By Shay Levi, CTO and co-founder of Noname Security
Today, nearly all businesses in every industry rely on application programming interfaces (APIs) to connect services, transfer data, and control critical systems. A recent 451 Research report highlighted the growing prevalence of APIs, finding that, on average, enterprise organizations have nearly 15,564 APIs in use.
Cognizant of the growing cyber-threat landscape and the risks to APIs, Noname Security recently released the findings of our “The API Security Disconnect–API Security Trends in 2022” report, which surveyed 600 US and UK CISOs and senior cybersecurity professionals from enterprise organizations in six key vertical market sectors: financial services, retail and eCommerce, healthcare, government and public sector, manufacturing, and energy and utilities.
Of the six industry sectors surveyed, manufacturing (79%) reported the highest percentage of API security incidents, while 76% of total respondents have experienced an API security incident in the last 12 months.
Today’s critical-infrastructure sectors are being shaped by accelerated digital transformation, large-scale economic forces, disrupted supply chains, and the additional after-effects of the COVID-19 pandemic. APIs make digital visions a reality by enabling manufacturers to adopt newer technologies and move away from the heavy lifting of manual tasks with automation. Yet, while digital, connected, and smart systems are on the rise, out of the six industries surveyed, manufacturing respondents (30%) found it the most difficult to scale and implement API security solutions.
Additionally, despite the growing prevalence of APIs in manufacturing, three-quarters (74%) of survey respondents don’t have a complete API inventory or don’t know which APIs return sensitive data. This results in what are known as ‘dormant’ or ‘zombie’ APIs, which remain a top API vulnerability for the retail/eCommerce sector (22%), closely followed by manufacturing (21%).
All sectors unanimously agreed that their API security-platform provider helped them to maintain regulatory compliance. Still, manufacturing organizations found it most challenging to scale API security solutions, with just 30% saying they found it easy. Furthermore, manufacturing (20%) and energy & utilities (21%) were most likely to conduct API-security testing less frequently than once per month. Cybersecurity attacks can be detrimental not only to a manufacturer but to the supply chain as a whole. You know this. Large plants need to be always on; halting production or downtime costs money, and they often choose to avoid tampering with legacy systems.
With digital-transformation initiatives accelerating in manufacturing, dependency on APIs will only grow. Therefore, manufacturers must focus on API security to set the industry on the right path for the next decade. However, you can’t fix what you can’t see. Companies will need to gain a full scope of their API inventory—all of them.
A comprehensive inventory shifts security choices from guesses to data-backed decisions. To help organizations tackle API inventories, the OWASP Foundation, an international software security charity, has an API Security Top 10 list of the most important API security issues that, if addressed, could have prevented leading cybersecurity breaches such as the recent Optus data breach.