eWEEK DATA POINTS: Enterprises first must understand the very nature of their API infrastructures. Most are not even aware of how many APIs they have to begin with.<\/b>
\nRecent incidents at Salesforce, Facebook, Google+ \u2014not to mention the Equifax breach and the Cambridge Analytica scandal that plagued Facebook\u2014point directly to the unsettling reality that API security is often an afterthought for enterprises. Such incidents serve as a major wake-up call for enterprise security teams everywhere.
Enterprises first must understand the very nature of their API infrastructures. Most are not even aware of how many APIs they have to begin with.
In this eWEEK Data Point article, using new research from Ping Identity based on a survey of 100 security and IT professionals, we offer five API security issues of which to be aware as you consider your holistic API security strategy.
Data Point 1: API sprawl is a growing issue.
Twenty-five percent of respondents say their company has more than 1,000 APIs, while 35 percent report having between 400 to 1,000 APIs. This suggests that APIs are continuing to expand at an accelerated rate. A January 2018 survey found that companies manage 363 different APIs on average, with 39.2 percent managing between 400 to 1,000 APIs and 7.2 percent managing more than 1,000 APIs. Determining how many APIs your enterprise has is the first step in figuring out your security liability and strategy.
Data Point 2: Lack of visibility into APIs is all too common.
Forty-five percent of respondents aren\u2019t confident in their security organization’s ability to detect whether a bad actor is accessing their APIs. In fact, 51 percent aren’t even confident their security team knows about all of the APIs that exist in the organization. This illustrates one of the greatest obstacles to effective API security today\u2014the people trusted with securing APIs don\u2019t always know where they are. As the saying goes: You can\u2019t protect what you can\u2019t see.
Data Point 3: API breaches are often a black box.
Thirty percent of respondents don\u2019t know whether their organization has experienced any breaches, leaks or other security incidents involving APIs. It\u2019s no wonder API security is overlooked so often when it\u2019s talked about so little. To make it a priority, security teams need to find more and better ways to communicate the urgency of API security to organizational leadership.
Data Point 4: Nation-states could weaponize APIs next .
Seventy-five percent of respondents believe we will see nation-states targeting or exploiting APIs in the next year. As the API economy expands to every corner of modern business and society, the arrival of sophisticated state actors is inevitable. The question security teams need to ask is whether they are ready for it.
Data Point 5: Financial services and government believed to be at higher risk
Forty percent of respondents believe financial services companies will the most heavily-targeted industry for API attacks in the coming year. Government came in second with 20 percent of the vote. Looking ahead to 2019, expect more sophisticated attacks on APIs, especially in industries where the data moving between applications and services is extremely valuable.
If you have a suggestion for an eWEEK Data Point article, email cpreimesberger@eweek.com .<\/p>\n