Noname Security’s API Security Report Reveals API Security Incidents are Escalating

Report finds 94% of security professionals are confident in their current application testing tools yet, 78% have experienced an API security incident in 2023


SAN JOSE, Calif., Sept. 28, 2023 (GLOBE NEWSWIRE) -- Noname Security, provider of the most complete API security platform, today announced the findings from its annual API security report, “The API Security Disconnect 2023.” Twelve months on from the inaugural study, the report reveals that the number of API security incidents continues to increase, and as a result, API security is more of a priority now than it was 12 months ago.

Conversely, confidence in respondents’ ability to tackle such incidents has shot up from 67% who said they were confident in their DAST and SAST tools for API testing in 2022 to an overwhelming number of respondents (94%) saying they are confident that their current application testing tools are capable of testing APIs for vulnerabilities in 2023.

Over three-quarters (78%) of respondents have suffered an API security incident in the last 12 months, marking a slight increase from Noname Security’s inaugural 2022 report, where 76% of surveyed respondents experienced an API security incident. The primary causes or top attack vectors cited were Web Application Firewalls (26%), Network Firewalls (20%), and API Gateways (18%). This is a shift from last year when Dormant or Zombie APIs topped the list (19%).

The report findings show visibility of API inventories has improved. Nearly three-quarters (72%) of cybersecurity professionals have full API inventories, but of those, only 40% have visibility into which return sensitive data. This represents a year-on-year increase (67%) of those that had a complete inventory in 2022.

With the prolific number of API security incidents, testing APIs is imperative. The number of respondents that test in real-time or undertake daily testing has increased from 39% in 2022 to 55% in 2023. However, there is still a disconnect between testing frequency and the number of attacks.

Other key findings include:

  • 81% of respondents stated that API security is more of a priority now than it was 12 months ago.
  • 51% cited loss of customer goodwill and churned accounts as the biggest impact of an API security incident.
    • 48% cited fees incurred to help fix the issues, and similarly, 48% said loss of productivity was the biggest impact.
  • 53% now view API security as a necessary requirement for their business.
    • While 47% say it is a business enabler
  • 53% say their developers spend between 26% and 50% of their time on refactoring and remediation.

“The continuing increase in reported API security incidents over the last two years that we conducted this research demonstrates that this is not a fleeting trend but a pressing reality that organizations must deal with and prioritize,” said Shay Levi, CTO and co-founder of Noname Security. “APIs are indispensable in today’s modern environment, but everyone is worried about ransomware, phishing attacks, and data breaches. This research validates why security leaders must prioritize API security.”

Personal identifiable information data is increasingly being targeted

Of the six vertical sectors surveyed in this year’s report: financial services, retail and eCommerce, healthcare and government and public sector, those that have a lot of personal identifiable information (PII) data all saw an increase in API security attacks:

  • Financial services: Increase from 75% in 2022 to 80% in 2023
  • Retail and eCommerce: Increase from 77% in 2022 to 79% in 2023
  • Healthcare: Increase from 70% in 2022 to 79% in 2023
  • Government and public sector: Increase from 75% in 2022 to 77% in 2023
  • Manufacturing: Decrease from 79% in 2022 to 73% in 2023
  • Energy and utilities: Remained the same at 78% in 2023

The cadence of testing APIs for vulnerabilities increased in every sector. The most pronounced change was in the financial services sector, with real-time testing jumping from 14% in 2022 to 23% in 2023, with 37% testing at least once a day. This shows that this sector is starting to really understand the criticality of API security testing, with 60% either testing in real-time or at least once a day, which is a marked improvement from last year.

US Turns the Tables on Frequency of Testing

Over two-thirds of US respondents (69%) admitted they had experienced an API security incident in the last 12 months, down from 77% in 2022, whereas 85% of UK respondents said they suffered an incident in the last 12 months, a 10% year-on-year increase from the year prior.

There were several differences in attitude towards monitoring and visibility of APIs between the two countries surveyed, especially when it comes to reporting in real-time. In 2022, less than one in ten (8%) of US respondents and 14% of UK respondents undertook API security testing in real-time. Fast forward to 2023 and nearly one-fifth (19%) of US respondents now test in real-time while the UK has slightly increased to 17%.

Disparity in API security approach across job roles

Responses from application security (AppSec) teams differ considerably from other job functions surveyed. Between 73% and 84% of C-suite and senior security professionals said they had experienced an incident in the last 12 months, yet only 48% of AppSec professionals said the same. This disparity extends to the top security attack vectors for APIs, with AppSec teams overwhelmingly citing web application firewalls (64%) as the top attack vector for APIs, with more of a spread across other job functions.

Additionally, AppSec professionals have the least amount of confidence in current application testing tools being capable of testing APIs for vulnerabilities, with just 84% saying this, compared to an average of 95% across other job functions.

“This research raises questions about how many API security incidents have been elevated into the consciousness of the C-suite or whether there is a disconnect and lack of communication between C-suite technology leaders and AppSec professionals in organizations. AppSecs are at the coalface dealing with these incidents daily and are at the very heart of application development lifecycles. Increased communication and collaboration needs to take place if organizations are to truly tackle the rising number of API security incidents,” concludes Shay Levi.

If you are interested in reading the full results from Noname Security’s “The API Security Disconnect – API Security Trends in 2023” report, please click here.

About Noname Security
Noname Security is the only company taking a complete, proactive approach to API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley, California, and offices in Tel Aviv and London.

Media Contact
Stephanie Schlegel
Offleash for Noname
noname@offleashpr.com

Methodology

Noname Security commissioned independent research organization, Opinion Matters, to undertake the second API Disconnect Survey in June 2023. 631 senior cybersecurity professionals in the UK and USA were surveyed from across a variety of enterprise organizations in six key vertical market sectors: financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy and utilities.