API usage up at most organizations, but large amounts go undocumented

The vast majority of organizations have increased their usage of APIs, but many do not document all of them, according to a Radware survey.

Radware on Thursday reported that 92% of organizations surveyed have significantly or somewhat increased their API usage, with 59% already running most of their applications in the cloud.

And while some 92% believe they have adequate protection for their APIs and 70% believe they have visibility into applications that are processing sensitive data, 62% admit one-third or more of APIs are undocumented.

Radware, which conducted the survey with Enterprise Management Associates, said these undocumented APIs leave organizations vulnerable to cyber threats, such as database exposures, data breaches, and scraping attacks.

“This makes for a large gap in protection, leaving APIs exposed and vulnerable,” said Prakash Sinha, senior director and technology evangelist for application security and delivery at Radware. “The accelerated shift to the cloud is only compounding the problem. Since most cloud-native apps are built using APIs and accessible over the web, unsecured APIs will lead to data breaches. Malicious threats are even more likely and damaging for those APIs that are both undocumented and unsecured.”

Michelle McLean, vice president at Salt Security, said that because cloud-native design relies on new technology stacks, such as containers, Kubernetes, and service mesh, API development, integration and consumption have become a requirement, which ultimately creates a larger attack surface. In addition to cloud complexity itself, McLean said the cloud also increases exposure of some assets beyond more well-understood, on-premises data center environments.

“Because of this, there has been a significant spike in the number and severity of API attacks with 95% of organizations having experienced an API incident,” McLean said. “This research reinforces the fact that API security is vastly under-prioritized, and the time is now to turn the dial and incorporate adequate solutions as old tools are simply not enough.”

Scott Gerlach, co-founder and CSO at StackHawk, said with more workloads being distributed across clouds and development teams moving to API-driven architectures, having visibility into every endpoint has become a critical piece of security. The recent API-driven breaches at Bumble and Coinbase are just two examples of the criticality of this issue, noted Gerlach.

“Documenting APIs is a great first step in improving your organization’s security posture, and is an opportunity for security and development teams to collaborate,” Gerlach said. “Modern security testing tooling can ingest that documentation to ensure that APIs are being fully tested for security issues every time a developer checks in code to keep organizations better protected.”
