Enterprise platforms have a major API security gap, with 84% of organizations exposing sensitive data through APIs without adequate safeguards, new research from Raidiam has revealed.
The study, which profiled 68 companies in sectors like fintech, SaaS, and payments, highlights a growing disconnect between the sensitivity of data flowing through APIs and the strength of API protections, particularly outside regulated environments like Open Banking.
“API security should not be an afterthought,” said David Oppenheim, Head of Enterprise Strategy at Raidiam. “The gap between data sensitivity and control strength is no longer just a technical concern – it’s a board level risk.”
Outdated Defenses, Sensitive Data
The report also revealed that although 85% of organizations surveyed handle payment data or special category personal information – such as identity claims, account details, or religious affiliation – only one met the benchmark for modern, cryptographic API security.
The vast majority still depend on outdated mechanisms like static API keys or shared secrets via basic OAuth2.0, leaving them exposed to credential theft, token replay, and impersonation attacks.
In total, Raidium placed 57 out of 68 organizations (84%) in the “Act urgently” category of it Security vs Sensitivity Matrix, indicating dangerously inadequate API security relative to the sensitivity of the exposed resources.
These gaps are more than theoretical. The report references the Dell partner API breach in 2023, where an attacker posing as a fake partner was able to scrape 49 million customer records using a script that exploited an unsecured API endpoint lacking rate limits or behavioral monitoring.
An Industry-Wide Blind Spot
The findings underscore a broader industry failure to treat API security as a strategic priority. Despite the rapid proliferation of APIs to support mobile apps, partner integrations, and cloud services, most enterprises lack basic, API-tailored:
- Runtime monitoring
- Penetration testing
- Anomaly detection
Moreover, less than half the organizations surveyed conduct regular API-specific testing or implement fine-grained authorization controls such as attribute-based access control (ABAC).
Insecure API credentials are an especially common weak point. Many organizations fail to rotate secrets or store them securely, and static bearer continue even in environments processing high-value data.
“It’s the digital equivalent of leaving the vault door open,” Oppenheim warned. “Without mutual TLS, certificate-bound tokens, and modern access controls, attackers can and will exploit these weaknesses.”
Roadmap to Remediation
To close the widening gap, Raidiam suggests a four-step remediation strategy:
- Elevate API security to a board-level priority, with clear ownership, governance processes, and ongoing reporting.
- Modernise controls by adopting strong cryptographic techniques such as mutual TLS, certificate-bound OAuth tokens, and private key JWTs.
- Invest in developer training, secure coding practices, and dedicated API testing frameworks to embed security into the development lifecycle
- Engage trusted partners to fast-track adoption of proven infrastructure and standards, such as Publick Key Infrastructure (PKI), FAPI, and Zero-Trust aligned architectures.
The report also stresses that regulated sectors, such as Open Banking in UK, already enforce these higher standards, including full mutual TS, dynamic client authentication, and signed JWT assertions. As Mastercard and VISA begin mandating mTLS for APIs, the private sector has a clear path to follow.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.