The study also revealed that only 29% of organizations use the API security controls that come bundled with their DDoS-protection and load-balancing services.
Phishing and missing patches identified as greatest risks
Survey respondents ranked phishing and missing patches as the top two API security risks. While 38% saw phishing to obtain reusable credentials as their top API security risk, exploitation of missing patches was considered a prime threat by 24%.
“API infrastructure concerns, like missing patches, become API security concerns because the API is left more vulnerable. Phishing is a broader security concern that can also occur in the realm of APIs,” Chokshi said.
Other respondents feared different threats, including exploitation of vulnerable APIs (12%), misconfiguration of servers (12%), and accidental disclosure of sensitive data by users (9%).
Risk mitigation
Sixty-two percent of respondents use web application firewalls (WAFs) as part of API risk mitigation. The products named most often were Acunetix, Akamai, AWS Shield, Azure WAF, Check Point, Cisco, Cloudflare, and ModSecurity. Not all of these are WAFs in the strict sense: Acunetix is a web vulnerability scanner and AWS Shield is AWS's DDoS-protection service (AWS WAF is the firewall product), so the list reflects the tooling respondents associate with WAF deployments rather than WAFs alone.
More than three quarters (76%) of organizations train development staff on application security, with most citing the Open Web Application Security Project (OWASP) Top 10 and API Security Top 10 lists, along with the MITRE ATT&CK framework, as the basis for defining application and API risk.