Unveiling the 2023 State of API Security: A Panoramic Industry View

As the digital landscape continues to evolve at an accelerated pace, one thing remains clear: APIs have become a crucial backbone to nearly every business operation in existence. However, with their ubiquitous adoption comes an equally pressing concern – API security. As the Chief Security Officer of Traceable, I am committed to ensuring we understand, confront, and adapt to the ever-changing dynamics of this complex field.

Recognizing the critical nature of this area, we found a pressing need for a more comprehensive understanding of the State of API Security across different sectors and geographies.

Despite APIs being critical to the modern enterprise, until now, there has not been an extensive, multi-country, industry-wide study offering a panoramic view of the API security landscape. We believed that it was time to fill this gap and embarked on this research journey with the Ponemon Institute.

The 2023 State of API Security

The result is an extensive survey titled “The 2023 State of API Security: A Global Study on the Reality of API Risk“. This report is a labor of profound research and hard work, delving into intricate matters such as API-related data breaches, the growing concern of API sprawl, API ownership, and the risks of fraud and abuse, as well as the growing role of Zero Trust in API Security initiatives. 

The report brings forward some compelling and sobering findings:

1. 74% of organizations experienced at least three API-related data breaches in the past two years: A significant 60% of organizations reported an API-related breach in the past two years, emphasizing the growing risk. 74% of these organizations experienced three or more breaches, indicating recurring security gaps or repeated exploitation by threat actors. While 20% reported one to two breaches, an alarming 23% endured six or more incidents, underscoring the sustained threat landscape.
2. DDoS, Fraud and Attacks Are Top API Breach Methods: The findings underscore that DDoS attacks stand out as the predominant API attack method resulting in a breach, with 38% of respondents confirming this. Fraud and known attacks are neck and neck for the second spot, each cited by 29% of participants as a major cause of data breaches.
3. Only 38% of Organizations Have the Ability to Understand the Context between API Activity, User Activity, Data Flow, and Code Execution: In the complex arena of API security, understanding context is paramount. It’s about discerning the intricate connections between API activity, user behaviors, data trajectories, and code execution. Yet, a concerning reality emerges: a mere 38% of organizations truly grasp this contextual interplay. This significant oversight suggests a deep vulnerability, emphasizing the pressing need to prioritize and address context within current API security frameworks.
4. 61% of Respondents Anticipate a Significant Increase in API Risk over the next 12-24 Months: A significant majority, 61%, expect the risk associated with APIs to either increase or significantly increase over the next 12 to 24 months. This suggests a prevailing sentiment that as the digital landscape continues to evolve, so too do the challenges and threats associated with it.
5. 58% of Respondents State that APIs Expand the Attack Surface: More than half (58%) of respondents either strongly agree or agree with the assertion that APIs expand the attack surface across all layers of the technology stack. This highlights a widespread recognition of the risk introduced by APIs, despite their indispensable role in the digital landscape.
6. Majority of Respondents Are Not Confident in Traditional Solutions to Protect APIs: 57% of respondents say traditional security solutions are not effective in distinguishing legitimate from fraudulent activity at the API layer. Further, the increasing number and complexity of APIs makes it difficult to track how many APIs exist, where they are located and what they are doing (56% of respondents).
7. 48% of Organizations Report that API Sprawl is their Top Challenge: Securing APIs presents a dynamic set of challenges for organizations. Topping the list, as reported by 48% of respondents, is preventing API sprawl, reflecting the rapid proliferation of APIs in the modern enterprise. The second most pressing challenge, identified by 39%, is maintaining an accurate inventory of APIs, followed by managing third-party access to APIs, at 30%.
8. Solutions Are Needed to Reduce Third-Party Risks and Detect and Stop Data Exfiltration Events Happening through APIs: On average, organizations have 127 third parties connected to their APIs. Yet, only 33% believe they effectively reduce risks from these third-party accesses. Moreover, while 35% feel confident in managing external API risks, just 40% are assured of their capabilities to handle internal API threats. A key challenge? Many organizations are uncertain about the volume of data their APIs transmit, emphasizing the need for solutions that can identify and halt potential data breaches.
9. To stop the growing API security crisis, organizations need visibility into the API ecosystem and ensure consistency in API design and functionality. Only 35%  of respondents have excellent visibility into the API ecosystem, only 44%  of respondents are very confident in being able to detect attacks at the API layer and 44%  of respondents say their organizations are very effective in achieving consistency in API design and functionality.

These numbers paint a stark picture of the state of API security in today’s digital world. The complexity and rapid growth of APIs, coupled with the inherent security challenges they pose, have left businesses grappling with risks they are yet fully to comprehend or tackle.

However, it’s not all concerning news. These findings also pave the way towards a more secure digital future by illuminating areas that need immediate attention and resources. The data, insights, and trends from this research enable us to make informed decisions, foster strategic dialogue within and among businesses, and, most importantly, strengthen our collective security defenses.

How to Use the 2023 State of API Security Report

The 2023 Global State of API Security Report serves as a valuable compass for organizations navigating the ever-evolving terrain of API security. Given the integral role that APIs play in today’s digital ecosystems, understanding the nuances of associated vulnerabilities and threats is imperative. This report provides a comprehensive snapshot of the current API security landscape, helping organizations pinpoint prevalent challenges and assess their own security postures in comparison to global benchmarks.

Furthermore, this document isn’t just about identifying problems; it offers actionable insights based on data-driven findings. Enterprises can utilize this report to shape their security strategies, prioritize remedial measures, and make informed decisions about allocating resources.

For vendors and solution providers, the insights presented can help refine product offerings and better align them with the actual needs of the market.

Additionally, for educators and policymakers, the findings offer a clear picture of industry trends, assisting in curriculum development and policy formulation. In essence, the report equips stakeholders across the spectrum with the knowledge they need to foster a safer, more resilient API-centric digital environment.

As we take this journey together, I invite you to delve into the State of API Security as illustrated by our research. I am confident that it will provide rich, actionable insights into the intricacies of API security. It offers strategies and practices that will prove invaluable in crafting a comprehensive and effective API security strategy. After all, we are on this journey together, and it is our shared mission to build a more secure digital world.

Join the Conversation on the 2023 State of API Security: Global Findings

To help organizations understand the deeper findings, Traceable is hosting an exclusive webinar on Wednesday, Sept. 27 at 12 p.m. E.T./9 a.m. P.T. to interpret the results and to arm security professionals with the information they need to shape their organization’s cybersecurity strategy. 

The webinar features Larry Ponemon of the esteemed Ponemon Institute, and myself, Richard Bird, Chief Security Officer of Traceable. Together, we will unpack the intricate findings of the State of API Security report. This is a rare opportunity to gain insights directly and engage in meaningful dialogue about the impact of API security on global cybersecurity initiatives. Reserve your seat here.

About Traceable

Traceable is the industry’s leading API Security company that helps organizations achieve API protection in a cloud-first, API-driven world. With an API Data Lake at the core of the platform, Traceable is the only intelligent and context-aware solution that powers complete API security – security posture management, threat protection and threat management across the entire Software Development Lifecycle – enabling organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, book a demo with a security expert.