Monday, July 1, 2024

Enterprises aren’t betting big on API controls yet, says study

The study also found that only 29% of organizations use API security controls embedded in DDoS and load balancing services.

Phishing and missing patches identified as the biggest risk

Survey respondents ranked phishing and missing patches as their top two API security risks. Thirty-eight percent saw phishing for reusable credentials as the biggest API security risk, while 24% saw exploitation of missing patches as a major threat.

“API infrastructure issues like missing patches become API security issues because APIs are more vulnerable. Phishing is a broader security issue that can also occur in the API realm,” said Chokshi.

Other respondents feared a variety of threats, including exploitation of vulnerable APIs (12%), misconfiguration of servers (12%), and users’ inadvertent disclosure of sensitive data (9%).

Risk mitigation

62% of respondents are using a web application firewall as part of API risk mitigation. Among these firewalls, the main ones used are Acunetix, Akamai, AWS Shield, Azure WAF, Checkpoint, Cisco, Cloudflare, and ModSecurity.

More than three-quarters (76%) of organizations have trained development staff on application security, and most of them use the Open Web Application Security Project (OWASP) Top 10 lists for application and API security and the MITRE ATT&CK framework as the basis for defining application and API risk.
