Enterprise API Security Survey
Senior security leaders at over 100 large enterprises in the US and Europe share their insights.
API security is a top concern for today’s security leaders
Over the next 24 months, 91% of security leaders will be making API security a priority, while 80% would like to gain more control over their APIs.
This is not surprising given how many APIs companies currently have: 73% of enterprises use more than 50 APIs, and growing.
This is tough to manage, especially when you consider that 4 out of 5 publish APIs for external consumption by partners and clients.
Ultimately, only one third of security leaders think their APIs get the protection they need.
The emergence of the ‘API Security Backbone’
Security leaders have three top priorities for API security: Access Control (63%), Security Testing (53%), and Anomaly Detection and Prevention (43%). On top of these main capabilities, the key enablers for securing APIs are integration with the organization’s existing systems (52%) and gaining visibility into their APIs in the first place (50%).
It is becoming increasingly clear to security leaders that if you want a strong foundation for API security, you need to at least get these three items right. That’s how you form the ‘API Security Backbone.’
API Management is only part of the story
The most widely used technology that supports API security is the API Management (APIM) platform, with 4 out of 5 enterprises using or considering one. At the same time, most security leaders now recognize that this isn’t enough – only 18% see the APIs managed by the APIM as the highest-risk APIs to protect.
However, while APIM handles Access Control and provides some Runtime Protection as part of the API Gateway, it generally relies on basic policies to enforce the API schema and lacks critical security capabilities: it does not cover the API’s business logic and functionality, and so fails to stop API abuse. Moreover, it provides no support for security testing. With only 19% of organizations testing their APIs daily, security testing is emerging as a top factor for security leaders.
Mind the Gap: Traditional Application Security Tools Don’t Fit
General-purpose application security solutions such as WAF and SAST/DAST are common tools that various vendors also put forward for API security.
However, our respondents overwhelmingly commented that these are not on their roadmap for that purpose – for 50% or more of security leaders, these systems aren’t even an option.
As the attack surface grows, today’s organizations know that their current tools are limited but cannot find a viable alternative. It has become accepted wisdom that new technologies for runtime protection and security testing are needed to complement the APIM as part of the API security backbone.
Who’s the Boss? The Challenge of Responsibility
Our report shows that most enterprises assign API security to centralized integration teams, whether a center of excellence, a dedicated API team or some other entity. As these teams commonly operate the API Management platform, it stands to reason that API security falls on them.
However, security leaders believe that they should be in charge of API security, alongside the API team.
This suggests collaboration is the best way forward: On the one hand, the experience from traditional areas of enterprise security (e.g. network and application) can be leveraged in an API Security program. On the other, the nature of APIs presents unique challenges best understood by the dedicated API team.
"He Who Pays the Piper Calls the Tune"
With enterprises opening up and growing their use of APIs along their digital transformation journey, we can see a shift in responsibility – and budget – accordingly.
Once companies have more than 50 APIs, R&D and IT teams take a step back as security gets more involved, holding 39% of the responsibility – up from only 5% when there are fewer than 50 APIs to manage.
The lack of a clear go-to option for enterprises when it comes to API security budget further reinforces the need for collaboration, as no single team is the obvious choice.
Whoever takes the lead, it is clear that mutual influence and cooperation are ever more important for helping today’s future-focused organizations achieve the ideal API security backbone.