Why Security Leaders and AppSec and Development Teams Need to Collaborate More to Ensure Robust API Security
Written by Filip Verloy, Field CTO for EMEA, Noname Security
API Security Incidents Set to Increase
As we look towards 2023 and the growing cyber threat landscape, what do CISOs and other senior security professionals need to think about when it comes to securing their APIs and preparing their environment for the year ahead? APIs are at the heart of digital transformation initiatives and, as such, organisations depend upon them to evolve their digital strategies, innovate, and grow. Effectively, APIs enable applications, containers, and microservices to exchange data and information quickly so consumers experience more convenience on their digital devices and when using online services. However, they are also an increasingly common attack vector for cybercriminals, because they are a pathway for attackers to access vast amounts of sensitive data.
According to IBM’s 2022 Cost of a Data Breach Report, the average cost of a data breach increased to USD 4.35 million in 2022, climbing 12.7% from USD 3.86 million in the 2020 report. Additionally, a stunning 83% of organisations surveyed reported having suffered more than one data breach. This means there will be even more need for comprehensive threat intelligence, monitoring, and alert detection solutions to be in place, including more robust API security solutions.
In September 2022, to understand how CISOs and senior cybersecurity professionals are approaching the challenge of securing their APIs in this intense and complex threat environment, we commissioned research. We surveyed 600 senior cybersecurity professionals in the UK and USA. Within this cohort there was a mix of CISOs, CIOs, CTOs, senior security professionals and AppSec professionals from a range of industry verticals including: Retail & eCommerce, Financial Services, Government & Public Sector, Manufacturing and Energy & Utilities.
A Disconnect Around What is Happening in the Real World
What we found was a clear disconnect between what is happening in the real world and organisational attitudes towards API security. There was a level of misplaced confidence around API security which was disproportionately high in comparison to the number and severity of API-related breaches. This points to the need for further education of Security, AppSec, and Development teams around the realities of API security. Overall, the research exposed a disconnect between the high level of incidents, the low levels of visibility, effective monitoring and testing of the API environment, and a level of over-confidence that their tools and providers were preventing attacks.
The responses also highlighted notable variations in how different roles view their security operations and API security. Delving into the responses from the different job functions surveyed, we found that CISOs were most likely to say they have experienced an API incident (81%) and AppSecs were least likely, with 53%.
The above was reaffirmed by the Google Cloud 2022 API Security research report which described there being “a gap between the existence of security incidents and confidence that the tools are doing the job”.
Disparities Across Different Job Functions
Again, there were also disparities across the different job functions and what respondents considered to be the top API attack approaches, indicating that attacks are coming from all sides with no one approach dominating. CIOs (19%) and Senior Security Professionals (21%) cited Network Firewall, CISOs said Dormant/Zombie APIs (23%), CTOs felt that DDoS was the top attack type (21%), while AppSec teams said Authorisation Vulnerabilities (24%).
In terms of visibility into their API inventories, CIOs appeared to have the best visibility around which APIs returned sensitive data, while surprisingly AppSec teams had the lowest insights, with 44% saying they only had a partial understanding of their inventory or of those APIs which returned sensitive data. This could be attributed to education: AppSecs are more aware than other roles that there are gaps in API security, and more likely to admit it.
AppSecs More Exposed to Daily Realities
Interestingly, 58% of CIOs said it was easy to scale solutions, while well over a quarter (29%) of AppSecs admitted this was difficult. Again, AppSecs are more exposed to the daily realities than senior personnel and are likely to be more aware of how challenging it is to scale solutions.
When we asked about how their API security platform provider helped to maintain regulatory compliance, CTOs rated their provider highest (96%) and likewise a relatively high proportion (58%) said their provider helps them to achieve compliance with GDPR. Overall, AppSec teams reported the lowest levels of support in maintaining compliance out of all five roles, with 93%.
Surprisingly, CIOs were undertaking more testing in real-time (14%) compared to other roles and AppSec teams were testing the least (7%). CISOs also scored highest in testing once per day (33%) while 45% of CTOs admitted to testing less frequently than once per day but up to once per week. As well as their lack of real-time testing, AppSec teams also scored highest in testing less than once a week and up to once a month, with a quarter stating this.
And finally, CISOs were most likely to say they had confidence in their SAST and DAST tools with 70% replying in the affirmative, while AppSecs were least likely (62%). Senior Security Professionals were least confident in the API security provided by their partner, with 40% saying they were not confident, and likewise they were most likely to lack confidence that their partners were meeting their SLAs (33%).
Collaboration Across Teams will be an Imperative
It was interesting to see how the various role types view API security, and clearly there is a need for more collaboration between the different groups. In 2023, we will see API security become much more of a focus area for many of the big enterprise organisations. This is partly a result of increasing sustainability goals, with API re-use reducing infrastructure costs. It is also because the lack of control, security, and governance around APIs is not just exposing companies to serious risks, but also to massive amounts of operational inefficiency caused by APIs being developed and deployed independently across multiple teams. And, as security shifts left, developers become more responsible for ensuring the code they write is secure. This means there is also a need for more collaboration between security and DevOps teams.
As development and security teams embrace a more agile and collaborative way of working, they will seek out API security solutions and services that enable their businesses to grow and scale quickly. Additionally, as budgets come under more scrutiny in 2023, ensuring operational efficiency will be paramount and this is where senior technology leaders, security and development teams need to ensure they are much more coordinated.