The State of API Security at RSA 2024: Alarming Trends and Insights

Another RSA Conference has come and gone, but the insights gathered from our second annual survey of over 125 cybersecurity professionals has left a lasting impact. 

The message is clear: organizations continue to struggle to keep up with the growing challenges of API security. 

For years now, APIs have been the foundation upon which modern applications are built, enabling the seamless flow of data and functionality across systems. They have become the connective tissue that binds together disparate services, platforms, and devices, making it possible for businesses to innovate at an unprecedented pace. 

From mobile apps and web services to IoT devices and microservices architectures, APIs are everywhere, powering the digital experiences that we have come to rely on.

However, as APIs have proliferated and become more complex, the risks associated with them have also multiplied. The attack surface has expanded dramatically, with each API representing a potential entry point for malicious actors. The very nature of APIs, which are designed to expose functionality and data to external consumers, makes them an attractive target for cybercriminals looking to exploit vulnerabilities and gain unauthorized access.

The survey results paint a sobering picture of the challenges that organizations face in securing their API ecosystems. Despite the critical role that APIs play in enabling digital transformation, many organizations are struggling to keep up with the pace of change and the evolving threat landscape. The risks are compounded by a lack of visibility into API inventories, inconsistent security controls, and a shortage of specialized skills and resources.

Key Findings from the Survey:

1. API Security Solutions: 38% of organizations have an API security solution in place, while 42% do not, and 20% are unsure. This highlights the need for greater awareness and adoption of dedicated API security measures.
2. Increased Attention: 55% of respondents reported paying more attention to how APIs factor into their cybersecurity strategy over the past year, indicating a growing recognition of the importance of API security.
3. API Sprawl: 43% of organizations do not struggle with API sprawl, while 33% are unsure if they are managing it effectively, and 24% acknowledge they are struggling. This underscores the need for better visibility and control over API ecosystems.
4. Ownership: CISOs and security teams (44%) are increasingly taking ownership of API security, followed by Dev/DevOps teams (19%). However, 24% of respondents do not know who owns API security in their organization, highlighting the need for clearer roles and responsibilities.
5. Dedicated Resources: 50% of organizations do not have a dedicated team or team member for API security, while 32% do, and 18% are unsure. This presents an opportunity for organizations to invest in specialized expertise to bolster their API security efforts.
6. API Attacks: 14% of organizations experienced an API attack in the last 12 months, while 61% did not, and 25% were unsure. This emphasizes the importance of robust detection and response capabilities to identify and mitigate API-related incidents.
7. API Behavior Baselining: Among organizations that experienced an API attack, 41% were unsure if they baseline API behavior to detect anomalies, while another 41% confirmed they do not. This suggests an area for improvement in leveraging advanced techniques to enhance API security posture.
8. Security Budgets: 46% of organizations reported that their security budget stayed the same within the last 12 months, while 43% saw an increase, and 11% experienced a decrease. This indicates a mixed picture in terms of resources allocated to cybersecurity initiatives.

Navigating the Path Forward

The RSA Conference 2024 survey results shed light on the current state of API security and the challenges organizations face in securing their API ecosystems. The findings underscore the need for organizations to prioritize API security as an integral part of their overall cybersecurity strategy.

As digital transformation continues to accelerate and APIs become increasingly critical to business operations, organizations must remain vigilant in the face of evolving threats. The survey highlights the importance of collaboration, visibility, and proactive measures in mitigating API security risks. By fostering a shared sense of responsibility for API security across the organization, investing in the necessary resources and expertise, and staying informed about the latest trends and best practices, businesses can build more resilient API ecosystems.

The path forward may not be without its challenges, but by learning from the experiences and insights of industry professionals, organizations can be better prepared to navigate the complex landscape of API security.

As we look ahead to the future, it is clear that API security will remain a critical priority for organizations of all sizes and across all industries. The RSA Conference 2024 survey serves as a valuable benchmark for assessing the current state of API security and identifying areas for improvement. By embracing the lessons learned and continuing to prioritize API security, organizations can unlock the full potential of APIs to drive innovation, growth, and competitive advantage in the years to come.

About Traceable

Traceable is the industry’s leading API Security company helping organizations achieve API protection in a cloud-first, API-driven world. Traceable is the only contextually-informed solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, visit https://www.traceable.ai/.