API Security in an Interconnected World: Unveiling the Silent Threats and Unknown Risks

The Alarming Rise of Unknown API Risks: Unveiling the Invisible Threats

Introduction

Organizations are adopting cloud applications at a rapid pace, and with them the APIs that connect those applications. This proliferation brings risks that many organizations do not fully understand, let alone measure. A recently published report by Traceable, “2023 State of API Security: Global Findings,” examines the nature of these unknown risks. The study gathered responses from 1,629 practitioners across more than 100 countries and six major industries, and it paints a troubling picture: API-related breaches are rising while awareness of API security lags behind.

Disturbing Findings

According to the report, 74% of organizations have experienced at least three API-related data breaches in the past two years. At the same time, 88% of organizations deploy more than 2,500 cloud applications, a measure of how dependent on, and interconnected through, APIs they have become. This expansive digital footprint is also an expansive attack surface, and one that organizations must account for explicitly.

The Issue of Unknown Risk

The report identifies unknown risk as the core problem. Despite the rise in API breaches, only 40% of organizations test even a fraction of their APIs for vulnerabilities. This gap in testing shows up in the outcome figures: respondents report a confidence level of just 26% in their ability to prevent API attacks, and say that only 21% of API attacks are detected and contained. The fundamental challenge is that many organizations do not know the full extent of their API risk in the first place. Only 27% of organizations prioritize having a security risk profile for every API, which means the majority cannot say, endpoint by endpoint, what is exposed, who can reach it, and what it can do.

When asked what hinders the prioritization of API security, 49% of organizations cited management underestimating the risk, and 37% cited difficulty understanding which measures actually reduce the threat. Together these findings point to a shortage of both attention and understanding of API risk inside organizations, which leaves them exposed to attacks they have not anticipated.

Expanding the Attack Surface

The proliferation of APIs significantly broadens the range of potential vulnerabilities and attack vectors. The report reveals that 58% of respondents strongly agree or agree that APIs inherently expand the attack surface across all tech layers. Several key factors contribute to this expansion:

Sheer Volume of APIs

Most organizations surveyed deploy more than 2,500 cloud applications and manage thousands of APIs. This landscape extends well beyond internally developed APIs: organizations routinely integrate third-party APIs to add functionality, and each integration is a new potential attack vector that needs to be inventoried and reviewed. Volume alone enlarges the attack surface and makes comprehensive security measures, starting with an accurate inventory, a necessity rather than an option.

Diversity in API Types

APIs come in several types, including public, partner-facing, third-party, and internal APIs, and each carries its own risk profile. Public APIs, reachable by anyone, are exposed to the widest range of attack vectors, while internal APIs, often assumed to be safe because they are not published, remain exposed to insider misuse and to any attacker who gains a foothold on the internal network. This diversity complicates the security picture further and calls for a nuanced, per-API approach to risk evaluation and mitigation rather than a single blanket policy.

Varied Perceptions about API Risk

Perceptions of API-related risk across the industry are widely divergent. When asked how important it is to have a security risk profile for every API, responses span the spectrum: 52% of respondents consider API security profiling a necessary priority, while nearly as many, 47%, rate it as low to moderate in importance. Most concerning, eight percent view it as negligible. This scattered stance reflects an inconsistent understanding of API risk within the industry, and an organization that does not believe per-API profiling matters is unlikely to discover its own exposure until an attacker does.

Unknown Risk and the Expanding Attack Surface

Unknown risk and the growing API landscape are closely linked. With only 40% of organizations testing their APIs for vulnerabilities at all, and many of those testing only intermittently, a large share of exploitable weaknesses goes unnoticed. Respondents report that only 21% of API attacks are detected and contained, which suggests that most successful attacks exploit risks the target had never identified. While 27% of organizations prioritize API security profiling, the rest remain largely unaware of what is exposed in their own infrastructure.
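The report does not say what a “security risk profile for every API” should contain, so the following is an added illustration, not material from the report or from Traceable. It builds a minimal per-operation profile from an OpenAPI 3 document and then measures how much of the resulting inventory has actually been tested, which is the gap the figures above describe. The spec embedded below is constructed for the example, the scoring weights are arbitrary, and the `x-internal` vendor extension is an assumed convention rather than part of the OpenAPI standard.

```python
"""Per-operation API risk profile and test-coverage measurement from an OpenAPI 3 document.

Added example. The spec below is constructed for illustration and does not describe a real service.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed OpenAPI 3 fragment. Authentication is declared at document level,
# but several operations opt out with an explicit empty `security: []`.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"security": []}},
        "/users/{userId}": {"get": {}, "delete": {}},
        "/users/{userId}/export": {"post": {"security": []}},
        # `x-internal` is an assumed vendor extension marking an endpoint as not meant to be public.
        "/internal/debug": {"get": {"security": [], "x-internal": True}},
    },
}

WRITE_METHODS = {"post", "put", "patch", "delete"}
HTTP_METHODS = WRITE_METHODS | {"get", "head", "options", "trace"}


@dataclass
class OperationProfile:
    method: str
    path: str
    unauthenticated: bool
    write: bool
    object_id_in_path: bool
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def _effective_security(spec: dict, op: dict) -> list:
    # Per the OpenAPI spec, an operation-level `security` overrides the document-level
    # requirement, and an explicit empty list means "no authentication required".
    if "security" in op:
        return op["security"]
    return spec.get("security", [])


def profile_spec(spec: dict) -> list[OperationProfile]:
    """Return one profile per HTTP operation, highest risk score first."""
    profiles: list[OperationProfile] = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level `parameters`, `summary`, vendor extensions
            unauth = len(_effective_security(spec, op)) == 0
            write = method.lower() in WRITE_METHODS
            has_id = "{" in path  # templated path parameter, usually an object identifier
            p = OperationProfile(method.upper(), path, unauth, write, has_id)
            if unauth:
                p.score += 3
                p.reasons.append("no authentication requirement")
            if write:
                p.score += 2
                p.reasons.append("state-changing method")
            if has_id:
                p.score += 2
                p.reasons.append("object identifier in path: per-object authorization must be verified")
            if op.get("x-internal"):
                p.score += 1
                p.reasons.append("marked internal but present in the published spec")
            profiles.append(p)
    # Stable sort keeps document order among operations with equal scores.
    profiles.sort(key=lambda p: p.score, reverse=True)
    return profiles


def coverage(profiles: list[OperationProfile], tested: set[tuple[str, str]]) -> float:
    """Fraction of inventoried operations that appear in the set of (METHOD, path) pairs actually tested."""
    if not profiles:
        return 0.0
    return sum((p.method, p.path) in tested for p in profiles) / len(profiles)


if __name__ == "__main__":
    inventory = profile_spec(SAMPLE_SPEC)
    for p in inventory:
        print(f"{p.score} {p.method:6} {p.path:28} {'; '.join(p.reasons)}")
    # Constructed test log: only two low-risk read operations were ever tested.
    tested_ops = {("GET", "/health"), ("GET", "/users/{userId}")}
    print(f"tested coverage: {coverage(inventory, tested_ops):.0%}")
```

Run against a real specification, the ranked list is the starting point for exactly the per-API risk profile the report finds most organizations lack, and the coverage figure turns “we test some of our APIs” into a number that can be tracked. Both are only as good as the inventory: an API that is not in any spec will not appear here, which is why discovery of undocumented endpoints has to come first.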

Interpreting the Unknown

The unknown-risk problem is not only about the concrete weaknesses in APIs; it also includes the organizational barriers that keep those weaknesses from being recognized and addressed. Two challenges follow from the findings: raising organizations’ awareness of the risk they carry, and equipping them with the tools, knowledge, and resources to reduce it. As APIs take on an ever larger role in organizational infrastructure, risk that has not been inventoried or tested becomes a silent threat. The combination of volume, diversity, and infrequent risk evaluation is what leaves organizations exposed.

Author Background

Richard Bird, the Chief Security Officer at Traceable and the author of the report, brings a wealth of experience to the topic of cybersecurity. With his extensive background as a C-level executive in corporate and start-up spheres, Bird is globally renowned for his expertise in cybersecurity, data privacy, identity, and zero trust. As a Senior Fellow at the CyberTheory Zero Trust Institute and a member of the Forbes Tech Council, Bird has been featured in top media outlets such as the Wall Street Journal, CNBC, and CNN.

In conclusion, the rise of unknown API risks is a pressing concern for organizations navigating an ever larger digital footprint. Organizations need to prioritize API security and evaluate the risks in their API estate thoroughly, API by API. Understanding how the attack surface is expanding, and how risk differs across API types, is a prerequisite for effective mitigation. By bringing these invisible threats into view and committing to comprehensive risk assessment, organizations can better protect themselves in an interconnected world.
