Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months.
According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies' use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots — with 40% of companies suffering an incident due to misconfiguration and a third coping with the latter two issues.
Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but most companies — greater than 60% — discovered issues during the software development process, during application deployment, and by using real-time monitoring, according to the survey of more than 500 technology leaders.
Despite these issues, more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions, says Vikas Anand, head of product for business application platforms at Google Cloud.
"There's a perception of confidence with existing tooling that isn’t matched by evidence," Anand says. "The landscape for security has changed — with the dramatic growth in API volume, APIs are the new battleground for application security."
The interest in Web APIs comes as companies have accelerated their digital transformations over the past two years following the business disruptions caused by the coronavirus pandemic. Nearly all (93%) of companies surveyed by Google in a second study of 770 technology leaders characterized their operations as based on "mostly cloud," up from 83% two years ago.
In contrast, business decision-makers characterizing their operations as "mostly on-premises" dropped by half to 7%, from 16%, in the same time period.
By one estimate, API-related security incidents caused $12 billion to $23 billion in losses since 2020. And the attack surface is getting bigger: The average large company has three times the number of APIs — 15,600 — as a year ago.
APIs: Key to Cloud Transformation
While 46% of organizations surveyed reserved their use of APIs to only within their own organization, more than half (54%) allow partners, customers, and other external developer use the APIs as a way to spur third-party development, Google found.
"APIs are critical to application modernization and digital transformation because, along with microservices, they enable rapid delivery of new experiences to customers, while cutting the cost of development and maintenance," Google Cloud stated in its "The Digital Crunch Time: 2022 State of APIs and Applications" report.
Because APIs are critical to their digital transformation, companies have wisely prioritized API security investments, with 60% aiming to improve their ability to proactively identify security threats, and 57% adopting more security automation and orchestration, according to Google Cloud's second report, "API Security: Latest Insights & Key Trends."
About half of companies also intend to expand their real-time monitoring of API servers and using artificial intelligence and machine learning (AI/ML) systems to better discover flaws and detect attacks.
"As organizations move from being reactionary to proactively addressing these threats, we’ll see AI/ML models become more widely adopted within security tooling," Anand says. "ML-based rules are the natural evolution of this — not just automating, but continuously learning from those experiences."
API Maturity Brings Cloud Success
Unsurprisingly, companies that have had more experience with APIs have also found more success with their transition to more cloud-native operations.
About a third of companies (34%) classified themselves as having a mature approach to APIs, pushing an API-first strategy across the organizations and using an API management platform. Those companies also had more success increasing efficiency, better collaboration, and improved agility, compared with organizations with lower API maturity.
Google Cloud defined low-maturity organizations as those with siloed APIs, no centralized management of APIs, and perhaps an API gateway for security.
"Our study shows that mature API organizations are considerably ahead in their digital transformation efforts compared to low-maturity API organizations," according to the vendor. "Technology leaders already understand the value that APIs bring."
For companies moving to API-based application infrastructure, API security is considered the most significant component of an API program, with 66% of companies considering it important, according to Google's report. Other top concerns included API performance analytics and API governance.
"API security ultimately needs to be part of the overall end-to-end security strategy," Anand says. "Seamless integrations between all security products make enhancing the overall security value from your portfolio easier."