Like many people's, your mobile phone number is probably easy for anyone to find with a bit of searching. Imagine if someone could take this number and your name and gain access to your mobile phone account, including billing, email address and phone IMSI. Or maybe someone hacked into one of your social accounts and accessed your contact information and all your photos? These very real scenarios at T-Mobile and Instagram both occurred because of application programming interface (API) security vulnerabilities. To learn more about the use of APIs, Imperva commissioned One Poll to study the attitudes of 250 IT managers and security professionals.
APIs power the interactive digital experiences users love and are fundamental to an organization’s digital transformation. However, they also provide a window into an application that presents a growing cybersecurity risk. Hackers like APIs because they present multiple avenues to access a company’s data and can be used together in unintentional ways to enable new attacks that exploit web and mobile applications and IoT devices.
The API security survey revealed that on average companies manage 363 different APIs, and that two-thirds (69 percent) of organizations are exposing APIs to the public and their partners.
As noted, public-facing APIs are a key security concern because they are a direct vector to the sensitive data behind applications. Asked about their main API security concern, respondents stated they are most worried about DDoS attacks and bots, while 24 percent said they are most concerned about authentication enforcement.
Just over two-thirds of companies treat API security differently than web security, although API security is overseen by IT 78 percent of the time. Eighty percent of organizations use a public cloud service to protect the data behind their APIs with most people using the combination of API gateways (63.2 percent) and web application firewalls (63.2 percent).
Ninety-two percent of IT professionals believe that DevSecOps, the combination of development, security and operations, will play a part in the future of application development. This highlights an increased desire from many organizations for security to be built in from the very beginning of software development rather than as an afterthought.
Companies need to close the door on security risks from API exposure by deploying a multilayered, defense-in-depth approach to security. To learn more, read “Six Ways to Secure APIs,” and read our full survey results here.