In its 2023 State of API Security Report, security company Traceable reported a sharp increase in API-related data breaches. The report is based on feedback from 1629 cybersecurity experts in over six major industries across the United States, the United Kingdom and the European Union.
Fully 58% of respondents agree or strongly agree that APIs are expanding the attack surface across all layers of the technology stack, and 57% say that traditional defensive measures are not capable of distinguishing “legitimate from fraudulent activity at the API layer.”
- 74% reported at least 3 API-related data breaches in the past two years
- 48% of organizations say API sprawl is their top challenge
- Just 38% can distinguish between valid API activity, user behaviors, and data flow
- Organizations are managing an average of 127 third-party API connections
- A majority are not confident in WAF, WAAP or lifecycle management tools to protect APIs
“34% of organizations feel uncertain about the efficacy of their tools like WAF and WAAP, rating them as moderately effective (scores of 5 or 6). Meanwhile, 23% rate theirs as less effective (scores of 1 to 4). Although 43% find their solutions more satisfactory (scores of 7 to 10), it underscores that over half aren’t fully confident in their API security measures,” the report stated.
An expert with Approov offers comments:
Ted Miracco, CEO at Approov Mobile Security:
“APIs clearly enable innovation and interoperability, but unfortunately this study reinforces the risks posed by porous APIs and the inadequacy of traditional controls. With API breaches rampant and third-party connections multiplying, many organizations are flying blind. This uncertainty, especially in mobile apps, demands radically new API security paradigms centered on identity, Zero Trust, and continuous validation, and attestation of API requests. Companies must review and in some cases re-architect their API protections. Otherwise it is not a question of “if” but rather of “when” their next API breach will strike.”