A new study reveals exactly why the security of application programming interfaces (APIs) has become such a critical issue for the majority of organizations.
Nearly all organizations (97%) have experienced delays in releasing new applications and service enhancements due to concerns regarding the security of their API environments, according to a recent Cloudentity survey of 300 IT decision-makers on issues related to API security. Nearly half (44%) say they have experienced substantial API security issues involving data leakage and the exposure of private information.
"The most surprising thing we found in the report is the pervasiveness of the problem coupled with the inability to address the problem" within organizations, says Nathanael Coffing, CSO and co-founder of Cloudentity.
Factors such as the financial cost associated with API security, fast application delivery time lines, and lack of awareness are hampering organizations' ability to secure API use in their environments, he says.
"Only 2% of respondents are highly confident in their organization's ability to reduce API data security issues like unauthorized access, data privacy, and compliance risks," Coffing notes.
As a result, 93% say they plan to increase their budgets and resources for API security — 64% say they will increase by as much as 15%. The top focus for increased spending includes implementing zero-trust controls, invoking policy as code, and enabling better management of privacy consent, the study found.
Application modernization efforts and digital transformation initiatives have led to an explosion in API use in recent years. APIs enable applications and services to communicate with each other on internal networks, as well as externally. For developers, APIs reduce much of the integration work that would otherwise be necessary to get different applications to talk with each other. In an increasingly online world, almost all organizations use APIs to connect internal applications and data with users and partners. But since many don't pay adequate attention to security, they expose sensitive data and application logic to attackers in the process. Unsurprisingly, APIs have recently become an increasingly high-value target for attackers.
A Salt Security survey conducted earlier this year showed API use within its customer base tripled over the past 12 months, from an average of 28 APIs per organization in July 2020 to 89 in June 2021. Over a six-month period, the vendor observed the per-customer average API call volume rise to 470 million calls in June 2021, up from 195 million calls last December. Over the same period, attempted hostile use of APIs grew from an average of 2.73 million attack calls per month to 12.22 million attack calls per month.
Similar to Cloudentity's survey, Salt Security's study also showed nearly every organization experienced an API security incident over the past 12 months. Eleven percent experienced more than 500 API attacks every month.
Cloudentity's research reveals that 44% of organizations have experienced substantial to significant API authorization issues that involved a privacy breach, data leakage, or other exposure through internal and/or external-facing APIs. Applications today are assembled out of internally developed APIs, partner APIs, and third-party SaaS platform APIs, and more often than not, they provide limited authentication, authorization, and data protection capabilities, Coffing says.
"One of the most pervasive examples is broken object level authorization," Coffing says.
This is a kind of vulnerability in which an application does not correctly verify whether the user performing a request has the required privileges to make that request. OWASP has identified it as one of the top API vulnerabilities because of how prevalent it is within APIs.
"Broken object level authorization vulnerabilities in the past month have exposed tens of millions of user records and their associated personally identifiable information," Coffing says. The vulnerability has caused organizations to violate existing privacy laws such as GDPR and CCPA, he notes.
A Complicated Problem
One of the top contributors to API-related risks is the complexity of component-driven application development. Cloudentity found many organizations have trouble diagnosing or monitoring API security issues because of data lineage gaps. Another common problem is inconsistent policies in place for API security management. Eighty-five percent of the respondents in Cloudentity's survey, for instance, report having a decentralized level of API policy management in their organization.
"APIs are substantially more difficult to address due to their pervasiveness, the advent of distributed apps, and the usage of multiple app platforms for those APIs, such as multicloud, multi-API gateway, and multi-Kubernetes clusters," Coffing says.
Zero trust at the API should be the end goal for any API security program, he says.
"Zero trust means authenticating the service, authenticating the requestor, authenticating the client, and then authorizing and auditing every data element that goes across the wire," Coffing explains.