RSAC 2020 Survey — API Security Attitudes & Trends
CloudVector attended RSA Conference 2020 to exhibit in the Early Stage Expo, a specialized pavilion for up-and-coming cybersecurity vendors away from the hustle and bustle of the main show floor. The Early Stage Expo can only be accessed by RSA Attendees or those with Expo Plus badges, so the conversations are much more likely to be with hands-on practitioners. With this in mind, we wanted to take the opportunity to discuss API security attitudes and trends, so we created our survey accordingly. More than 100 Early Stage Expo attendees responded.
Question #1: Are digital transformation and cloud migration trends driving the increased usage of APIs across your enterprise?
11% Don’t Know
The response to this question should come as no surprise to anyone. Digital transformation and cloud migration trends of the past decade are creating and proliferating more and more APIs across the enterprise on a daily basis.
Question #2: Which type(s) of APIs is your organization using (select all that apply)?
68% Public (exposed APIs for third-party integrations)
80% Private (internal APIs for enterprise applications)
76% Third-party (external APIs integrated into applications)
When we asked this question, it turns out that only one respondent said their organization wasn’t using APIs. Almost every organization is using APIs, and more than half (56%) are using all three. These responses lead us to believe that most organizations are driving business value, and embracing agile development, by building applications that use internally-developed APIs, as well as from third-parties. The reality is that APIs are a powerful tool because they are so flexible, but that is also their greatest weakness; attackers exploit APIs through their flexible parameters, which is why it is so important to create an API catalog to record their specifications.
Question #3: Does your organization’s DevOps function catalog its API specifications?
31% Yes, but they are incomplete or outdated
This result is a mixed bag. The good news is that nearly two-thirds of organizations have a DevOps function that is cataloging its API specifications, which makes it easier to monitor and secure them. But the bad news is that one-third are incomplete or outdated, which makes them more difficult to monitor and secure, and another third are missing an API catalog completely. The lack of API specs, or outdated specs, pose a severe risk because it is the biggest blindspot for both DevOps and Sec Ops. By the way, we have a free tool for DevOps to discover and catalog their APIs in Kubernetes environments called API Shark–check it out.
Question #4: Does your organization have a way to discover unknown or outdated APIs (including shadow APIs) to create API blueprints/catalogs/specifications?
25% Don’t Know
There is no more good news here. Almost half of organizations are missing the capability to discover unknown or outdated APIs, which represents another blindspot when you consider the missing, incomplete and outdated API catalogs we uncovered in the previous question. We haven’t had the time to correlate the results between questions, but it wouldn’t surprise us if the same organizations that are missing API catalogs from DevOps are also missing the ability to discover them independently. We will produce a follow-up blog post in a few weeks that examines some of these potential correlations.
Question #5: Does your organization have a way to monitor the data within its API traffic (including encrypted traffic)?
6% Don’t Know
This answer is actually pretty surprising, almost half of respondents said their organization has a way to monitor the data within its API traffic, including encrypted traffic. We suspected this number would be much lower, and if we knew it was going to be so high it would have been good to ask them how they are doing it.
Question #6: How does your organization detect API abuse and data exfiltration of “north-south” (inbound-outbound) API traffic?
24% API Management Gateway
63% Web Application Firewall
12% Next-generation API Security
The prevailing mindset around API security is to use a gateway to protect internal to external API traffic (and vice versa). And we can see that Web Application Firewalls are preferred at a 3:1 ratio by security practitioners at RSA Conference. It’s also great to see the emerging adoption of Next-generation API Security, such as our own company, CloudVector. Next-gen API Security is now a critical service in light of the proliferation of APIs and the evidence of advanced API threats that are beyond the scope of legacy solutions. Specifically, the fact that 80% of organizations are using private APIs for their own internal applications should be a concern because this sort of East-West traffic cannot be protected by traditional gateways.
Question #7: Does your organization have a way to detect API abuse and data exfiltration of internal “east-west” (application-to-application) API traffic?
20% Don’t Know
This is the crux of the risk we have been discussing. Organizations are increasing the use of APIs, they overwhelmingly favor internal/private APIs, yet they lack visibility into them from the creation of API catalogs to the discovery of unknown APIs, and ultimately to protecting this internal application-to-application API traffic. We fully expect to see a rash of API breaches leveraging this attack vector until organizations get a better grasp of how to discover, monitor and secure their API risk surface.
Question #8: In the past 12 months, has your organization detected any reconnaissance attempts to exploit your APIs?
34% Don’t Know
This is no paper tiger. One-third of organizations have detected reconnaissance attempts to exploit their APIs in the past year. And judging from the missing API security controls we’ve seen up and down these survey results, I suspect the number is actually much higher. Don’t get caught with your guard down. Request a live demo today to see how CloudVector can improve your API security posture.