We surveyed over 50 organisations across Australia and New Zealand about the State of APIs with a section of the survey dedicated to API Security.
We found confidence around maturity and security yet some missing ingredients of best practice approaches. The survey also highlighted the pragmatic trade-offs that teams need to make on a daily basis, as well as the different ways engineers and managers view those trade-offs.
This article shares some of the key insights from the security section of the 2022 State of API Report in Australia and New Zealand.
Confident yet missing key security practices
Organisations were mostly confident about security yet when probed on specifics of how they handle security were missing key practices that lead to success.
A specific example of this is that despite a large proportion of the respondents not having a high degree of observability across their API inventory, they, somewhat contradictorily, were confident or very confident in their organisation’s ability to detect a breach.
Regardless of the self-reported level of sophistication of API security, when breach occurrences were segmented by those self-reporting with high sophistication and low sophistication, there was no discernible difference in the overall breach rate.
This data illustrates that, even if you think you’re mature in terms of security, you are equally as vulnerable as other organisations—it appears that we are not good judges of our own organisation’s security. The relatively high breach rate per organisation also shows us that the API security war is far from over.
Security does not lend itself to a ‘set and forget’ mentality—it is an ever-evolving journey to keep pace with the increasing sophistication of cyber attacks. Artificial intelligence and machine learning has an important role to play in cybersecurity, in helping to close the gap.
Quoting Peter Drucker, ‘You can’t improve what you don’t measure.’ An interesting observation to come out of the survey was that while many respondents self-rated their security as sophisticated, their level of observability didn’t correlate.
This unexpected lack of correlation could be explained by a lack of awareness of how API attacks have evolved—for example, attacks now focus on business logic abuse, which from the perspective of a WAP or API gateway looks like legitimate traffic. It’s only by leveraging artificial intelligence, machine learning, and more contextually aware behavioural-based anomaly detection that these more advanced attacks can be picked up. This does not say that these devices should be replaced, but rather advocates for a multi-layered, defence-in-depth approach to security.
Security, functionality, usability tradeoffs
Security, functionality, and usability are all competing concepts. Even though, holistically, security is deemed as important, finding a balance and suitable tradeoffs between the three areas frequently results in friction between development and security teams.
This view was validated through segmentations of the survey data. An investigation of Figure 5 shows a strong security bias by managers, which is further supported by the Postman “State of API” report, which saw respondents rank security as the 4th biggest development priority.
Inline with other global API surveys, tensions in the security, functionality, and useability triangle hold true in Australia and New Zealand. Additionally, this insight into the conflicting priorities and perceptions between different functional teams—with management being more biassed to city security centricity—reveals an interesting tension.
noname security’s research in this field has shown that just over a third of responders had projects delayed due to API security concerns, and 87% of those people believed more efficient integration of API security testing into developer pipelines activities could have prevented those delays.
From our industry perspective, we believe that one approach to help reduce security, functionality, and usability friction is via automation, directly integrating with the Developers own tool sets and methodologies. By removing the barriers to entry, so to speak, organisations can employ “shift left” and “secure by design” strategies.
Get the full report
Thanks to Troy Leliard, Regional Solution Architect Lead at noname security for his contribution to this piece.
You can download the complete report for the State of API in Australia and New Zealand here, or via the form below.