F5 API Sprawl Report Finds Nine In 10 Enterprises Had An API Security Incident In 2020

BACKGROUND:

F5’s new report “Continuous API Sprawl: Challenges and Opportunities in an API-Driven Economy” exposes security threats posed by the global proliferation of APIs. It cites sectors such as retail and financial services, and notes more generally that: “More than nine out of ten of enterprises experienced an API security incident in 2020. Every API thus becomes a point on the security perimeter that can be potentially compromised if not properly architected or protected.”

“The number of APIs by 2030 will be in the 100s of millions, making it a significant scalability, manageability, and security challenge for our customers and the industry. It does not matter what parameters of the model we tweak; API sprawl will be a global problem. Discovery, networking, integration, and security are set to become significant challenges for the entire Dev and Ops ecosystem.”

“APIs are prone to fraud and malicious behavior. External APIs must be validated continuously for trust, and internal API keys can be compromised, giving attackers access to critical infrastructure. If data is the new oil, then APIs could unfortunately become the new plastic, with byproducts wreaking havoc on the ecosystem.”

Expert Comments

November 05, 2021
George McGregor
VP of Marketing
Approov


The report does discuss the issue of "secrets sprawl", highlighting how secrets such as API keys are often exposed when spread across a distributed infrastructure. It only takes one such key to allow an attacker to access illicitly an application service through an API and gain access to critical infrastructure. However, the report does not fully explore how the exploitation of such stolen secrets can actually be blocked in real-time. Such solutions do exist and should be evaluated by anyone who wants to take API security seriously.
