Radware released its 2022 State of API Security report, which shows API usage growing: 92% of organizations surveyed have increased their use of APIs either significantly or slightly.
However, the study, conducted in collaboration with Enterprise Management Associates, found that many organizations have been lulled into a false sense of security when protecting APIs.
While 92% of respondents believe their organization has adequate protection for its APIs, and 70% believe they have visibility into applications processing sensitive data, 62% say at least a third of their APIs are undocumented.
Radware notes this is a problem, as undocumented APIs leave businesses vulnerable to cyber threats, including exposure, data breaches, and scraping attacks.
“Many companies have a false sense of security that they are adequately protected against cyber-attacks.
In reality, they have significant gaps in protecting unknown and undocumented APIs,” said Gabi Malka, Chief Operations Officer and Head of Research and Development at Radware.
“API security is not a ‘trend’ that is disappearing. APIs are a fundamental part of most of today’s technologies, and securing them should be a priority for any organization.”
The report includes responses from chief information officers, chief technology officers, vice presidents of IT, and IT directors from global organizations in North America, EMEA, and APAC.
It also found that 59% of respondents already use most cloud applications.
In addition, 97% of companies surveyed use APIs to communicate between workloads and systems.
The report also found that bot attacks and a lack of understanding about API protection continue to threaten businesses, with 32% of respondents saying that automated bot attacks are among the most common threats to APIs.
When it comes to detecting API attacks, 29% say they rely on alerts from an API gateway, and 21% rely on web application firewalls (WAFs).
“The research data shows that API protection doesn’t track API usage,” notes Malka.
“Many organizations base their API security strategies on false assumptions; for example, API gateways and traditional WAFs provide adequate protection.
“This makes APIs vulnerable and exposed to common threats, such as bot attacks.
“A comprehensive API protection solution that includes bot protection will address these threats.
“Very few respondents indicated that they had solutions that were actually capable or even capable of providing effective security.”
In addition, half of the respondents view their existing tools as only slightly or minimally effective against threats to their APIs, with 7% reporting that the security protections they have in place do not recognize attacks.
Furthermore, the report found that 65% of respondents believe open-source code offers more security than proprietary code. Nearly 74% believe that container-based implementations and microservice architectures are more secure than monolithic architectures and implementations.
Radware says that the inability of existing tools to adequately protect APIs against common threats, combined with these perceptions about open source and container-based implementations, further feeds the false sense of security.
“The belief that open source is more secure by design could explain why some organizations are lax regarding patch management,” added Malka.
“Yet, as we’ve seen with Log4j and Heartbleed, open source can have the same security flaws as proprietary code. Believing that open source is inherently more secure by default only adds to the false narrative that leaves organizations vulnerable to cyber-attacks.”