Radware on Thursday reported that 92% of organizations surveyed have significantly or somewhat increased their API usage, with 59% already running most of their applications in the cloud.
And while some 92% believe they have adequate protection for their APIs and 70% believe they have visibility into the applications that process sensitive data, 62% admit that one-third or more of their APIs are undocumented.
Radware, which conducted the survey with Enterprise Management Associates, said these undocumented APIs leave organizations vulnerable to cyber threats, such as database exposures, data breaches, and scraping attacks.
“This makes for a large gap in protection, leaving APIs exposed and vulnerable,” said Prakash Sinha, senior director and technology evangelist for application security and delivery at Radware. “The accelerated shift to the cloud is only compounding the problem. Since most cloud-native apps are built using APIs and accessible over the web, unsecured APIs will lead to data breaches. Malicious threats are even more likely and damaging for those APIs that are both undocumented and unsecured.”
Michelle McLean, vice president at Salt Security, said that because cloud-native design relies on new technology stacks, such as containers, Kubernetes, and service mesh, API development, integration and consumption have become a requirement, which ultimately creates a larger attack surface. In addition to cloud complexity itself, McLean said the cloud also increases the exposure of some assets beyond the more well-understood, on-premises data center environments.
“Because of this, there has been a significant spike in the number and severity of API attacks with 95% of organizations having experienced an API incident,” McLean said. “This research reinforces the fact that API security is vastly under-prioritized, and the time is now to turn the dial and incorporate adequate solutions as old tools are simply not enough.”
Scott Gerlach, co-founder and CSO at StackHawk, said with more workloads being distributed across clouds and development teams moving to API-driven architectures, having visibility into every endpoint has become a critical piece of security. The recent API-driven breaches at Bumble and Coinbase are just two examples of the criticality of this issue, noted Gerlach.
“Documenting APIs is a great first step in improving your organization’s security posture, and is an opportunity for security and development teams to collaborate,” Gerlach said. “Modern security testing tooling can ingest that documentation to ensure that APIs are being fully tested for security issues every time a developer checks in code to keep organizations better protected.”
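The practical gap the survey describes, APIs that serve live traffic but appear in no documentation, is something a team can measure directly by diffing what its gateway or access logs actually see against what the OpenAPI document declares. The script below is an added illustration, not code from Radware, Salt Security or StackHawk: the OpenAPI document and the access-log lines are constructed for the example, and the matching assumes that every path parameter (`{userId}`) occupies exactly one path segment and that the spec's paths are written relative to the same prefix as the logged request targets. It reports two kinds of shadow endpoint separately, a known path served with an undocumented method, and a path the spec does not mention at all, because the second kind is the one most likely to be completely unsecured.

```python
"""Shadow-API discovery: diff observed requests against an OpenAPI 3 document.

Added example with constructed inputs; the spec and log lines below are not
taken from any real service.
"""
import re
from collections import Counter

# Constructed OpenAPI 3 fragment: only the "paths" object matters here.
OPENAPI_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/api/v1/users/{userId}": {"get": {}, "patch": {}},
        "/api/v1/users/{userId}/photos": {"get": {}},
        "/api/v1/orders": {"get": {}, "post": {}},
    },
}

# Constructed access-log lines (combined log format style).
ACCESS_LOG = """\
10.0.0.5 - - [12/Jul/2022:10:01:02 +0000] "GET /api/v1/users/1234 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jul/2022:10:01:03 +0000] "GET /api/v1/users/1234/photos HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jul/2022:10:01:04 +0000] "POST /api/v1/orders HTTP/1.1" 201 128
10.0.0.9 - - [12/Jul/2022:10:01:05 +0000] "DELETE /api/v1/users/1234 HTTP/1.1" 204 0
10.0.0.9 - - [12/Jul/2022:10:01:06 +0000] "GET /api/v1/users/1234/export?format=csv HTTP/1.1" 200 90000
10.0.0.9 - - [12/Jul/2022:10:01:07 +0000] "GET /api/internal/debug/config HTTP/1.1" 200 4096
10.0.0.9 - - [12/Jul/2022:10:01:08 +0000] "GET /api/v1/users/1234 HTTP/1.1" 200 512
"""

# Pulls the request line out of a log record; everything else is ignored.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def template_to_regex(template):
    """Turn '/users/{userId}/photos' into a regex; each {param} matches one segment."""
    parts = []
    for segment in template.split("/"):
        if segment.startswith("{") and segment.endswith("}"):
            parts.append(r"[^/]+")  # assumption: a parameter never spans segments
        else:
            parts.append(re.escape(segment))
    return re.compile("^" + "/".join(parts) + "$")


def load_spec_routes(spec):
    """Return (METHOD, template, compiled regex) for every documented operation."""
    routes = []
    for template, operations in spec["paths"].items():
        rx = template_to_regex(template)
        for method in operations:
            routes.append((method.upper(), template, rx))
    return routes


def match_route(method, path, routes):
    """Classify one request: documented, known path with undocumented method,
    or a path the spec does not mention at all."""
    path_known = False
    for route_method, template, rx in routes:
        if rx.match(path):
            if route_method == method:
                return template, "documented"
            path_known = True
    return None, ("method-not-documented" if path_known else "path-not-documented")


def classify_requests(log_text, spec):
    """Yield (method, path, template_or_None, kind) per parsable log line."""
    routes = load_spec_routes(spec)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an HTTP request record; skip rather than guess
        method = m.group("method")
        path = m.group("target").split("?", 1)[0]  # query string is not part of the route
        template, kind = match_route(method, path, routes)
        yield method, path, template, kind


def find_undocumented(log_text, spec):
    """Sorted (method, path, kind, hit_count) for every request the spec does not cover."""
    counts = Counter()
    kinds = {}
    for method, path, _template, kind in classify_requests(log_text, spec):
        if kind != "documented":
            counts[(method, path)] += 1
            kinds[(method, path)] = kind
    return sorted((m, p, kinds[(m, p)], n) for (m, p), n in counts.items())


def coverage(log_text, spec):
    """(documented_hits, undocumented_hits): the visibility gap as two numbers."""
    documented = undocumented = 0
    for _method, _path, _template, kind in classify_requests(log_text, spec):
        if kind == "documented":
            documented += 1
        else:
            undocumented += 1
    return documented, undocumented


if __name__ == "__main__":
    for method, path, kind, hits in find_undocumented(ACCESS_LOG, OPENAPI_SPEC):
        print(f"{kind:22s} {hits:4d}  {method} {path}")
    print("documented/undocumented hits:", coverage(ACCESS_LOG, OPENAPI_SPEC))
```

Run against the constructed log, the report lists the `DELETE` on a documented user path as a method gap and flags `/api/v1/users/{id}/export` and `/api/internal/debug/config` as paths absent from the spec; the last of those is the kind of internal route that appears in nobody's documentation and therefore in nobody's test plan. In a real deployment the log text would come from the API gateway or load balancer, the spec from the repository, and the same comparison can run in CI so that a newly added route either lands in the OpenAPI document or fails the build.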