Report: APIs Are a Serious Vulnerability

A recent report from Neosec has highlighted just how severe the disconnect is between the perceived API security practices and the reality of security challenges in organizations. The report—co-sponsored with Enterprise Management Associates (EMA) and entitled “API Security: Debunking the Myths”—has revealed that weaknesses caused when organizations focus more on external APIs and neglect authenticated B2B APIs create a false sense of security. This weakness causes organizations to lack the ability to discover and document all APIs in use, leaving them vulnerable to attacks.

EMA’s research indicates that nearly all respondents expose applications to the internet via application programming interfaces. Because 98.3% are experiencing increases in their usage, this is a critical security weakness. The report also shows that they contain sensitive data, with 80.8% of respondents saying that the data was personally identifiable information. However, 40.6% of organizations have less than half of their known APIs documented, and 25.3% have no visibility into which applications are processing sensitive data.

Gartner has already identified this issue as the most significant attack vector for 2022, and that trend is expected to continue into 2023. With weaknesses like those in Neosec’s report, we’ll likely see more serious attacks with far-reaching consequences. The ease of application programming interface implementation is a tremendous benefit for companies, but organizations need to be aware of the downfalls.

See also: APIs, Unlike Diamonds, Sometimes Are Not Forever

Many organizations aren’t acting fast enough to close loopholes

While 97.4% of respondents have a plan to protect their APIs, 52.7% of organizations plan to initiate a project to execute the plan this year, indicating that APIs remain unprotected today. The report suggests that a modern API security solution should be able to discover and document all APIs in use, monitor internal machine-to-machine APIs for misuse, and have threat-hunting abilities.

However, Neosec emphasizes the importance of compiling a comprehensive inventory of APIs and having visibility into the traffic within each of them to protect data and business processes from abuse and theft. This would help remove these security vulnerabilities and allow companies to take full advantage of application programming interface benefits.