"APIs Are Everywhere, but API Security Is Lacking"

As the number of Application Programming Interfaces (APIs) across corporate infrastructure grows, they are quickly becoming the largest attack surface in applications and a major target for attackers. According to industry experts, the rise of increasingly integrated web and mobile-based offerings requiring data sharing across multiple companies' products, as well as the dependence of mobile apps on APIs, has fueled growth and made API security one of the most difficult challenges for CIOs. A 2022 survey conducted by 451 Research revealed that 41 percent of respondent organizations experienced an API security incident in the last 12 months. Sixty-three percent of the respondent organizations said the incident involved a data breach or data loss.

According to a GigaOm research report, API security products were generally developed before API use expanded to today's level, and were based on the idea that requiring developers to secure the code they write invites failure. GigaOm also noted that developers do not intentionally write insecure code, so if they inadvertently write code with vulnerabilities, it is most likely because they are unaware of the vulnerabilities that an API may have. However, once API security was implemented, Information Technology (IT) quickly discovered a new reason to use a security product: some vulnerabilities are far easier to block in the network than in each and every application. According to the GigaOm report, the idea that it is more effective to block some attacks in the network, which includes data centers, cloud vendors, and Software-as-a-Service (SaaS) providers, has fueled demand for products capable of doing this.

APIs make up 91 percent of all web traffic, and they are consistent with the trend toward microservice architectures and the need to respond dynamically to rapidly changing market conditions. Yet APIs have given rise to a completely new class of cybersecurity threats that specifically target them as a primary attack vector. The volume and severity of Web API traffic and attacks are increasing. More than half of APIs are invisible to business IT and security teams. These unknown, unmanaged, and unsecured APIs are exposing critical business logic vulnerabilities and increasing risk to organizations. This article continues to discuss the need to bolster API security.

VB reports "APIs Are Everywhere, but API Security Is Lacking"

Submitted by Anonymous on