in use by organizations, which is an issue that fits nicely into the “you don’t know what you don’t know” risk bucket.
John Pescatore, director of emerging security trends at SANS and author of the 2023 study, pointed out that the proliferation of APIs is emblematic of how complexity is the enemy of security. He also explained how the very nature of distributed applications increases the threat surface for attackers and the likelihood of vulnerabilities being part of production code.
In the new study, Akamai cites a report by 451 Research that states the average enterprise has more than 15,000 APIs in use. To give a sense of the volume of attacks, Akamai earlier this year reported that on one day, Oct. 8, 2022, there were 161 million API attacks worldwide.
SEE: The C-suite considers API security a top concern (TechRepublic)
According to the report, the survey’s respondents said they planned to close API security gaps in the future with:
Figure B
The Akamai study suggests that respondents are giving too little weight to the risk of misconfigured applications and too much to zero-day risks, according to Rupesh Chokshi, general manager of application security at Akamai.
“An organization’s API security plan should include building secure APIs and configuring applications correctly. At the same time, organizations should understand zero-day risks, such as how APIs become vulnerable and at risk of exploitation. The distinction is important because it shows that robust API security needs to give significant weight to every aspect of the API lifecycle; otherwise, vulnerabilities will be missed,” said Chokshi.
Ory Segal, chief technology officer of Palo Alto Networks Prisma Cloud, concurred that misconfiguration in modern, cloud-native applications poses a substantial risk that is frequently underplayed by organizations.
“Unfortunately, many focus their attention towards zero-day risks and known vulnerabilities in open source software packages (i.e., common vulnerabilities and exposures). However, statistics and reality show that attackers are more likely to exploit application layer misconfigurations, exposing organizations to significant risk and potential data breaches — just look at the number of recent breaches involving publicly open cloud storage buckets.”
Among Segal’s recommendations:
Pescatore wrote that an organization’s API security plan should encompass:
Sixty-two percent of respondents to the survey said they use web application firewalls as part of API risk mitigation, and 79% of survey takers reported training development staff on application security. Also, 57% of respondents reported API inventory accuracy of between 25% and 75%.
SEE: Gigamon report shines light on deep observability (TechRepublic)
“Security hygiene controls like strong authentication, asset inventory, vulnerability management and change control need to address API security issues,” Pescatore wrote. “Prevention and detection need to be upgraded to deal with API-centric attacks, and infrastructure services (such as content delivery networks and denial of service filtering) need to be put to work as well.”