WASHINGTON, D.C. – January 19, 2023 – Corsha Inc., a leading API security company, today released new research that paints a picture of cybersecurity professionals who are both frustrated over how much time and attention they must devote to API security and worried that their defenses still remain inadequate.
The Corsha team recently surveyed more than 400 security and engineering professionals to learn about their API secrets management practices and the challenges they face in thwarting API attacks. Among the key takeaways:
●86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets.
●Over half (53%) of respondents have already experienced a data breach with unauthorized access to their networks or apps due to compromised API tokens.
●72% of respondents use a secrets management solution yet over half (56%) are still concerned about a potential data breach due to their current secrets management practices.
“Security and engineering teams are forced to divert their attention away from forward-facing engineering to focus on secrets management, yet their organizations remain vulnerable to attackers both through lateral attacks and leaked or compromised API secrets to gain illegitimate access to sensitive data,” said Jared Elder, Chief Growth Officer at Corsha. “Data is everything and the potential risk from data breaches associated with leaked API secrets is clearly high and growing. Yet with an explosion of credentials to provision, rotate, and manage, the good guys find themselves constantly behind the eight ball.”
A Rapidly Changing Threat Landscape
API usage has exploded over the last several years as companies continue to expand their adoption of could native technologies and API-driven ecosystems such as microservices and serverless architectures, hybrid cloud infrastructures, CI/CD pipelines, and a host of other applications and services that are sending and receiving sensitive information through APIs. According to the Corsha survey, 44% of respondents host their API services across multiple clouds. For many enterprises, this often means disjointed secrets management solutions across disparate environments.
As a result, Corsha survey respondents spend an inordinate amount of time managing API tokens. 78% reported they manage at least 250 API tokens, keys, or certificates across their networks. Unfortunately, their security strategies for API-based communication cannot keep up with the level of scale and automation that’s possible today.
Outdated Approaches to a Modern Security Challenge
All APIs have one thing in common: they connect services to facilitate data transfers. That makes them a favorite target for hackers as the number of APIs that depend on secrets increases, and workflows (e.g., secret provisioning and sharing, secret management, monitoring, control) become more difficult.
According to the Corsha survey, the top three API secrets management pain points are:
- Working with certificate authorities (44%)
- Rotating secrets (37%)
- Provisioning secrets (36%)
The methods respondents most commonly use to address these pain points are often dated, manual, error-prone, and cumbersome.
While many security teams assign specific entitlements to API keys, tokens, and certificates, the survey discovered that more than 42% do not. That means they’re granting all-or-nothing access to any users bearing these credentials, which although is the path of least resistance in access management, also increases the security risk.
Corsha’s researchers also found that more than 50% of respondents have little-to-no visibility into the machines, devices, or services (i.e., clients) that leverage the API tokens, keys, or certificates that their organizations are provisioning. Limited visibility can lead to secrets that are forgotten, neglected, or left behind, making them prime targets for bad actors to exploit undetected by traditional security tools and best practices.
Another red flag: although 54% of respondents rotate their secrets at least once a month, over 25% admit that they can take as long as a year to rotate secrets. The long-lived, static nature of these bearer secrets make them prime targets for adversaries, much like the static nature of passwords to online accounts.
API Security Best Practices
The Corsha report also outlines what organizations can do to implement effective secrets management processes, including:
●Integrating a good secrets manager to gain overall visibility into all secrets
●Using mTLS when and where possible
●Always set a short expiry on secrets when possible
●Always sign and verify tokens
●Don’t store or pass secrets in plaintext
“Today, even the most robust modern secrets management implementation isn’t sufficient to prevent APIs from being exploited, which explains why over half of our survey respondents highlighted the continuing worry of suffering a potential data breach due to their current secrets management practices,” added Scott Hopkins, Chief Operating Officer at Corsha. “The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight. Organizations would benefit from a stronger, automated, and highly scalable answer to their API authentication woes that can readily integrate into any environment. Corsha provides a robust added factor to API authentication to protect an organization’s critical systems and data from savvy and opportunistic bad actors.”
It’s also important for security and development teams to recognize that risk is predominantly shifting from human to machine to machine-to-machine and consider what needs to be done to account for this transformation.
Corsha is on a mission to simplify API security and allow enterprises, developers, and DevSecOps teams to embrace modernization, complex deployments, and hybrid environments with confidence. Using a dynamic, blockchain-based machine identity, Corsha has developed a patented way to provide multi-factor authentication (MFA) for APIs, where API access may be pinned to only trusted machines. With Corsha, each API call now requires a fresh, one-time use credential, enabling zero-trust access for an organization's API services.
To learn more about the Corsha Platform, visit: https://corsha.com/the-platform/.
Follow this link to read and download the Corsha State of API Secrets Management Report.
Corsha fully automates multi-factor authentication (MFA) for APIs to better secure machine-to-machine communication. Our product creates dynamic identities for trusted clients, and adds an automated, one-time use MFA credential to every API call, ensuring only trusted machines are able or leverage keys, tokens or certificates across your applications, services, and infrastructure. Halt and resume access to a machine or group of machines without revoking secrets or impacting other workloads, leaving compromised secrets are rendered useless using Corsha.
API-first ecosystems are driven by the machines that power them. Whether those are Kubernetes pods, containers, virtual machines, physical servers, IoT devices, or other form factors, risk is shifting from human to machine as we automate more and securing communication between machines often becomes an afterthought. Today, API secrets like keys, tokens and certificates are used as a way to broker access between machines, but these static secrets are often shared, rarely rotated and are being leaked in CI pipelines, logs and code repositories at an alarming rate.
Corsha is taking all the goodness of MFA and using the same principals like one time use credentials to secure APIs. This provides teams security, visibility and control into the machines that are accessing your APIs and the ability to revoke API access at the drop of a hat. For more information, visit: https://corsha.com/.