Traceable AI research from first annual RSA Conference survey also reveals that only 37% of companies have a dedicated team for API security
SAN FRANCISCO – New research conducted at RSA Conference 2023 by Traceable AI found that while API security remains a top cybersecurity concern this year, there is still an alarming lack of implementation for most companies. The first annual study also revealed that companies are struggling with unchecked API sprawl, lack of clarity on who owns API security, and do not baseline behavior as part of their security capabilities.
With insights from more than 100 cybersecurity professionals, the study showed that though 69% of organizations claim to factor APIs into their cybersecurity strategy, 40% of companies do not have dedicated professionals or teams for API security, while 23% of respondents do not know if there is dedicated API security in their organization. While many organizations (61%) don’t think they have experienced an API attack in the last 12 months, an alarming 36% of respondents are unsure.
Additional highlights include:
- 40% of organizations do not have a dedicated API security professional or team.
- API security ownership remains fragmented between different teams, with 38% of respondents claiming the CISO owns it, while 25% claim Development and/or DevOps takes ownership; and 24% of respondents simply don’t know.
- The majority of respondents (66%) either struggle with API sprawl, or do not know if their company is managing API sprawl effectively.
- 40% of cybersecurity professionals’ companies don’t have an API security solution, and 29% are unsure if their organization is securing APIs at all.
- Among those who have adopted API security tools, 25% of professionals’ solutions can’t baseline API behavior and identify abnormal activity potentially indicative of an API attack; a staggering 50% of respondents were not sure if their API security solution had these capabilities.
“With APIs being a universal attack vector and the cause of some of the biggest data breaches in recent years, it’s very concerning to find out that 40% of organizations do not have a dedicated API security professional or team to tackle this problem, with 23% unsure if they had a team at all. Equally concerning is that 40% of organizations do not have an API security solution in place,” said Richard Bird, Chief Security Officer at Traceable. “In the past, hackers had to devise strategies for getting around existing defenses in order to locate data and interfere with systems. Now, they can simply exploit an API and obtain access to sensitive data without even exploiting the other solutions in the security stack. This is why more organizations need to take API security seriously and make it an integral part of their broader cybersecurity strategy.”
During RSA,Traceable also continued its commitment to API security with the announcement of its Zero Trust API Access solution, the first-of-its-kind solution that actively reduces your attack surface by minimizing or eliminating implied and persistent trust for your APIs. The announcement followed the news that Zero Trust pioneer John Kindervag and “Dr. Zero Trust” Chase Cunningham have joined Traceable as advisors.
To learn more on how API security can help your business, visit https://www.traceable.ai/request-a-demo.
Methodology
To better understand the state of API security at the RSA Conference 2023, Traceable conducted a survey on the show floor. The team spoke with over 100 security professionals about their recent experience, struggles, and how they are dealing with a new era of threats – specifically API security risks in their organization. Traceable anonymized and compiled this data to produce a report to inform the industry on the trends and patterns of API security.
About Traceable
Traceable is the industry’s leading API Security company that helps organizations achieve API protection in a cloud-first, API-driven world. With an API Data Lake at the core of the platform, Traceable is the only intelligent and context-aware solution that powers complete API security – security posture management, threat protection and threat management across the entire Software Development Lifecycle – enabling organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help protect your business, book a demo with a security expert.