We’ve reached a tipping point where APIs have become a critical enabler of digital transformation for businesses across all industries—from Amazon.com to Burberry to First Data. Yet keeping APIs secure is often an afterthought for enterprise security teams. The recent Cambridge Analytica scandal at Facebook highlights this unsettling reality. The social media giant’s lax privacy policies and leaky APIs prompted Facebook to suspend hundreds of apps and tighten its API policies.
It’s a major wake-up call for enterprise security teams everywhere. If Facebook’s world-class security apparatus can overlook a major vulnerability in one of its APIs, any company can. For enterprising hackers, APIs offer soft targets as far as the eye can see.
To get a better read on the most immediate concerns and threats surrounding APIs, we surveyed 100 security and IT professionals at IDENTIFY 2018 in San Francisco and New York.
Here are some of the key findings and takeaways from the survey:
API sprawl is a growing issue: 25% of respondents say their company has over 1,000 APIs, while 35% report having between 400–1,000 APIs. This suggests that APIs are continuing to expand at an accelerated rate. A January 2018 survey found that companies manage 363 different APIs on average, with 39.2% managing between 400–1,000 APIs and 7.2% managing over 1,000 APIs.
Lack of visibility into APIs is all too common: 45% of respondents aren’t confident in their security organization’s ability to detect whether a bad actor is accessing their APIs. In fact, 51% aren’t even confident their security team knows about all of the APIs that exist in the organization. This illustrates one of the greatest obstacles to effective API security today—the people trusted with securing APIs don’t always know where they are. As the saying goes: You can’t protect what you can’t see.
API breaches are often a black box: 30% of respondents don’t know whether their organization has experienced any breaches, leaks or other security incidents involving APIs. It’s no wonder API security is overlooked so often when it’s talked about so seldom. To make it a priority, security teams need to find more and better ways to communicate the urgency of API security to organizational leadership.
Nation-states could weaponize APIs next: 75% of respondents believe we will see nation-states targeting or exploiting APIs in the next year. As the API economy expands to every corner of modern business and society, the arrival of sophisticated state actors is inevitable. The question security teams need to ask is whether they’re ready for it or not.
Watch your back, Wall Street and Washington: 40% of respondents believe financial services companies will become the most heavily targeted industry for API attacks in the coming year. Government came in second with 20% of the vote. Looking ahead to 2019, expect more sophisticated attacks on APIs, especially in industries where the data moving between applications and services is extremely valuable.
“Now is not the time to ignore cyber security threats targeting APIs,” said Jason Bonds, vice president, Intelligence at Ping Identity. “We’re quickly moving from a world where the average enterprise manages a handful of APIs and web services to one where they are contending with thousands of APIs and microservices. And, these are spanning multiple infrastructure providers and regions around the globe. To succeed, enterprises need to move beyond basic API administration and create a more holistic API cyber security strategy that connects across the entire organization.”