The rapidly evolving digital landscape has given organizations a wealth of capabilities, largely due to the proliferation of cloud applications. Yet, with this boon comes a potential bane: unknown risks, which organizations might not fully appreciate or even recognize. A deeper dive into the data from Traceable’s “2023 State of API Security: Global Findings” report provides profound insights into the nature of these unknown risks.
This study gathered insights from 1,629 respondents across over 100 countries and six major industries. And the data is alarming: 74% of organizations have encountered at least three API-related data breaches in the past two years. This serves as a wake-up call highlighting a troubling trend of rising breaches. Simultaneously, 88% of organizations deploy more than 2,500 cloud applications, suggesting a high level of digital dependency and connectivity. Such an extensive web of digital touchpoints inevitably broadens the attack surface.
This broad digital landscape beckons with vast potential, but no one should underestimate the extensive attack surface it presents.
Decoding the Unknown Risks
The key problem that stands out in the study’s findings is the issue of unknown risk. Despite the rise in API breaches, 40% of organizations continually test only a fraction of their APIs for vulnerabilities. This potential oversight leads to a confidence level of just 26% in preventing attacks, while a mere 21% of API attacks are detectable and containable.
The core challenge is that many organizations remain in the dark about the extent of API risk. Surprisingly, only 27% of organizations place a very high priority on having a security risk profile for every API, underscoring a potential oversight in risk evaluation. When questioned about the factors hindering prioritizing API security, 49% cited management underestimating the risk, while 37% struggled with understanding threat-reduction measures.
APIs: Expanding the Attack Surface
The proliferation of APIs significantly expands the range of potential vulnerabilities and attack vectors. According to the study, 58% of respondents either strongly agree or agree that APIs invariably expand the attack surface across all tech layers. This is critical for several reasons:
Sheer volume of APIs: Consider the numbers — 88% of organizations use more than 2,500 cloud applications and are managing thousands of APIs. This isn’t restricted to APIs developed internally. Organizations routinely integrate third-party APIs to expand functionalities, and each integration represents a new potential attack vector demanding meticulous scrutiny.
Diversity in API types: It’s a complex digital tapestry out there, with a gamut of open-to-partner, third-party, and other API types. The risk profiles of these APIs can be varied. Public APIs, accessible to a broad audience, could be prone to a wide range of attack vectors, while internal APIs, often perceived as secure, might be vulnerable to insider threats. Highlighting this complexity, 58% of study participants concur that APIs unquestionably amplify the attack surface across the entire tech stack.
Varied perceptions about API risk: The industry’s perception of API-related risk varies greatly. When asked about the importance of having a security risk profile for every API, responses are spread across the spectrum. While 52% of respondents recognize the necessity of prioritizing this, an almost equivalent 47% perceive it as low to moderate in importance. Most concerning are the 8% who view it as negligible. This scattered stance underscores the industry’s inconsistent understanding and acknowledgment of API risk, signaling a potential chink in many organizations’ digital armor.
Unknown risk and the expanding attack surface: The notion of unknown risk is intrinsically tied to the expanding API landscape. With 40% of organizations only intermittently testing their APIs for vulnerabilities, many potential threats remain under the radar. The data underlines the gravity: Only 21% of API-related attacks are detectable and containable, suggesting that a majority of attackers capitalize on unknown risk. While 27% assign topmost priority to API security profiling, a significant number potentially remain unaware of the hidden threats lurking in their digital frameworks.
Interpreting the Unknown
The essence of the unknown-risk problem is not just about the tangible threats that APIs might face but also about the intangible barriers within organizations that prevent them from recognizing and addressing these threats effectively. It’s a two-fold challenge: one, making organizations aware of the potential risks, and two, equipping them with the tools, knowledge, and resources to mitigate these risks.
As the role of APIs in organizational infrastructures continues to grow, the associated unknown risks become an invisible threat. This nexus between volume, diversity, and infrequency of risk evaluation is where many organizations might find their biggest vulnerabilities. It’s not just about managing more APIs; it’s about understanding where the blind spots are and addressing them proactively.
About the Author
Richard Bird serves as the Chief Security Officer at Traceable. With vast experience as a C-level executive in both corporate and start-up spheres, Richard is globally renowned for his expertise in cybersecurity, data privacy, identity, and zero trust. A prolific keynote speaker, he excels in aligning cybersecurity realities with business imperatives. As a Senior Fellow at the CyberTheory Zero Trust Institute and a Forbes Tech Council member, Richard’s insights are often featured in top media, including the Wall Street Journal, CNBC, and CNN.