API Vulnerabilities: 74% of Organizations Report Multiple Breaches

API security company Traceable has unveiled its 2023 State of API Security Report. In collaboration with the Ponemon Institute, the study provides a comprehensive global perspective on the state of API security, exposing critical vulnerabilities and their far-reaching consequences.

The report, based on insights from 1629 cybersecurity experts across the United States, the United Kingdom and the European Union, paints a concerning picture of the API security landscape.

One of the most alarming revelations is the sharp increase in API-related data breaches. Within the past two years, 60% of organizations surveyed reported at least one breach, with a substantial 74% experiencing three or more incidents. DDoS attacks emerged as the primary method, accounting for 38% of breaches. This, coupled with other attack vectors, significantly expands organizations’ potential attack surfaces, according to 58% of respondents.

“In an era where digital ecosystems are intrinsically entwined with our operational fabric, this report brings to light the hidden iceberg beneath the API landscape,” commented Richard Bird, chief security officer of Traceable.

“It’s alarming to see that the majority of businesses are navigating these treacherous waters with a significant blind spot, unprepared and underestimating the very real threats associated with APIs.”

The research also highlights a lack of understanding and confidence in API security. Only 38% of experts felt capable of discerning the nuances of API activities, user behaviors and data flows. Traditional security solutions, including Web Application Firewalls (WAFs), came under scrutiny, with 57% doubting their effectiveness in distinguishing genuine from fraudulent API activity.

Looking ahead, 61% of respondents anticipate escalating API-related risks in the next two years. Organizations are grappling with challenges such as API sprawl (48%) and the accurate inventory management of APIs (39%). On average, organizations maintain 127 third-party API connections, yet only 33% expressed confidence in securing these external threats.

“As a security community, we must address this glaring disconnect, prioritizing API security as a cornerstone of our cyber defense strategy,” Bird added. “It’s time that API security is elevated from the server room to the boardroom. Only by doing so can we hope to stay ahead of the evolving threat landscape.”