New research confirms the need for end-to-end API security
Until just a few years ago, web applications were the dominant platform for all things digital, and APIs were tools used to solve development problems. Driven by the ubiquity of mobile devices, cloud adoption, and the move towards agile, iterative, microservices-based development methodologies, APIs are now the connective tissue of everything we do digitally. The apps we use on our devices for work and pleasure, our favorite shopping, money management and travel websites, and even the cars we drive all use APIs heavily.
Designed for machine-to-machine communication and carrying both the desired function and its payload, APIs have won developers over for their ability to quickly connect application elements and cloud services to create engaging user experiences. Attackers, who are developers at heart, love them for the same reasons, but with malicious end goals in mind. To dig deeper into the details of the explosive use of APIs, the security challenges they pose, and how best to address those challenges, Cequence Security recently partnered with ESG to conduct a survey of 366 IT and cybersecurity professionals.
Cloud drives container and API growth
The survey found that over the next two years, the share of organizations using APIs exclusively for their web and application development will almost triple, and 41% will use APIs for more of their development, nearly double today's figure. Factors driving the use of APIs include the move towards iterative and modular application development methodologies in which APIs connect the different components together. As proof, 71% of respondents said that in two years at least half of their applications will be based on microservices, a significant increase from the current 39%.
Validating the trend of deploying applications where it makes the most sense (cloud vs. data center vs. hybrid), 35% of organizations said that 30% or more of their applications and websites are currently deployed in the cloud, a figure that rises to 67% of organizations in two years. In summary, the use of microservices-based, cloud-native architectures will outpace the growth of cloud-resident applications, which means that many organizations will support hybrid application environments.
API security threats on the rise
Highlighting the challenges security teams face, the survey asked respondents to rank how often they had seen thirteen different types of attacks in the past year, and no single attack type was seen more frequently than 34%. Each of the thirteen attack types can be executed against an API more easily than against a web application, a fact that further reinforces why attackers love APIs. The listed attacks are often used in combination, with one attack as a precursor to a second or third. As an example, an attack against misconfigured APIs (#7 on the list) may have been an exploit against misconfigured authentication or a Broken Object Level Authorization (BOLA) attack, ranked #1 on the OWASP API Security Top 10. The results of the BOLA attack could then be used in credential stuffing, account takeovers, and the creation of fake accounts, all of which appear in the OWASP list of automated threats.
The relatively tight clustering of attacks observed confirms the top challenge organizations face when it comes to API protection: 41% of respondents consider keeping pace with the changing API threat landscape to be their biggest challenge. While that top challenge is protection-focused, the remaining challenges are more process-focused and reflect how APIs have been developed and deployed. In the past, APIs were less widely used and developers had more freedom in where and when to deploy them. In many cases, APIs were used internally, which meant less attention to security. Today, APIs are at the heart of most organizations' digital footprint, but many of the past policies and procedures remain in place. This premise is supported by the need to apply more rigor to some of the other top challenges listed, such as managing sensitive data (39%), maintaining an accurate API inventory (37%), and adopting API specification frameworks (35%), which improve coding quality, consistency, and security. Each of these challenges, if left unchecked, exposes organizations to data loss, compliance breaches, and overall business disruption.
Gaps remain throughout the API security lifecycle
The current trajectory of API adoption and all that surrounds it is not that different from past technology adoptions, with some organizations being much further along in the API lifecycle than others. Generally speaking, all organizations will begin their journey in one of the five phases listed below.
In some organizations, the journey starts in development as part of a DevOps effort, with an API testing tool. In other organizations, the security team is responsible for responding to the increase in API attacks. The varied starting points help explain the wide range of tools respondents use to protect their APIs. The list included firewalls, WAFs and IPS as well as API security products. This spread of tools highlights the nascent state of API security, with the survey confirming that no single offering provides the effective coverage for visibility, analysis, threat detection, mitigation and testing that an ideal solution would provide. Respondents said their existing tools were seriously ineffective, with less than 45% saying their tools were completely effective, a failing grade by most standards. Although the question was not asked directly, one could argue that the wide range of tools, nearly all standalone and each dealing with only one piece of the puzzle, may be one of the reasons for this lack of effectiveness.
An opportunity for consolidation
Organizations reported using a variety of tools to discover and secure their APIs, noting that no one tool meets all the requirements, which may be the source of some of the challenges discussed above. Additionally, of all the tools used to discover and secure APIs, less than half of respondents rated them as fully effective. The disparate tools open the door to a unified or consolidated approach to API security. The survey points to a consolidated Web Application and API Protection (WAAP) platform as one approach, but with an emphasis on API security. An alternative approach is to focus on the five phases of an API's security lifecycle and seek a unified solution that meets the requirements for discovery, tracking, risk assessment, threat detection, and prevention. For additional insight into the API security challenges your peers are facing and how they are working to address them, download the ESG Trends in Modern Application Protection e-book today.
Cequence Security helps customers transform their API security with an end-to-end, scalable API protection solution that prevents API threats while tracking and analyzing known and unknown APIs to detect vulnerabilities, helping developers eliminate coding errors. Find out how Cequence is different.
Source: ESG eBook, Trends in Modern Application Protection, May 2022.
*** This is a Security Bloggers Network syndicated blog from Cequence, written by Matt Keil. Read the original post at: https://www.cequence.ai/blog/end-to-end-api-security/