The fragmented nature of API security ownership
While API security remains a top cybersecurity concern this year, there is still an alarming lack of implementation for most companies, according to Traceable AI.
Companies overlook API security
Companies are struggling with unchecked API sprawl, lack of clarity on who owns API security, and do not baseline behavior as part of their security capabilities.
With insights from more than 100 cybersecurity professionals, the study showed that though 69% of organizations claim to factor APIs into their cybersecurity strategy, 40% of companies do not have dedicated professionals or teams for API security, while 23% of respondents do not know if there is dedicated API security in their organization.
While many organizations (61%) don’t think they have experienced an API attack in the last 12 months, an alarming 36% of respondents are unsure.
Organizations struggle with API sprawl
- 40% of organizations do not have a dedicated API security professional or team.
- API security ownership remains fragmented between different teams, with 38% of respondents claiming the CISO owns it, while 25% claim Development and/or DevOps takes ownership; and 24% of respondents simply don’t know.
- 66% of respondents either struggle with API sprawl, or do not know if their company is managing API sprawl effectively.
- 40% of cybersecurity professionals’ companies don’t have an API security solution, and 29% are unsure if their organization is securing APIs at all.
- Among those who have adopted API security tools, 25% of professionals’ solutions can’t baseline API behavior and identify abnormal activity potentially indicative of an API attack; 50% of respondents were unsure if their API security solution had these capabilities.
“With APIs being a universal attack vector and the cause of some of the biggest data breaches in recent years, it’s very concerning to find out that 40% of organizations do not have a dedicated API security professional or team to tackle this problem, with 23% unsure if they had a team at all. Equally concerning is that 40% of organizations do not have an API security solution in place,” said Richard Bird, CSO at Traceable.
“In the past, hackers had to devise strategies for getting around existing defenses in order to locate data and interfere with systems. Now, they can simply exploit an API and obtain access to sensitive data without even exploiting the other solutions in the security stack. This is why more organizations need to take API security seriously and make it an integral part of their broader cybersecurity strategy,” concluded Bird.