“The Analyst Perspective – Observations from Cequence’s 2021 API Specification Survey”

September 28, 2021 | by Joseph Krull

This is the last of my three guest blogs as part of our collaboration with Cequence. In the first blog on August 30, I wrote about how we’ve seen the level of API security knowledge increase since our initial research in 2019 but more must be done to secure the use of APIs in today’s hyperconnected world. In the second blog on September 13, I noted that despite increasing levels of API security maturity, significant breaches and detected vulnerabilities continue to occur at a rapid pace. In that second blog, I provided four recent examples of API-related gaffes and the root cause for each.

API security continues to be a hot topic as APIs are now ubiquitous and are the underpinning of digital transformation initiatives, cloud journeys, and open banking rollouts across the globe. To continually assess the state of API security, we rely on interviews and surveys of technology professionals as well as the fine work of notable security researchers that battle test APIs to look for potential vulnerabilities. Together, these data sources inform our opinions about API security and help organizations with recommendations to improve their API security efforts.

Cequence recently commissioned a formative survey on API security that garnered responses from 100 technology leaders. The survey delved into the methods their organizations use to bolster API security as well as their adoption and use of API specifications. Some key results from the Cequence survey follow, along with this analyst’s perspective compared with our other research on API security.

Survey Data Point 1

Just over half (51 of 100) of the tech leaders rated their organization’s adoption of API security best practices as a focused effort, defined in the survey as having implemented API testing and enforcement for some APIs or teams, but not all.

Analyst Perspective – This result tracks with other recent research and underscores that a growing number of tech professionals have now acknowledged the importance of API security, the need to implement controls and oversight, and a commitment to reduce risk to their organizations.

Survey Data Point 2

When asked what tools are used to assess the security of APIs, 31 respondents (31%) indicated that no tools are being used. Other responses included dynamic testing (DAST) at 45%, static testing (SAST) at 34%, runtime application security testing (RAST) at 21%, runtime API security assessment at 18%, and runtime API security specification enforcement at 6%.

Analyst Perspective – In Aite Group’s August 2020 research report “API Security: Best Practices for FIs and Fintech and Insurtech Companies” we noted that only 2 of 31 companies we interviewed were doing specific API security testing. The results of Cequence’s survey point to a growing focus on API security testing but clearly demonstrate that more should be performed.

Survey Data Point 3

The survey asked whether the respondent’s company had API specifications for internally developed APIs. Only 24% indicated that specs are required for all APIs, and 54% indicated that some, but not all, of their organization’s APIs have documented specs. Of particular interest is that 13% of respondents reported that API spec development is just starting and 9% reported that they do not have any API specs at all.

Analyst Perspective – As we’ve previously noted, we consider API specs to be a fundamental component of API security. Specs define how the API functions and its relationship to data sources and other APIs. Specification development can help uncover potential authentication and authorization shortfalls. Spec development can also lead to a threat modeling exercise with security professionals to determine “…so, what’s the worst that can happen?” Based on the survey responses, this area appears to be a great candidate for improvement.
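To make the point above concrete, here is an added example (not part of the original post, and not Cequence’s or Aite’s tooling) of the kind of check a spec makes possible: it walks an OpenAPI 3 document and flags every operation whose effective security requirement is empty, optional, or references a security scheme the spec never defines. The sample spec embedded in the script is constructed for illustration, with deliberate gaps, and `audit_spec`, `effective_security`, and the severity labels are this example’s own choices, not an OpenAPI rule.

```python
"""Audit an OpenAPI 3 document for authentication gaps (added example).

OpenAPI semantics used here:
  - a top-level "security" list applies to every operation by default;
  - an operation-level "security" list overrides it entirely;
  - an explicit empty list ("security": []) means "no authentication";
  - an empty object ({}) inside the list makes authentication optional.
"""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample spec (not a real API). Gaps are intentional:
#   - DELETE /accounts/{id} opts out of the global bearer requirement
#   - GET /public/health is unauthenticated (plausibly fine, still worth listing)
#   - POST /transfers references "apiKey", which is never defined
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "bearerAuth": {"type": "http", "scheme": "bearer"},
        }
    },
    "security": [{"bearerAuth": []}],
    "paths": {
        "/accounts/{id}": {
            "get": {"operationId": "getAccount"},
            "delete": {"operationId": "deleteAccount", "security": []},
        },
        "/public/health": {
            "get": {"operationId": "health", "security": []},
        },
        "/transfers": {
            "post": {"operationId": "createTransfer", "security": [{"apiKey": []}]},
        },
    },
}


def effective_security(spec, operation):
    """Return the security requirement list that actually governs an operation."""
    if "security" in operation:          # operation-level override, even if empty
        return operation["security"]
    return spec.get("security", [])      # fall back to the global default


def audit_spec(spec):
    """Return (severity, operationId, message) tuples for every auth gap found."""
    defined_schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, path_item in spec.get("paths", {}).items():
        for method, op in path_item.items():
            if method not in HTTP_METHODS:   # skip "parameters", "summary", etc.
                continue
            op_id = op.get("operationId", f"{method.upper()} {path}")
            requirements = effective_security(spec, op)

            if not requirements:
                # Unauthenticated writes are the ones most likely to be a mistake.
                severity = "high" if method != "get" else "medium"
                findings.append((severity, op_id, "no authentication requirement"))
                continue

            if any(req == {} for req in requirements):
                findings.append(("medium", op_id, "authentication is optional"))

            for req in requirements:
                for scheme_name in req:
                    if scheme_name not in defined_schemes:
                        findings.append(
                            ("high", op_id, f"undefined security scheme '{scheme_name}'")
                        )
    return findings


if __name__ == "__main__":
    for severity, op_id, message in audit_spec(SAMPLE_SPEC):
        print(f"[{severity}] {op_id}: {message}")
```

Run against a real spec by loading it with a YAML or JSON parser in place of `SAMPLE_SPEC`; the findings are the starting list for the "what’s the worst that can happen?" conversation, since each one names a concrete operation and the specific way its authentication story is incomplete.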

Survey Data Point 4

API visibility continues to be a key indicator of API security maturity. The survey asked the tech leaders how many APIs are in use across their organizations and what methods are used to substantiate their counts. Results were:

Number of APIs:

1 – 20: 38%
21 – 50: 22%
51 – 100: 20%
101 – 500: 14%
Over 500: 6%

Counting Method Responses:

We don’t maintain an inventory – it’s my gut estimate: 20%
We manually maintain an inventory of all our APIs: 64%
We use an automated tool to track an inventory of our APIs: 16%

Analyst Perspective – These numbers do not correlate with our previous research on API visibility and appear to be extremely low. Admittedly, the Cequence survey included organizations from other verticals than financial services, but we know API use is growing rapidly across all industries. The results are either an anomaly or point to a continued lack of API visibility – and increased risk of vulnerabilities or breaches due to poor oversight. With only 16% of tech leaders reporting that automated tracking tools are used, this is another area for improvement.

I would encourage anyone interested in API security to review the full details of the Cequence survey as it provides excellent insight into the current state of API security practices at 100 organizations.

And a reminder that I’ll be presenting additional API security research and recommendations along with Cequence’s Co-founder and CTO Shreyans Mehta in the webinar “Shielding Right to Strengthen Shift Left: Here’s How” on October 6.

Joseph has been a cybersecurity analyst since 2019. He’s worked in information security for more than 45 years. His previous roles include operations officer for the U.S. intelligence community, a CISO at large publicly traded companies, and a cybersecurity strategy consultant for Accenture and PwC. He has worked in 115 countries, and he’s keenly interested in disruptive and emerging cybersecurity technologies.

Author

Joseph Krull

CISSP, IAM, CISA, CRISC, CIPP, Senior Cybersecurity Analyst at Aite-Novarica Group
