APIs are the most widely used, yet also widely misunderstood parts of the modern internet. So what are we missing in our understanding of APIs?
Our modern Internet landscape relies heavily on APIs to connect all the different applications and interfaces we use in our daily lives. Modern applications that use APIs to communicate are phasing out legacy app structures, and will outnumber them by 85% by the end of the decade.
Therefore, our use and dependence on APIs is only set to rise.
And already, we are seeing a high rate of API attacks that are growing in both volume and complexity as of 2024. To learn more about these attacks and the patterns they follow, read our State of API Security 2024 report.
One of the biggest challenges in API security is that APIs are commonly misunderstood. Because they are fairly new, many still do not understand how they work, and some developers do not even know the full number of APIs in their landscape.
But where do APIs live? And how do they interact? What languages do they use?
A recent study from F5 attempts to answer these questions and more. F5 surveyed a variety of companies across industries about their API use and API security. The majority of companies reported having a large number of APIs, depending on the industry and revenue.
The average company with a yearly revenue over $1B reports using around 1,000 apps and at least 1,400 APIs. And 41% of companies today report managing at least as many APIs as they do applications.
“On average, deployed APIs significantly outnumber apps, and the ratio of APIs to apps tends to increase with company size.”
Of the companies that use APIs, 95% also employ API gateways as a security measure. However, gateways alone are not enough for a strong API security posture. But let’s backtrack a bit.
“Most APIs today are hosted in a public cloud.”
APIs live in the cloud, and the majority of them are public-facing, up to 51%. However, there are private API endpoints that certain companies use, which come with their own unique sets of risks. We go into more detail about these in this blog post.
APIs exchange data using a variety of formats and query languages.
The majority (52%) exchange data using JSON, although the long-lived XML format is still a force, with 27% of APIs relying on it. The GraphQL language, now used by 13% of APIs, is also gaining ground.
A large number of API users do not fully understand the way APIs connect applications and platforms. But understanding the language and logging all interactions between endpoints is key to staying on top of your API security posture. As others have said: documentation is king.
You would think the responsibility of API security would automatically fall to security teams. And you’re right to assume so.
A solid 53% of organizations do believe it is their responsibility.
However, nearly one-third of respondents spread API security across different job functions, treating it as a group effort whose ownership depends on the API and what it is used for. This approach can lead to API security falling through the cracks in many organizations.
Two-thirds of organizations leave operational workflow APIs unsecured.
Secure by Design is a good philosophy to employ, and up to 80% of organizations are attempting to begin their API security during the design phase.
Zero Trust is another philosophy that can be very helpful in API security; however, it seems that organizations are neglecting to apply Zero Trust across the board when it comes to their API landscapes.
“Adapting to a security model that must consider both inbound and outbound API traffic will be a challenge for many organizations.”
SSL/TLS provides a basic level of transport encryption for these APIs, but adoption is still low and many of them are left exposed.
There are many challenges that come with API security, including lack of visibility and understanding starting at the discovery stage. A large part of this problem stems from oversaturation of APIs in the landscape.
“The average organization manages 421 different APIs spread across infrastructure environments, applications and architectures.”
This brings back questions about logging problems that we’ve discussed before, such as the wide variation in the availability, format and usefulness of various API logs.
The problem is, even one simple transaction can use dozens of APIs. Take the example of ordering takeout. Even one simple food delivery order becomes a lot less simple when you start dissecting each individual API call required.
API use is only rising, which makes it increasingly difficult to keep all of them secure.
“The difficulty will only grow as the API estates of most organizations expand by an expected 10% or more over the next two to three years.”
This will only lead to more breaches and incidents in the not-so-far future.
API security platforms can help developers and teams keep their APIs secure.
When it comes to these platforms, the number one thing people look for is programmability.
In an age where security is so complex and falls on so many heads, the ideal solution simplifies and automates the process as much as possible.
API security is a major issue for companies in all kinds of industries in today’s cyber landscape. It is also a lucrative problem for attackers, as most APIs live in the cloud and API security is still a widely misunderstood concept.
Many people disagree on whose responsibility it should be, or how APIs should be secured. And many more do not even know all the APIs that live in their landscape, or whether their endpoints are secure.
To learn more about API security or see how FireTail can help with your API security, schedule a demo here or try it out for free yourself, today.