文章來源 / Akamai Official Blog
According to Akamai’s 2024 API Security Impact Study, API abuse is rising at an alarming rate. The survey of more than 1,200 IT and security professionals found that 84% reported experiencing an API security incident in the past 12 months — up from 78% last year. Meanwhile, the effects on organizations are becoming clear, including increasing remediation costs and rising stress levels.
As API incidents rise, organizations struggle with visibility into risk
The increase in API security incidents isn’t surprising. Think of it this way: Like the employees in any company, APIs have a job to do, which is to rapidly exchange data among digital technologies. This job is important: APIs enable customers and partners to get the services they need. But the job is also high-risk because unlike those employees, APIs handle sensitive data with little-to-no oversight.
Many APIs live in the shadows because they were created unbeknownst to an organization’s central IT department — and they frequently go undetected by traditional security tools. Security teams often lack visibility into the risks of even the APIs that they can account for.
You can’t protect what you can’t see
The 2024 API Security Impact Study reveals that only 27% of respondents who believe they have a full API inventory know which of their APIs return sensitive data — down from 40% last year. Moreover, there is a disconnect between roles: Although 43% of the CIOs surveyed believe they know which APIs return sensitive data, only 17% of CISOs share that view.
You can’t protect what you can’t see. And this lack of visibility is troubling when you consider that:
108 billion API attacks were recorded from January 2023 through June 2024, according to a recent Akamai State of the Internet (SOTI) report
Just one compromised API can lead to significant data theft, resulting in revenue damage and regulatory fines
As enterprises experience API threats, the impacts materialize
Our study’s respondents — from CISOs to AppSec staff — estimated the overall financial impact of API incidents from remediation costs to legal fees. On average, organizations that experienced API security incidents in the past 12 months cited an average cost of US$591,404.
Respondents also shared what they believe are the top impacts of API security incidents.
What can these findings tell us? Any form of attack is bound to cause concern. But there’s a particular kind of stress that comes from dealing with an attack vector that feels unfamiliar. Many organizations are getting up to speed on the intricacies of API risks.
Moreover, the pressure felt in an API attack’s aftermath only escalates when senior leaders ask: How did this happen?
As awareness of API attacks grows, enterprises consider the causes
Thankfully, most security teams are engaged and ramping up their knowledge of how API attacks occur. Most are also aware that commonly used tools for securing APIs are no longer enough. Respondents cited the top causes of API incidents they’ve experienced, and their answers reflected a mix of:
Tools that aren’t designed to see or secure the large portion of API estates that are unmanaged and, therefore, didn’t catch incidents outside their limited view
Vulnerabilities cited in the OWASP Top 10 API Security Risks, such as coding errors made in haste and missing authentication controls
4 areas of focus for organizations seeking to protect APIs
Today’s API threats require strategies and solutions rooted in four key areas:
API discovery
Posture management
Runtime protection
Security testing
API discovery
Increase visibility: Shine a light on the shadows, specifically APIs that often go unmanaged with unchecked access to data. Seek tools with an automated approach to discovering APIs. Analyze APIs for risks and document them in a comprehensive inventory.
Posture management
Bolster posture: Gain clarity on normal versus atypical API behavior, while gaining visibility into common alert types, which enables organizations to proactively detect signals of an attack. Use the insights to reduce risk, set priorities, and strengthen API security strategy.
Runtime protection
See and secure in runtime: Integrate a comprehensive API security solution with an existing security stack (e.g., with web application firewalls or web application and API security tools), which enables users to spot high-risk behavior and block suspicious traffic before it can access critical resources.
Security testing
Test early and continuously: Adopt a shift-left approach that brings security testing into an API’s development stages. Test whether APIs are coded correctly to perform their intended function, whether they’re exposed to risk, and whether they’re vulnerable to common and emerging attack methods.
Final thoughts: Feeling the impact and getting ready to act
Think of the data in this study not in terms of ah-ha moments or discrepancies, but as starting points for an important conversation. As API security incidents increase, the distress felt by CISOs and their teams is palpable. The scrutiny of business leaders as they look to security teams to protect against API attacks can be stressful for everyone.
Make sure that your teams are continuously educated on API security. Gain the insights you need by reading this important new report.
Opmerkingen