New Research Released by Noname Security Reveals Disconnect

SAN JOSE, Calif., Sept. 15, 2022 (GLOBE NEWSWIRE) — Noname Security, the most complete, proactive approach to API security, today announced the findings from its API security report, “The API Security Disconnect – API Security Trends in 2022.” The report reveals a rapidly growing number of API security incidents related to a lack of API visibility, and a degree of misplaced confidence in existing controls.

Over three-quarters (76%) of respondents have suffered an API security incident in the last 12 months, primarily caused by Dormant/Zombie APIs, Authorization Vulnerabilities, and Web Application Firewalls.

Furthermore, nearly three-quarters (74%) of cybersecurity professionals do not have a complete API inventory or know which APIs return sensitive data.

This suggests that the majority of respondents will struggle to fix API security threats – and will not know which to prioritize – if they do not have real-time, granular visibility into the APIs in their ecosystems.

Other key findings include:

  • 71% were confident and satisfied that they were receiving sufficient API protection.
  • Less than half (48%) of respondents have visibility into the security posture of Active APIs.
  • Only 11% of respondents test APIs for indications of abuse in real-time.
    • 39% test less than once per day and up to once per week
  • 67% of respondents are confident that their DAST and SAST tools are capable of testing APIs.

Shay Levi, Noname Security CTO and co-founder, comments on the findings: “Our research has exposed a disconnect between the high level of incidents, low levels of visibility, effective monitoring and testing of the API environment, and misplaced confidence that current tools are preventing attacks. This emphasizes the need for further education by Security, AppSec, and development teams around the realities of API security testing.”

Legacy-based sectors struggle to keep pace with API security testing

Critical infrastructure sectors such as manufacturing and energy & utilities, which typically rely on legacy systems, ranked unfavorably when measured on a number of metrics. They ranked worst on the proportion of API security incidents in the last 12 months, with 79% of manufacturing and 78% of energy & utilities respondents saying they had experienced incidents of which they were aware.

Energy & utilities companies were also the least likely to have a complete inventory of APIs and know which return sensitive data, with just 19% confident on this point. Manufacturing organizations found it most difficult to scale API security solutions, with just 30% saying they found it easy. Furthermore, real-time testing was at its lowest in energy & utilities (7%), while manufacturing and energy & utilities were the most likely to conduct API security testing less frequently than once per month, with 20% and 21% doing so, respectively.

The relative lack of testing in these critical infrastructure sectors correlates with the number of API security incidents they have suffered in the last 12 months. This emphasizes the need for standards to be raised in sectors where personally identifiable information and intellectual property can potentially be seized by bad actors, let alone where physical infrastructure and vital services are at risk.

US and UK differ over API visibility and reporting

There were a number of differences in monitoring and visibility of APIs between the two countries surveyed, especially when it comes to reporting in real-time. More UK respondents (28%) have full API inventories and know which return sensitive data, compared to the US (24%).

Furthermore, a higher proportion of respondents in the US (44%) had visibility into their full inventory of APIs but were not aware of which ones return sensitive data, compared to 38% in the UK. This may suggest that US organizations are more concerned with API-driven growth than with securing existing APIs.

Disparity in API security approach across job roles

Responses from Application Security (AppSec) teams appear to differ significantly from other job functions surveyed. Compared to 81% of CISOs saying that they have experienced an API security incident, only 53% of AppSec professionals said they had. Additionally, 58% of CIOs said it was easy to scale API security solutions, while nearly a third (29%) of AppSec respondents admitted this was difficult.

In terms of testing, only 7% of AppSec professionals tested in real-time for indications of abuse, while 25% stated that they test for API security vulnerabilities less than once per week and up to once per month.

“The ongoing prioritization of digital transformation initiatives is introducing an increased number of applications – and therefore APIs – into organizations’ ecosystems,” added Levi. “The perceived gaps around API security testing between different job functions begs the question as to whether there is a lack of consistency across organizations of what is happening on the frontline. This needs to be addressed urgently; application development needs to adopt a ‘shift left’ approach to security testing, so that testing is undertaken pre-production and teams need to be educated about the benefits of doing this.”

“We’ve seen from the likes of Gartner that APIs are quickly becoming the most popular attack vector. Our research demonstrates that if businesses don’t address the security vulnerabilities and widening attack surface presented by an increasing number of APIs, their ability to innovate and offer end-user-friendly solutions will be stifled by potentially debilitating cyber-attacks,” concluded Levi.

Noname Security commissioned the independent research organization Opinion Matters to undertake the survey in July 2022. 600 senior cybersecurity professionals in the US and UK were surveyed from across a range of enterprise organizations in six key vertical market sectors: financial services, retail & eCommerce, healthcare, government & public sector, manufacturing, and energy & utilities.

The full results of Noname Security’s “The API Security Disconnect – API Security Trends in 2022” report are available from Noname Security.

About Noname Security
Noname Security is the only company taking a complete, proactive approach to API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley, California, and offices in Tel Aviv and Amsterdam.

Media Contact
Stephanie Schlegel
Offleash PR for Noname Security
[email protected]