API security incidents are rising

85% of UK respondents have suffered an API security incident in the last 12 months compared to an overall average of 78%.

  • Friday, 29th September 2023 Posted 1 year ago in by Phil Alsop

Noname Security has published the findings from its annual API security report, “The API Security Disconnect 2023”. Twelve months on from the inaugural study, the report reveals that the number of API security incidents is rising, and as a result API security is more of a priority now than it was 12 months ago.

However, at odds with this is the level of confidence to tackle these incidents. In 2022 61% said they were confident in their DAST and SAST tools for API testing, but despite more security incidents taking place in the interim, in 2023 94% say they are confident that their current application testing tools are capable of testing APIs for vulnerabilities.

The report surveyed both UK and USA respondents and found that 84% of UK businesses said that API security is more of a priority now than it was 12 months ago, compared to 78% of USA respondents. However, 85% of UK respondents have suffered an API security incident in the last 12 months, a 10.6% year-on-year increase and higher than the average of 78%.

Other key UK findings include:

51% of UK respondents cited fees incurred to help fix the issues as the biggest impact of an API security incident.

50% cited loss of customer goodwill and churned accounts, similarly 49% said loss of productivity was the biggest impact.

52% of UK respondents now view API security as a necessary requirement for their business.

47% say it is a business enabler.

54% of UK respondents say their developers are spending between 26% and 50% of their time on refactoring and remediation.

The survey examined the most common attack vectors experienced by UK respondents, and they cited Network Firewalls (24%), Web Application Firewalls (23%), and API Gateways (17%). This is a change from last year, when Dormant or Zombie APIs and Authorisation Vulnerabilities were at the top of the list (both 19%).

Overall, the visibility of API inventories has improved compared to 2022. In this year’s report, 70% of UK respondents said they had a full inventory of their APIs, compared to 66% in 2022. However, this year the numbers dropped slightly for those who have a full inventory but don’t know which return sensitive data - to 34% in the UK in comparison to 38% last year.

Amidst a growing number of API security incidents, Noname Security’s research revealed an increase in real-time API security testing. The number of UK respondents testing in real-time increased slightly from 14% in 2022 to 17% in 2023, whereas 53% of UK respondents tested in real-time or once a day.

Shay Levi, Noname Security CTO and co-founder, comments on the findings: “The continuing increase in reported API security incidents over the last two years demonstrates that this is not a fleeting trend but a pressing reality that organisations must deal with and prioritise. APIs are indispensable in today’s modern environment, but everyone is worried about ransomware, phishing attacks, and data breaches. This research validates why security leaders must continue to prioritise API security.”