Fewer than a third of companies use API-specific controls as part of their cloud application security regime, according to a study by cloud security service provider Akamai.
For the study, Akamai partnered with SANS Institute to survey 231 respondents actively involved in the application security domain in global organisations.
Respondents most often named phishing and missing patches as their top API security concerns.
Significant lag in API security controls
Just under half (49.7%) of respondents said their organisation uses API security testing, with only 5.6% having done so for more than 10 years. Even fewer (29%) use API discovery, with 3.9% having used it for more than 10 years.
“These findings indicate the necessity of defense in depth when it comes to API Security, which can be achieved by layering protections across the API estate,” said Rupesh Chokshi, general manager of application security at Akamai.
API security testing supports the secure development of APIs that an organisation already knows about; discovery tools serve a different purpose, maintaining a running inventory of where its APIs are deployed, including endpoints that were never documented and therefore never tested.
The study also found that only 29% of organisations use the API security controls bundled with their DDoS protection and load balancing services.
Phishing and missing patches identified as greatest risks
Survey respondents ranked phishing and missing patches as the top two API security risks. While 38% saw phishing to obtain reusable credentials as their top API security risk, exploitation of missing patches was considered a prime threat by 24%.
“API infrastructure concerns, like missing patches, become API security concerns because the API is left more vulnerable. Phishing is a broader security concern that can also occur in the realm of APIs,” Chokshi said.
Other respondents ranked different threats highest, including exploitation of vulnerable APIs (12%), server misconfiguration (12%), and accidental disclosure of sensitive data by users (9%).
Sixty-two percent of respondents use web application firewalls as part of their API risk mitigation. The products they named most often were Acunetix, Akamai, AWS Shield, Azure WAF, Check Point, Cisco, Cloudflare, and ModSecurity. Note that the list reflects what respondents reported rather than a strict product category: Acunetix is a web vulnerability scanner rather than a WAF, and AWS Shield is a DDoS protection service (the corresponding WAF product is AWS WAF).
More than three quarters (76%) of organisations train development staff on application security, with most citing the Open Web Application Security Project (OWASP) Top Ten and API Security Top Ten lists, and the MITRE ATT&CK framework, as the basis for defining application and API risk.