Monthly Archives: September 2023

State of API Security: 2023 Global Findings

The purpose of this research is to understand organizations’ awareness and approach to reducing application programming interface (API) security risks. Ponemon Institute surveyed 1,629 IT and IT security practitioners in the United States (691) and the United Kingdom and EMEA (938) who are knowledgeable about their organizations’ approach to API security. “The Growing API Security Crisis: A Global Study” is sponsored by Traceable.


I (Larry Ponemon) and Richard Bird, the Chief Security Officer of Traceable, will present and explain these findings at a webinar Sept. 27 at 9 a.m. You can register for it at this website.

For more details on the study, you can also visit Traceable’s microsite, with additional charts, graphs, and key findings.


An API is a set of defined rules that enables different applications to communicate with each other. Organizations are increasingly using APIs to connect services and to transfer data, including sensitive medical, financial and personal data.

According to 57 percent of respondents, APIs are highly important to their organizations’ digital transformation programs. However, APIs with vulnerabilities put organizations at risk of a significant security breach. Sixty percent of respondents say their organizations have had at least one data breach caused by an API exploitation. Many of these breaches resulted in the theft of IP and financial loss.

A key takeaway from the research is that while the potential exists for a major security incident due to API vulnerabilities, many organizations are not making API security a priority. Respondents were asked to rate how much of a priority it is to have a security risk profile for every API, and to be able to identify API endpoints that handle sensitive data without appropriate authentication, on a scale from 1 = not a priority to 10 = a very high priority.

According to our research, slightly more than half of respondents (52 percent) say it is a priority to understand those APIs that are most vulnerable to attacks or abuse based on a security risk profile. Fifty-four percent say the identification of API endpoints that handle sensitive data without appropriate authentication is a high priority.

The average IT security budget for organizations represented in this research is $35 million, and an average of $4.2 million is allocated to API security activities. In 35 percent of organizations, the IT and IT security functions are most responsible for the API security budget.

The following findings are evidence that the API security crisis is growing:

  • Organizations are losing the battle to secure APIs. One reason is that organizations do not know the extent of the risk. Specifically, on average only 40 percent of APIs are continually tested for vulnerabilities. As a result, organizations are only confident in preventing an average of 26 percent of attacks, and an average of only 21 percent of API attacks can be effectively detected and contained.
  • APIs expand the attack surface across all layers of the technology stack. Fifty-eight percent of respondents say APIs are a growing security risk because they expand the attack surface across all layers of the technology stack and are now considered organizations’ largest attack surface.
  • The increasing volume of APIs makes it difficult to prevent attacks. Fifty-seven percent of respondents say traditional security solutions are not effective in distinguishing legitimate from fraudulent activity at the API layer. Further, the increasing number and complexity of APIs make it difficult to track how many APIs exist, where they are located and what they are doing (56 percent of respondents).
  • Organizations struggle to discover and inventory all their APIs. Fifty-three percent of respondents say their organizations have a solution to discover, inventory and track APIs. These respondents say on average their organizations have an inventory of 1,099 APIs. Fifty-four percent of respondents say it is highly difficult to discover and inventory all APIs. The challenge is many APIs are being created and updated so organizations can quickly lose control of the numerous types of APIs used and provided.
  • Solutions are needed to reduce third-party risks and detect and stop data exfiltration events happening through APIs. An average of 127 third parties are connected to organizations’ APIs and only 33 percent of respondents say they are effective in reducing the risks caused by these third parties’ access to their APIs. Only 35 percent of respondents say they are effective in identifying and reducing risks posed by APIs outside their organizations and 40 percent say they are effective in identifying and reducing risks within their organizations. One reason is that most organizations do not know how much data is being transmitted through the APIs and need a solution that can detect and stop data exfiltration events happening through APIs. 
  • To stop the growing API security crisis, organizations need visibility into the API ecosystem and must ensure consistency in API design and functionality. Only 35 percent of respondents have excellent visibility into the API ecosystem, only 44 percent of respondents are very confident in being able to detect attacks at the API layer and 44 percent of respondents say their organizations are very effective in achieving consistency in API design and functionality. Because APIs expand the attack surface across all vectors, it is possible to simply exploit an API and obtain access to sensitive data without having to exploit the other solutions in the security stack. Before APIs, hackers would have to learn how to attack each layer they were trying to get through, learning different attacks for different technologies at each layer of the stack.
  • Inconsistency in API design and functionality increases the complexity of the API ecosystem. As part of API governance, organizations should define standards for how APIs should be designed, developed and displayed as well as establishing guidelines for how they should be used and maintained over time.  
  • Organizations are not satisfied with the solutions used to achieve API security. As shown in the research, most organizations are unable to prevent and detect attacks against APIs. It’s no surprise, therefore, that only 43 percent of respondents say their organizations’ solutions are highly effective in securing their APIs. The primary solution used is encryption and signatures (60 percent of respondents), followed by 51 percent of respondents who say they identify vulnerabilities and 51 percent of respondents who say they use basic authentication. Solutions considered effective but not frequently used are API lifecycle management tools (41 percent), tokens (32 percent) and quotas and throttling (20 percent).  
  • Despite the growing API security crisis, threats to APIs are underestimated by management. Almost one-third of respondents say API security is only somewhat of a priority (17 percent) or not a priority (14 percent). The reasons for not making it a priority are management’s underestimation of the risk to APIs (49 percent), other security risks being considered more of a threat (42 percent) and the difficulty in understanding how to reduce the threats to APIs (37 percent).

Part 2. Key findings

In this section, we provide an analysis of the global findings. The complete findings are presented on this website. The report is organized according to the following topics.

  • Understanding the growing API security crisis
  • Challenges to securing the unmanageable API sprawl
  • API security practices and the state of API security practices
  • API budget and governance

Understanding the growing API security risk

Organizations have had multiple data breaches caused by an API exploitation in the past two years. Two well-publicized API security breaches include the Cambridge Analytica breach, caused by a Facebook API loophole that exposed the personal information of more than 50 million individuals, and an unsecured Venmo public API endpoint that allowed a student to scrape 200 million users’ financial transactions.

Sixty percent of respondents say their organizations had a data breach caused by an API exploitation, and 23 percent of these respondents say their organizations had six or more exploits in the past two years. The top three root causes of the API exploits are DDoS (38 percent of respondents), fraud, abuse and misuse (29 percent of respondents) and attacks with known signatures (29 percent of respondents).

Organizations are losing the battle to secure APIs. One reason is that organizations do not know the extent of the risk. Specifically, on average only 40 percent of APIs are continually tested for vulnerabilities. As a result, organizations are only confident in preventing an average of 26 percent of attacks, and an average of only 21 percent of API attacks can be effectively detected and contained.

API exploits can severely impact an organization’s operations. Organizations mainly suffered IP and financial loss (52 percent of respondents). Other serious consequences were brand value erosion (50 percent of respondents) and failures in company operations (37 percent of respondents).

APIs expand the attack surface across all layers of the technology stack. Some 58 percent of respondents say APIs are a security risk because they expand the attack surface across all layers of the technology stack and are now considered organizations’ largest attack surface. Fifty-seven percent of respondents say traditional security solutions are not effective in distinguishing legitimate from fraudulent activity at the API layer. The increasing number and complexity of APIs make it difficult to track how many APIs exist, where they are located and what they are doing. As a result, 56 percent of respondents say the volume of APIs makes it difficult to prevent attacks.

Challenges to securing the unmanageable API sprawl

Open and public APIs are most often used and/or provided by organizations. Thirty-two percent of respondents say their organizations use/provide open APIs, and 31 percent of respondents say their organizations use/provide public APIs.

Organizations struggle to discover and inventory all their APIs. Fifty-three percent of respondents say their organizations have a solution to discover, inventory and track APIs. These respondents say on average their organizations have an inventory of 1,099 APIs.

Fifty-four percent of respondents say it is highly difficult to discover and inventory all APIs. The challenge is many APIs are being created and updated so organizations can quickly lose control of the numerous types of APIs used and provided.

An average of 127 third parties are connected to organizations’ APIs, and only 33 percent of respondents say they are effective in reducing the risks caused by these third parties’ access to their APIs. Only 35 percent of respondents say they are effective in identifying and reducing risks posed by APIs outside their organizations, and only 40 percent say the same for APIs within their organizations. One reason is that most organizations do not know how much data is being transmitted through the APIs and need a solution that can detect and stop data exfiltration events happening through APIs.

To stop the growing API security crisis, organizations need visibility into the API ecosystem and must ensure consistency in API design and functionality. However, only 35 percent of respondents have excellent visibility into the API ecosystem, only 44 percent of respondents are very confident in being able to detect attacks at the API layer and 44 percent of respondents say their organizations are achieving consistency in API design and functionality.

Because APIs expand the attack surface across all vectors, it is possible to simply exploit an API and obtain access to sensitive data without having to exploit the other solutions in the security stack. Before APIs, hackers would have to learn how to attack each layer they were trying to get through, learning different attacks for different technologies at each layer of the stack.

Inconsistency in API design and functionality increases the complexity of the API ecosystem. As part of API governance, organizations should define standards for how APIs should be designed, developed and displayed as well as establishing guidelines for how they should be used and maintained over time.

To download and read the rest of this report, visit Traceable’s website.

Forced into fraud: Scam call centers staffed by human trafficking victims

Bob Sullivan

Who’s on the other end of the line when you get a scam phone call? Often, it’s a victim of human trafficking whose safety — and perhaps their life — depends on their ability to successfully steal your money. A recent UN report suggests there are hundreds of thousands of trafficking victims forced to work in sweatshops in Southeast Asia devoted to one thing: Stealing money. If they don’t, they go hungry, or they are beaten … or worse.

In other words, there are often victims on both ends of scam phone calls.

Americans report they are inundated with scam phone calls, emails and text messages, and FBI data shows losses are skyrocketing. Crypto scams alone increased more than 125% last year, with $3.3 billion in reported losses. These numbers are so large that they are meaningless to most; and you’ve probably heard before that this or that crime is skyrocketing, so perhaps that alarmist-sounding statement doesn’t penetrate. But let me say this: I spend all week talking to victims of scams and law enforcement officials about tech-based crimes, and by any measure I can observe, there is a very concerning spike in organized online crime.

A recent report published by the United Nations helps explain why — for some “criminals,” stealing money from you is a matter of life and death.

The recent surge of activity dates to the pandemic, the report says. Public health measures forced the abrupt closing of casinos in places like Cambodia, which sent operators — including some controlled by criminal networks — looking for alternative revenue streams.  The toxic combination of out-of-work casino employees and a new tool that made international theft easy — cryptocurrency — led to an explosion in “scam centers” devoted to romance crimes, fake crypto investment schemes, and so on.

The scam centers have an endless need for “workers.” Many are lured from other Asian nations by help-wanted ads with promises of big salaries and work visas. Instead, new arrivals are often faced with violence, their passports taken, their families left wondering what happened — or, called with ransom demands.

There have been plenty of horror stories with anecdotes about forced scam center labor. Here’s one account from a Malaysian man who went to Thailand for what he thought was a legitimate job.

  • “Ah Hong soon found out that he was to carry out online scams for a call center that targeted people living in the United States and Europe. Everyone working there was given a target and those who failed to achieve it would be punished. “Punishment included being forced to run in the hot sun for two hours, beaten by sticks or asked to carry heavy bricks for long hours. “If we made a mistake, we were tasered,” he said. Ah Hong added that he was once punished by having to move bricks from 7 a.m. to 5 p.m., besides being beaten multiple times. A typical working day, he said, would begin at midnight and end at 5 p.m.

He was only released when his family paid his ransom.

The recent United Nations report attempted to estimate how many Ah Hongs there are.  The report’s conclusion is terrifying.

  • The number of people who have fallen victim to online scam trafficking in Southeast Asia is difficult to estimate because of its clandestine nature and gaps in the official response. Credible sources indicate that at least 120,000 people across Myanmar may be held in situations where they are forced to carry out online scams, while credible estimates in Cambodia have similarly indicated at least 100,000 people forcibly involved in online scams.

We only know what happens to these trafficking victims from the stories of those, like Hong, who have escaped.  The UN report details more horrors about conditions in these scam centers.

  • Reports have also been received of people being chained to their desk. Many victims report that their passports were confiscated, often along with their mobile phones or they were otherwise prohibited from contacting friends or family, a situation that UN human rights experts have described as ‘detention incommunicado’.
  • In addition, there is reportedly inadequate access to medical treatment with some disturbing cases of victims who have died as a result of mistreatment and lack of medical care. Reports commonly describe people being subjected to torture, cruel and degrading treatment and punishments including the threat or use of violence (as well as being made to witness violence against others) most commonly beatings, humiliation, electrocution and solitary confinement, especially if they resist orders or disobey compound rules or if they do not meet expected scamming targets. Reports have also been received of sexual violence, including gang rape as well as trafficking into the sex sector, most usually as punishment, for example for failing to meet their targets.

When I hear stories from the victim’s point of view, I am often amazed at how relentless the criminals can be. Some spend months, even years, grooming victims with faux attention and love.  Understanding how high the stakes are for the people on the other end of the phone helps explain why they can be so determined.

From a self-preservation point of view, I think it’s crucial we understand just why scam criminal activity is thriving right now.  But from a human rights point of view, it’s critical we call out this hideous behavior and work to stop it. The UN paper blames several factors, but one that caught my eye is the existence of Special Enterprise Zones — SEZs — designed to help support new industries. Ideally, SEZs encourage entrepreneurship by cutting red tape. But in some cases, they have become synonymous with “opaque regulation and the proliferation of multiple illicit economies, including human trafficking, illegal wildlife trade, and drug production,” the report says.

It’s also interesting to think about the implications for trafficking victims. Even after they are released or they manage to escape, many face challenges back home for being involved in criminal operations. The UN report stresses that scam center victims — like other human trafficking victims — are not legally responsible for crimes they were forced to commit against their will.  They should not face prosecution; doing so only prevents more victims from coming forward.

“People who are coerced into working in these scamming operations endure inhumane treatment while being forced to carry out crimes. They are victims. They are not criminals,” said UN High Commissioner for Human Rights Volker Türk. “In continuing to call for justice for those who have been defrauded through online criminality, we must not forget that this complex phenomenon has two sets of victims.”

The report also makes clear who likely victims are:

  • Most people trafficked into the online scam operations are men, although women and adolescents are also among the victims… Most are not citizens of the countries in which the trafficking occurs. Many of the victims are well-educated, sometimes coming from professional jobs or with graduate or even post-graduate degrees, computer-literate and multilingual. Victims come from across the ASEAN region (from Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam), as well as mainland China, Hong Kong and Taiwan, South Asia, and even further afield from Africa and Latin America.

Every thoughtful adult should read the UN report, and make sure your friends and family understand why the stakes in the scam world have become so high.