This is the last of my three guest blogs as part of our collaboration with Cequence. In the first blog post, on August 30th, I wrote about how the level of knowledge of API security has increased since our first research in 2019, but that more needs to be done to secure API usage in today’s hyper-connected world. In the second blog post, on September 13, I noted that despite increasing levels of API security maturity, significant breaches and detected vulnerabilities continue to occur at a rapid rate, and I provided four recent examples of API blunders and the root cause of each.
API security continues to be a hot topic, as APIs are now ubiquitous and are the foundation of digital transformation initiatives, cloud journeys and open banking deployments around the world. To continually assess the state of API security, we rely on interviews and surveys with tech professionals as well as the great work of renowned security researchers who are battle-testing APIs to uncover potential vulnerabilities. Together, these data sources inform our opinions on API security and help organizations with recommendations to improve their API security efforts.
Cequence recently commissioned an API security survey that gathered responses from 100 technology leaders. The survey looked at the methods their organizations use to strengthen API security, as well as their adoption and use of API specifications. Some key findings from the Cequence survey follow, along with this analyst’s perspective based on our other API security research.
Survey data point 1
Just over half (51%) of technology leaders indicated that they viewed their organization’s adoption of API security best practices as a focused effort, defined more precisely as having implemented API testing and application-level controls for some APIs or teams, but not all.
Analyst’s point of view – This finding is consistent with other recent research and highlights that a growing number of tech professionals now recognize the importance of API security, the need to implement controls and monitoring, and the commitment required to reduce the risks to their organizations.
Survey data point 2
When asked what tools are used to assess API security, 31 respondents (31%) indicated that no tools are used. The other responses were: Dynamic Testing (DAST) 45%, Static Testing (SAST) 34%, Runtime Application Security Testing (RAST) 21%, runtime API security assessment 18%, and runtime enforcement of API security specifications 6%.
Analyst’s point of view – In the August 2020 Aite Group research report “API Security: Best Practices for FIs and Fintech and Insurtech Companies”, we noted that only 2 of the 31 companies we surveyed were performing API-specific security testing. Cequence’s survey results indicate growing interest in API security testing, but clearly demonstrate that more needs to be done.
Survey data point 3
The survey asked whether the respondent’s company had API specifications for APIs developed in-house. Only 24% indicated that specifications are required for all APIs, and 54% indicated that some, but not all, of their organization’s APIs have documented specifications. Of particular interest is that 13% of respondents indicated that the development of API specifications is only just beginning, and 9% indicated that they have no API specifications at all.
Analyst’s point of view – As we noted earlier, we consider API specifications to be a fundamental part of API security. The specifications define how the API works and how it relates to data sources and other APIs. Developing specifications can help uncover potential gaps in authentication and authorization, because every operation’s access requirements are written down and can be reviewed. Developing specifications can also lead to a threat modeling exercise with security professionals to determine “… so what’s the worst that can happen?” Based on the survey responses, this area appears to be an excellent candidate for improvement.
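To make the point above concrete, here is an added example (written for this post, not Cequence’s or the survey’s code) of the kind of authentication-gap review a documented specification makes possible. It walks an OpenAPI 3 document and reports every operation that ends up with no authentication requirement, every operation that permits anonymous access as an alternative, and every reference to a security scheme that is never defined. The spec embedded in the script is constructed for the example; the `/login` allowlist and the `adminKey` scheme name are assumptions, not values from any real API.

```python
"""Added example: audit an OpenAPI 3 document for authentication gaps.

OpenAPI rules applied here (from the OpenAPI 3 specification):
  * A document-level `security` list is the default for every operation.
  * An operation-level `security` list replaces that default entirely.
  * An explicit empty list (`security: []`) means the operation is
    intentionally unauthenticated.
  * An empty requirement object (`{}`) inside the list means "anonymous
    access is one acceptable alternative".
"""

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample document. There is no document-level `security`, so an
# operation without its own `security` block has no authentication requirement.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed sample API", "version": "1.0"},
    "components": {
        "securitySchemes": {
            "bearerAuth": {"type": "http", "scheme": "bearer"},
        }
    },
    "paths": {
        "/login": {
            # Intentionally anonymous: this is where a token is obtained.
            "post": {"summary": "Exchange credentials for a token", "security": []},
        },
        "/accounts/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            # No `security` here and none at document level: a gap.
            "get": {"summary": "Read an account"},
            # Authenticated, with a scope recorded for later authorization review.
            "delete": {"summary": "Close an account",
                       "security": [{"bearerAuth": ["accounts:write"]}]},
            # `{}` as an alternative quietly allows unauthenticated calls.
            "patch": {"summary": "Update an account",
                      "security": [{"bearerAuth": []}, {}]},
        },
        "/admin/users": {
            # References a scheme that components.securitySchemes never defines.
            "get": {"summary": "List users", "security": [{"adminKey": []}]},
        },
    },
}

# Assumed allowlist of operations that are meant to be reachable without a token.
ALLOW_ANONYMOUS = frozenset({("post", "/login")})


def effective_security(spec, operation):
    """Return the security requirements that actually apply to `operation`."""
    if "security" in operation:          # operation-level list overrides the default
        return operation["security"]
    return spec.get("security", [])      # fall back to the document-level default


def audit_security(spec, allow_anonymous=frozenset()):
    """Return sorted (method, path, issue) tuples for every gap found."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:       # skip path-level keys such as `parameters`
            op = item.get(method)
            if op is None:
                continue
            requirements = effective_security(spec, op)
            if not requirements:
                if (method, path) not in allow_anonymous:
                    findings.append((method, path, "no authentication requirement"))
                continue
            if any(not requirement for requirement in requirements):
                findings.append((method, path, "anonymous access permitted as an alternative"))
            for requirement in requirements:
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append((method, path, f"undefined security scheme '{scheme}'"))
    return sorted(findings)


if __name__ == "__main__":
    for method, path, issue in audit_security(SAMPLE_SPEC, ALLOW_ANONYMOUS):
        print(f"{method.upper():8}{path:18}{issue}")
```

Running the script on the constructed document lists three gaps: the unauthenticated account read, the anonymous alternative on the account update, and the undefined `adminKey` scheme. Adding a document-level `security` default removes the first of those, which is exactly the kind of review the survey’s specification question is getting at: without a written specification there is nothing to check.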
Survey data point 4
API visibility continues to be a key indicator of API security maturity. The survey asked technology leaders how many APIs are used in their organizations and what methods are used to arrive at their counts. The results were:
Number of APIs:
1 – 20: 38%
21 – 50: 22%
51 – 100: 20%
101 – 500: 14%
Counting method:
We don’t keep an inventory – that’s my gut guess: 20%
We manually maintain an inventory of all our APIs: 64%
We use an automated tool to track an inventory of our APIs: 16%
Analyst’s point of view – These numbers do not match our previous research on API visibility and appear to be extremely low. While the Cequence survey included organizations outside of financial services, we know API usage is growing rapidly across all industries. The results are either an anomaly or a sign of a persistent lack of API visibility – and an increased risk of vulnerabilities or breaches due to poor monitoring. With just 16% of tech leaders reporting that automated tracking tools are used, this is another area for improvement.
I encourage anyone interested in API security to review the full details of the Cequence survey, as it provides an excellent overview of the current state of API security practices in 100 organizations.
And a reminder that I will be presenting further research and recommendations on API security with Cequence Co-Founder and CTO Shreyans Mehta in the “Shielding Right to Strengthen Shift Left: Here’s How” webinar on October 6th.
Joseph has been a cybersecurity analyst since 2019. He has worked in the information security field for over 45 years. His previous roles include operations officer for the US intelligence community, CISO at large publicly traded companies, and cybersecurity strategy consultant for Accenture and PwC. He has worked in 115 countries and has a keen interest in disruptive and emerging cybersecurity technologies.
The article “The Analyst Perspective – Observations from Cequence’s 2021’s API Specification Survey” appeared first on Cequence.
*** This is a syndicated Security Bloggers Network blog from Cequence written by Joseph Krull. Read the original post at: https://www.cequence.ai/blog/the-analyst-perspective-observations-from-cequences-2021-api-specification-survey/