Professional Documents
Culture Documents
Esg Securing Api Attack Surface
Esg Securing Api Attack Surface
Research Objectives
Organizations across industries improve their productivity, innovation, and customer service with an increase in web, mobile, and
cloud applications leveraging microservices architectures. But this brings an increase in APIs connecting application components and
resources. Organizations rate APIs as the element in the cloud-native stack most susceptible to attack, and attacks stemming from
insecure APIs were the most commonly identified cybersecurity incident tied to cloud-native app development over the last 12 months.
As the number of APIs continues to grow, security risk increases.
As a result, organizations need effective API security solutions to reduce risk as cloud-native development scales and help their
teams discover, manage, configure, monitor, and protect their APIs to keep pace with modern software development. To gain further
insight into these trends, TechTarget’s Enterprise Strategy Group (ESG) surveyed 397 IT, cybersecurity, and application development
professionals at organizations in North America (US and Canada) responsible for evaluating or purchasing cloud security technology
products and services.
Validate API usage and growth patterns associated Examine current API security approaches
with cloud adoption and digital transformation. and their effectiveness.
ÆD
Modernization Necessitates Security Risk Levels Pervasive, Resulting in Many
Cybersecurity Modernization Challenges and Shortcomings
1ª1Æ
Organizations are increasingly moving their production workloads to public cloud Today 24 months from now
Today 24 months from now
platforms. By leveraging the state-of-the-art technologies and services from
cloud service providers (CSPs) and microservices application architectures, they
can efficiently build and deploy their applications faster to serve their employees, 64% 63%
partners, and customers.
| Percentage of production server workloads run on public cloud infrastructure services. 20%
23%
15% 13%
0% 1%
Percentage of production workloads run on public cloud infrastructure services today 25% or less 26% to 50% 51% to 74% 75% or more
10% TO 20% OF 21% TO 30% OF 31% TO 40% OF 41% TO 50% OF MORE THAN 50%
WORKLOADS WORKLOADS WORKLOADS WORKLOADS OF WORKLOADS
29%
36%
57% 31%
We employ DevOps We employ DevOps
extensively in a limited fashion
Increasing Developer
% %
EciencyforFaster
Releases
| Frequency with which developers and/or DevOps teams deliver new builds to production.
Multiple times Once per day Multiple times Once per week Multiple times Once per month Once every 3 Less frequently
per day per week per month months than once every
3 months
Challenges Incorporating
| Security challenges resulting from the faster development cycles of CI/CD.
Security to Keep Up with
Release Speed
Security lacks visibility and control in development processes 41%
Although cloud-native application development
brings efficiency and productivity benefits, security
New builds are deployed to production with misconfigurations,
teams are challenged gaining the control they 40%
vulnerabilities, and other security issues
need to ensure that the applications deployed
are secure. In addition to citing production
builds being deployed with security issues, many Developers are skipping security processes 39%
organizations report their security teams lack
visibility into development processes and/or
that developers are skipping security processes. Lack of consistency of security processes across different
38%
development teams
They need ways to incorporate security into
the development processes without slowing Software is released without going through security checks
operations down. 38%
and/or testing
grow to 50%
ROUGHLY
MOST OF OUR ALL OF OUR
HALF OF OUR 15% APPLICATIONS APPLICATIONS
APPLICATIONS
67+33+U 67%
Open APIs for public
consumption
64+36+U 64%
Connecting applications
with partners
51+49+U 51%
Connecting
microservices
“
Frequency of API Updates
In addition to facing challenges from the rapidly growing number of APIs and their exposures from the associated types
of connections, security teams are challenged keeping up with the speed of API updates. More than one-third (35%) of
organizations release updates daily, and another 40% update on a weekly basis.
More than
| Frequency with which organizations typically change or update APIs.
35%
40%
one-third
(35%) of
22%
organizations
release
3%
1% updates daily.”
Daily Weekly Monthly Quarterly Every six months or less
frequently
1% to 10%
40+960= 4% 1% to 10%
30+970= 3%
11% to 25%
250+750= 25% 11% to 25%
240+760= 24%
26% to 50%
540+460= 54% 26% to 50%
490+510= 49%
51% to 75%
160+840= 16% 51% to 75%
220+780= 2%
35+57+8J
| Have organizations experienced a security incident related to insecure APIs in the last 12 months?
We have experienced
one security incident
Security Incidents from related to insecure APIs
Insecure APIs in the last 12 months,
57%
| Types of security incidents from insecure APIs. Impacts of API security incidents.
We have a robust API security program with the right processes and
74%
controls in place to secure APIs in our cloud applications
We have some processes and controls in place for API security 22%
Abusive
Abusive behavior behavior
bypassing bot bypassing
managementbot management
37% 37% 50% 50% 13% 13%
Outdated/unneeded
Outdated/unneeded APIs (zombie APIs)
APIs (zombie APIs) 33% 33% 54% 54% 13% 13%
46+32+193S
| Time it typically takes to remediate an API vulnerability.
TheNeedtoDriveRemediationEciency
For security to support the scale and speed of growing APIs, they need tools to help drive
efficient remediation so they can respond quickly to vulnerabilities. The data shows that 46% Hours
more than two-thirds can respond within a day, with 39% reporting the ability to do so
within hours. When vulnerabilities expose sensitive data, that time is precious.
32% One day
The data also shows organizations are relying more on manual testing and review
versus automated alerting to protect their sensitive data. As organizations scale with 19% One week
increasing product releases and higher numbers of APIs to add functionality and services
to their applications, this is not sustainable. Security teams need fewer tedious manual 2% Several weeks
tasks and solutions that can automate alerting to drive efficient actions that remediate
vulnerabilities exposing them to risk.
79+21+U
© 2023 TechTarget, Inc. All Rights Reserved.
79%
Manual testing and review
63+37+U 63%
Automated alerting
231ÆC(
Securing the API
API Attack
Attack Surface
Surface 22
“
Completely effective Mostly effective Somewhat effective
“
Completely effective Mostly effective Somewhat effective
As soon as or before Once they are live HIGH level of GOOD level of LIMITED level of
APIs are published, and in production, knowledge for API knowledge for API knowledge for API
API Security Investments and Future Plans Expected change in API security spending over the next 12-18 months.
Organizations are prioritizing investing in API security because of its importance in enabling
digital transformation. The data shows that most organizations have dedicated budget for API 66% 29%
security, and most expect to increase their investments in API security solutions over the next Signi…cant Slight
12-18 months. The areas in which organizations expect to focus their increased spending include increase increase
API security tools, with many looking for API security capabilities in other tools like cloud-native
application protection platforms (CNAPPs), application security tools, API management tools,
WAFs, bot management, and DDoS mitigation tools. % %
60+40+S 30+70+S
API security tools 45%
8+92+S 3+97+S
API management tools 39%
Noname Security provides the most complete, proactive API Security solution. Noname works with 25% of the
Fortune 500 and covers the entire API security scope — Discovery, Posture Management, Runtime Protection, and
API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley, California,
and offices in Tel Aviv and Amsterdam.
LEARN MORE
e e e
GS a
TechTarget’s Enterprise
After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, we were
left with a final total sample of 397 IT, cybersecurity, and application development professionals.
Manufacturing 27%
51%
26%
25% Retail/wholesale 16%
Communications and
38% 12%
media
17%
Technology 9%
11% Healthcare 8%
10%
8%
Business services 8%
7%
2% 4% Financial 6%
1%
Other 15%
100 to 500 to 1,000 to 2,500 to 5,000 to 10,000 to 20,000 or 1 to 5 years 6 to 10 years 11 to 20 years 21 to 50 years More than 50
499 999 2,499 4,999 9,999 19,999 more years
This publication is copyrighted by TechTarget, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express
consent of TechTarget, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact Client Relations at cr@esg-global.com.