APIs are everywhere. They power the web applications that connect today’s digital world, and their use will only continue to grow as more organisations adopt digital transformation initiatives and shift towards cloud-based solutions.
This API sprawl presents major security challenges for organisations. With these digital initiatives, cloud migration projects, and API-first application architectures, API development and usage has proliferated. Yet, most businesses don’t even know how many APIs exist within their infrastructure, let alone whether they are exposing any sensitive data or not. Without an accurate inventory, organisations cannot protect their APIs.
At the same time, the explosion in the number of APIs has created a larger attack surface for cybercriminals, who are employing increasingly sophisticated techniques to perpetrate their attacks. Because APIs transport critical information, such as sensitive financial data for open banking applications, for example, they make highly lucrative and attractive targets.
Today’s volatile political, social and economic climate has also contributed to the growing number of cyber attacks, making the need for robust API security strategies more pressing than ever before.
Global Trends are Reaching the UK
To find out how API security is impacting UK businesses, Salt Security contacted attendees from the top cybersecurity tradeshows held in London last year, including Infosecurity Europe, International Cyber Expo, DTX London, apidays London, and Black Hat Europe. We wanted to learn whether these UK-based organisations, spanning the financial services, technology, and business consultancy industries, have:
- Prioritised API security as part of their cybersecurity strategy
- Experienced any API security incidents
- Identified key API security challenges
We found that 40% of respondents consider API security a high priority and are already evaluating dedicated solutions, while about a third (32%) are currently building an API security strategy. In practice, this means that over 70% of respondents already recognise the need for dedicated API security.
This growing awareness around the risks brought by widespread API adoption most likely stems from the fact that over half of respondents (54%) had to slow down the rollout of an application due to API security concerns – precisely the same percentage as global respondents in the most recent State of API Security report by Salt Labs.
With over 40% of UK respondents aware of an API security incident in their organisation in the past year, it is no surprise that attack prevention was identified as the main API security challenge by over 43% – again very much in line with the 41% of global State of API Security Report respondents who said the same. A further 18% named attack prevention as their second most pressing challenge, placing it high on the priority list for about 60% of respondents.
Traditional API Management Tools are Falling Short
API management tools such as API gateways and web application firewalls (WAFs) have been around for several years. While they undoubtedly add value to today's security stacks, the rising number of API security threats has made it clear that they are not enough to protect APIs effectively. This is made even more apparent by the 60% of respondents to the Salt Security UK survey who said they have WAFs and API gateways in place yet still consider their APIs vulnerable to today's cyber threats.
API gateways give you observability over your APIs and a place to enforce authentication, rate limits and other access controls, and WAFs can block known exploit patterns in web traffic. Neither tool, however, provides protection against the top API threats, including those listed in the OWASP API Security Top 10, most of which are carried by well-formed requests from authenticated clients.
API gateways and WAFs cannot detect API-specific vulnerabilities such as business logic abuse and authorisation exploits because they rely on signatures and well-known attack patterns for detection. A broken object level authorisation (BOLA) request, for example, differs from a legitimate one only in the object identifier it asks for, so there is no malicious payload for a signature to match; the abuse is only visible when one client's behaviour is compared across many requests.
</gre_replace>
<gr_insert after="16" cat="add_content" lang="python" orig="In fact, API gateways">
To make the contrast concrete, here is an added example (not code from the original article or from Salt Security) that runs a handful of signature rules over constructed access-log lines, then applies a behavioural check to the same lines. The signature patterns, the `/api/v1/accounts/<id>` endpoint, the user IDs and the log lines are all invented for illustration; the threshold of three distinct account objects per user is an assumed tuning value, not a recommendation. The vulnerable and hardened handlers at the end show the server-side fix that a runtime detection would point you toward.

```python
"""
Added example, not from the original article: why a per-request signature
check passes a BOLA enumeration while a behavioural check over the same
traffic catches it. All endpoints, users and log lines are constructed.
"""
import re
from collections import defaultdict

# Illustrative WAF-style signatures applied to each request in isolation.
# These are simplified stand-ins, not any vendor's rule set.
SIGNATURES = [
    re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?1'?\s*=\s*'?1)"),  # SQL injection
    re.compile(r"(?i)<script\b|javascript:"),                              # XSS
    re.compile(r"\.\./|%2e%2e%2f", re.I),                                  # path traversal
]


def waf_blocks(path: str) -> bool:
    """Per-request decision: block only when a known attack pattern appears."""
    return any(sig.search(path) for sig in SIGNATURES)


# Constructed access-log lines in the form "<user_id> <method> <path>".
# u3 reads its own account; u7 walks through a run of other customers'
# account IDs (BOLA enumeration); u9 sends a textbook SQL injection probe.
LOG = """\
u3 GET /api/v1/accounts/1003
u3 GET /api/v1/accounts/1003/transactions
u7 GET /api/v1/accounts/1007
u7 GET /api/v1/accounts/1008
u7 GET /api/v1/accounts/1009
u7 GET /api/v1/accounts/1010
u7 GET /api/v1/accounts/1011
u7 GET /api/v1/accounts/1012
u9 GET /api/v1/search?q=' OR '1'='1
""".splitlines()

OBJECT_RE = re.compile(r"^/api/v1/accounts/(\d+)")


def parse_line(line: str):
    user, method, path = line.split(" ", 2)
    return user, method, path


def waf_verdicts(lines):
    """Return the log lines a signature-only WAF would block."""
    return [line for line in lines if waf_blocks(parse_line(line)[2])]


def bola_suspects(lines, max_distinct_objects: int = 3):
    """Behavioural check: flag users who touch more distinct account objects
    than a single customer plausibly owns. Needs state across requests,
    which a per-request signature engine does not keep."""
    seen = defaultdict(set)
    for line in lines:
        user, _, path = parse_line(line)
        m = OBJECT_RE.match(path)
        if m:
            seen[user].add(m.group(1))
    return sorted(u for u, objs in seen.items() if len(objs) > max_distinct_objects)


# Hypothetical account table: account_id -> owning user.
ACCOUNTS = {"1003": "u3", "1007": "u7", "1008": "u8"}


def get_account_vulnerable(caller: str, account_id: str):
    """BOLA: returns whatever record exists, never asks who is calling."""
    return ACCOUNTS.get(account_id)


def get_account_fixed(caller: str, account_id: str):
    """Hardened: the object is only returned to its owner."""
    owner = ACCOUNTS.get(account_id)
    if owner != caller:
        return None  # a real handler would answer 403 or 404 here
    return owner


if __name__ == "__main__":
    print("WAF blocks:", waf_verdicts(LOG))       # only the SQLi probe from u9
    print("BOLA suspects:", bola_suspects(LOG))   # ['u7'] – every one of its requests passed the WAF
```

Note that none of u7's requests contains anything a signature can match; each is a valid, authenticated `GET` for an existing resource. The enumeration is only visible once requests are correlated per client over time, which is the gap the article describes.
<test>
assert waf_verdicts(LOG) == ["u9 GET /api/v1/search?q=' OR '1'='1"]
assert waf_blocks("/api/v1/accounts/1008") is False
assert bola_suspects(LOG) == ["u7"]
assert bola_suspects(LOG, max_distinct_objects=10) == []
assert get_account_vulnerable("u7", "1008") == "u8"
assert get_account_fixed("u7", "1008") is None
assert get_account_fixed("u7", "1007") == "u7"
</test>
</gr_insert>
<gr_replace lines="17" cat="clarify" orig="Additionally, both tools">
Additionally, both tools depend on proxying, which adds latency to API calls. To protect performance, organisations often avoid putting every API behind a gateway or WAF, which leaves them without visibility into abuse of the APIs that bypass those tools.
Additionally, both tools depend on proxying which is known to slow down API communications. To protect performance, organisations often avoid mediating every single API with a gateway or WAF, meaning they don’t have full visibility into potential abuses of those APIs.
Shift Left Protection is Low on the Priority List
By incorporating more security steps into design and development processes, shift left practices seek to enhance an organisation's security posture. Although it is unquestionably beneficial to identify and address API security issues early in the development lifecycle, traditional testing tools usually depend on predefined patterns and were not created with APIs in mind. Additionally, API vulnerabilities do not always stem from development; several of them, such as authorisation flaws that depend on which user requests which object, can only be identified and addressed at runtime.
Organisations around the world seem to be increasingly aware of the limitations of shift left security, and the UK is no exception. Less than a quarter (22%) of respondents in the latest global State of API Security Report by Salt Labs identified pre-production security as their main API security challenge, and only 10% of respondents in the UK survey identified shift left as either the main or second main challenge they face.
While shift left practices have merit, the business logic flaws that are often behind today’s API attacks require continuous, automated runtime analysis and protection across the entire API lifecycle.
What is Needed to Tackle API Threats in the UK (and Everywhere)?
Companies in the UK are facing the same API security challenges as those in other regions – including the more mature US market. This goes to show that dedicated API protections that can cover the entire API lifecycle and go beyond traditional tools are now a global need that has reached the UK market.
With 94% of global survey respondents in the most recent State of API Security report admitting that they have experienced API security problems in production in the past year and high-profile API vulnerabilities making headlines around the globe, it is unsurprising that API security has been getting more and more attention.
To address today's sophisticated and hard-to-detect API threats, organisations need comprehensive API security strategies that provide continuous visibility, rich context on API behaviour over time, attack prevention at runtime and shift-left practices to improve overall security.