Last week, threat intelligence firm Imperva published a report titled ‘Quantifying the Cost of API Insecurity’, which examined nearly 117,000 security incidents and unearthed that API insecurity was responsible for annual losses of between $41- 75 billion globally.
The study conducted by the Marsh McLennan Cyber Risk Analytics Center discovered that larger enterprises had a higher threat of having API-related breaches, with organizations making more than $100 billion in revenue being three to four times more likely to face API insecurity than small or midsize enterprises.
The security analysts identified that Asia has a high incident rate with between 16% and 20% of cyber-security incidents related to API insecurity. This is likely due to the rapid digital transformation happening across Asia, especially in regard to mobile, as the majority of digital transactions in Asia are done through mobile.
How are businesses getting API security so wrong?
An API is the invisible connective tissue that allows applications to transfer data to enhance end-user experiences and results.
"The growing security risks associated with APIs correlate with the proliferation of APIs," says Lebin Cheng, vice president of API security for Imperva.
"The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs."
Businesses are frequently failing to secure APIs, with 95% of enterprises suffering an API security incident in the last 12 months, and 34% acknowledging they lack any kind of API security methodology— despite running APIs in production.
“Many organizations are failing to protect their APIs because it requires equal participation from the security and development teams,” Cheng explained. “Historically, these groups have been at odds —security is the party of no, and devops is irresponsible and moves too fast. In order to address these challenges, security leaders have to enable application developers to create secure code using technology that is lightweight and works efficiently."
Tips for enhancing API security:
Imperva recommended organizations adopt API governance by monitoring endpoints beyond their organizations. They should also monitor the data flowing through them to ensure that sensitive information is protected.
Any methodology that security teams implement should include API discovery and data classification. This way, security experts can identify the schema of APIs, while spotting and classifying the data that passes through it, while employing testing to unearth any potential vulnerabilities.
