Rapid API Growth Increases Cyber Security Risks
Decision-makers see APIs as a Trojan horse for cyber attacks, but most are not investing in the right security applications.
This is the conclusion of a survey of 235 IT and cyber security experts. APIs have long been recognised as one of the cornerstones of the digital economy. Recent figures show that the majority of all internet traffic is now handled via APIs.
Advanced API security: in short supply
The ubiquity of APIs means that they have become one of the most popular gateways for cyberattacks. In the Fastly survey, 84 percent of respondents admitted that they do not have advanced API security in place.
The lack of measures against API misuse occurs even though the vast majority of decision makers are aware that there are problems in this regard. 95 percent of companies surveyed said they had experienced problems with API security in the last twelve months. More than three quarters have delayed the launch or integration of a new application due to API security concerns. In addition, 79 percent said they place a high or very high importance on API security. When asked why none of this had been implemented, “insufficient budget” and “lack of expertise” were the most frequently cited reasons.
“This is surprising considering that the operational costs and reputational damage resulting from a security breach far outweigh the cost of deploying a consolidated web application and API security solution,” says Jay Coley, Senior Security Architect at Fastly.
Credential stuffing and misuse of business logic
Credential stuffing, business logic abuse and DDoS attacks are just a few of the malicious automated bot attacks used to take over accounts and commit identity theft and fraud. Readily available scripts and tools make it easier than ever to orchestrate API attacks, and traditional bot defense techniques struggle to detect these potentially devastating attacks.
When asked what features of an API security platform would be most important to their organization, respondents cited the identification of APIs that expose personal or sensitive data as the top concern. Other key concerns were the identification of all APIs, including undocumented ones, as well as logging and monitoring. However, due to the high number of reports from traditional security solutions, companies are finding it increasingly difficult to detect API attacks.
AI security solutions unused
One solution to the complexity of the API landscape could be a new generation of AI-powered cybersecurity systems. However, Fastly found that currently there is very little enthusiasm for these new systems. Only 14 percent of companies surveyed consider the use of AI technologies in API security a priority. Nevertheless, 58 percent expect generative AI to have a “large or very large” impact on API security in a time frame of around two to three years.
One worrying aspect of the survey is that highly regulated sectors that handle sensitive data are among the worst offenders when it comes to inaction on API security. Only 80 percent of respondents in the financial services sector rate the importance of API security as high or very high. This compares to 89 percent in the wholesale, retail and e-commerce sectors.
Extent of the threat underestimated
One interesting finding is the discrepancy between attitudes within company hierarchies. 91% of C-suite and compliance experts rate API security as “high or very high” in importance, but only 74% of internal security experts share this view. This could indicate that security experts underestimate the extent of the threat – or that they are confronted with a greater number of threats on a daily basis.