API security is something that many security teams fail to get right. In the increasingly remote, modern work environments of today, so many apps and services rely on APIs that analysts struggle to discover and secure them all.
Earlier this week, API provider Postman released its 2022 State of the API Report, which surveyed more than 37,000 developers and API professionals, and found that 20% of respondents say API security incidents or breaches happen at least once per month at their organizations.
At the same time, 51% of respondents said more than half of their organizations’ development effort is spent on APIs.
The findings suggest that organizations may require a higher-level approach to identifying and securing APIs if they want to prevent intrusions and reduce the chance of data breaches.
Why is API security a challenge?
When it comes to the struggle to secure APIs, it isn’t just the scale of apps and services that is creating challenges. It is also the fact that many organizations are relying on less-optimized application security tools to mitigate issues at the API level.
At the pace modern enterprise environments move, organizations need solutions that can automatically discover and classify APIs at scale if they want an accurate perception of their risk posture.
As one Gartner API security report explains, “many API breaches have one thing in common: the breached organization didn’t know about their unsecured API until it was too late. This is why the first step in API security is to discover the APIs which your organization is delivering, or which it consumes from third-parties.”
It’s a perspective that Postman’s new research appears to reaffirm.
“Companies experiencing more frequent API security incidents likely have shadow or published APIs that don’t have the same protections as other websites. They likely have more legacy elements in their environment and may not truly understand the scope of their entire API landscape,” said Abhinav Asthana, CEO of Postman.
The need for greater transparency and visibility over APIs is also increased by the growing number of mobile apps.
“Many mobile apps have a number of backend APIs used to support it and they are often overlooked. Attackers have been abusing these backend mobile APIs for quite some time because they are often not secured and provide much more valuable content. You can’t protect what you don’t know about,” Asthana said.
The API security market
One of the main players in the API security market is Salt Security. Its solution uses an API context engine (ACE) that can discover new APIs and vulnerabilities, while also offering testing for APIs in pre-production.
Another competitor is Noname Security with an API security platform designed to discover API vulnerabilities and misconfigurations, with automated detection and response capabilities.
Researchers expect the API management market to grow from $4.5 billion in 2022 to reach a value of $13.7 billion by 2027 as more organizations attempt to secure ever-more complex decentralized working environments.
The post 20% of developers and IT pros say API security breaches happen monthly appeared first on Venture Beat.