Akamai’s latest study finds organizations are not prepared for API-based attacks as most report scant controls.

Fewer than a third of companies use API-specific controls as part of their cloud application security regime, according to a study by cloud security service provider Akamai. For the study, Akamai partnered with SANS Institute to survey 231 respondents actively involved in the application security domain in global organizations. Survey participants mostly noted phishing and missing patches as the top API security concerns.

Significant lag in API security controls

Just under half (49.7%) of the respondents said that their organization has been using API security testing, with only 5.6% using it for more than 10 years. Even fewer (29%) of them use API discovery, with 3.9% using it for more than 10 years.

“These findings indicate the necessity of defense in depth when it comes to API Security, which can be achieved by layering protections across the API estate,” said Rupesh Chokshi, general manager of application security at Akamai.

While API security testing allows for the secure development of APIs, discovery tools help organizations maintain a running inventory of where their APIs are deployed. The study also revealed that only 29% of the organizations use API security controls that are included in DDoS and load balancing services.

Phishing and missing patches identified as greatest risks

Survey respondents ranked phishing and missing patches as the top two API security risks. While 38% saw phishing to obtain reusable credentials as their top API security risk, exploitation of missing patches was considered a prime threat by 24%.

“API infrastructure concerns, like missing patches, become API security concerns because the API is left more vulnerable. Phishing is a broader security concern that can also occur in the realm of APIs,” Chokshi said.
Other respondents feared different threats, including exploitation of vulnerable APIs (12%), misconfiguration of servers (12%), and accidental disclosure of sensitive data by users (9%).

Risk mitigation

Sixty-two percent of respondents are using web application firewalls as part of API risk mitigation. Amongst these firewalls, the leading products used are Acunetix, Akamai, AWS Shield, Azure WAF, Checkpoint, Cisco, Cloudflare, and ModSecurity.

More than three quarters (76%) of the organizations train development staff on application security, with most citing the Open Web Application Security Project (OWASP) Application Security and API Top Ten lists, and the MITRE ATT&CK Framework as the basis for defining application and API risk.