State of API Security: 2023 Global Findings

The purpose of this research is to understand organizations’ awareness and approach to reducing application programming interface (API) security risks. Ponemon Institute surveyed 1,629 IT and IT security practitioners in the United States (691) and the United Kingdom and EMEA (938) who are knowledgeable about their organizations’ approach to API security. “The Growing API Security Crisis: A Global Study” is sponsored by Traceable.


I, Larry Ponemon, and Richard Bird, the Chief Security Officer of Traceable, will present and explain these findings at a webinar Sept. 27 at 9 a.m. You can register for it at this website.

For more details on the study, you can also visit Traceable’s microsite, with additional charts, graphs and key findings.


An API is a set of defined rules that enables different applications to communicate with each other. Organizations are increasingly using APIs to connect services and to transfer data, including sensitive medical, financial and personal data.

According to 57 percent of respondents, APIs are highly important to their organizations’ digital transformation programs. However, APIs with vulnerabilities put organizations at risk of a significant security breach. Sixty percent of respondents say their organizations have had at least one data breach caused by an API exploitation. Many of these breaches resulted in the theft of IP and financial loss.

A key takeaway from the research is that while the potential exists for a major security incident due to API vulnerabilities, many organizations are not making API security a priority. Respondents were asked to rate, on a scale from 1 = not a priority to 10 = a very high priority, how much of a priority it is to have a security risk profile for every API and to be able to identify API endpoints that handle sensitive data without appropriate authentication.

According to our research, slightly more than half of respondents (52 percent) say it is a priority to understand those APIs that are most vulnerable to attacks or abuse based on a security risk profile. Fifty-four percent say the identification of API endpoints that handle sensitive data without appropriate authentication is a high priority.
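As an added illustration of the two checks just described (not code from the report or from Traceable), the following Python builds a per-endpoint risk profile from an OpenAPI-like document constructed inline and flags operations that handle sensitive fields without any security scheme. The sensitive field names and the flattened request/response field lists are assumptions; only the "security" semantics (global list, per-operation override, empty list disables authentication) follow OpenAPI.

```python
"""Per-endpoint API risk profile: flag operations that handle sensitive data
without authentication. Added illustration, not code from the Ponemon report
or Traceable; request/response fields are flattened into plain lists."""
from dataclasses import dataclass

# Assumed set of field names treated as sensitive (medical, financial, personal).
SENSITIVE_FIELDS = {"ssn", "card_number", "iban", "diagnosis", "password", "date_of_birth"}

# Constructed sample document, not any real organization's API.
SAMPLE_SPEC = {
    "security": [{"bearerAuth": []}],  # global default: bearer token required
    "paths": {
        "/patients/{id}": {"get": {"security": [], "response_fields": ["name", "diagnosis"]}},
        "/payments": {"post": {"request_fields": ["card_number", "amount"]}},
        "/health": {"get": {"security": [], "response_fields": ["status"]}},
    },
}


@dataclass(frozen=True)
class EndpointRisk:
    method: str
    path: str
    sensitive: frozenset  # sensitive fields the operation sends or receives
    authenticated: bool   # True if at least one security scheme applies

    @property
    def score(self) -> int:
        """0 = nothing sensitive and authenticated; 3 = sensitive data with no auth."""
        return (2 if self.sensitive else 0) + (0 if self.authenticated else 1)


def assess(spec: dict) -> list[EndpointRisk]:
    """Build a risk profile for every operation, highest risk first."""
    global_security = spec.get("security", [])
    profile = []
    for path, operations in spec["paths"].items():
        for method, op in operations.items():
            # A per-operation "security" overrides the global list; [] means unauthenticated.
            security = op.get("security", global_security)
            fields = set(op.get("request_fields", [])) | set(op.get("response_fields", []))
            profile.append(EndpointRisk(method.upper(), path,
                                        frozenset(fields & SENSITIVE_FIELDS), bool(security)))
    return sorted(profile, key=lambda r: r.score, reverse=True)


def unauthenticated_sensitive(spec: dict) -> list[tuple[str, str]]:
    """Endpoints that handle sensitive data without appropriate authentication."""
    return [(r.method, r.path) for r in assess(spec) if r.score == 3]
```

Calling `assess(SAMPLE_SPEC)` returns the full profile; `unauthenticated_sensitive(SAMPLE_SPEC)` returns only the operations that score highest.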

The average IT security budget for organizations represented in this research is $35 million and an average of $4.2 million is allocated to API security activities. Thirty-five percent of IT and IT security functions are most responsible for the API security budget.

The following findings are evidence that the API security crisis is growing.

  • Organizations are losing the battle to secure APIs. One reason is that organizations do not know the extent of the risk. Specifically, on average only 40 percent of APIs are continually tested for vulnerabilities. As a result, organizations are only confident in preventing an average of 26 percent of attacks, and an average of only 21 percent of API attacks can be effectively detected and contained.
  • APIs expand the attack surface across all layers of the technology stack. Fifty-eight percent of respondents say APIs are a growing security risk because they expand the attack surface across all layers of the technology stack and are now considered organizations’ largest attack surface.
  • The increasing volume of APIs makes it difficult to prevent attacks. Fifty-seven percent of respondents say traditional security solutions are not effective in distinguishing legitimate from fraudulent activity at the API layer. Further, the increasing number and complexity of APIs make it difficult to track how many APIs exist, where they are located and what they are doing (56 percent of respondents).
  • Organizations struggle to discover and inventory all their APIs. Fifty-three percent of respondents say their organizations have a solution to discover, inventory and track APIs. These respondents say on average their organizations have an inventory of 1,099 APIs. Fifty-four percent of respondents say it is highly difficult to discover and inventory all APIs. The challenge is that many APIs are being created and updated, so organizations can quickly lose control of the numerous types of APIs used and provided.
  • Solutions are needed to reduce third-party risks and detect and stop data exfiltration events happening through APIs. An average of 127 third parties are connected to organizations’ APIs and only 33 percent of respondents say they are effective in reducing the risks caused by these third parties’ access to their APIs. Only 35 percent of respondents say they are effective in identifying and reducing risks posed by APIs outside their organizations and 40 percent say they are effective in identifying and reducing risks within their organizations. One reason is that most organizations do not know how much data is being transmitted through the APIs and need a solution that can detect and stop data exfiltration events happening through APIs. 
  • To stop the growing API security crisis, organizations need visibility into the API ecosystem and need to ensure consistency in API design and functionality. Only 35 percent of respondents have excellent visibility into the API ecosystem, only 44 percent of respondents are very confident in being able to detect attacks at the API layer and 44 percent of respondents say their organizations are very effective in achieving consistency in API design and functionality. Because APIs expand the attack surface across all vectors, it is possible to simply exploit an API and obtain access to sensitive data without having to exploit the other solutions in the security stack. Before APIs, hackers would have to learn how to attack each layer they were trying to get through, learning different attacks for different technologies at each layer of the stack.
  • Inconsistency in API design and functionality increases the complexity of the API ecosystem. As part of API governance, organizations should define standards for how APIs should be designed, developed and displayed, as well as establish guidelines for how they should be used and maintained over time.
  • Organizations are not satisfied with the solutions used to achieve API security. As shown in the research, most organizations are unable to prevent and detect attacks against APIs. It’s no surprise, therefore, that only 43 percent of respondents say their organizations’ solutions are highly effective in securing their APIs. The primary solution used is encryption and signatures (60 percent of respondents), followed by 51 percent of respondents who say they identify vulnerabilities and 51 percent of respondents who say they use basic authentication. Solutions considered effective but not frequently used are API lifecycle management tools (41 percent), tokens (32 percent) and quotas and throttling (20 percent).
  • Despite the growing API security crisis, threats to APIs are underestimated by management. Almost one-third of respondents say API security is only somewhat of a priority (17 percent) or not a priority (14 percent). The reasons for not making it a priority are management’s underestimation of the risk to APIs (49 percent), other security risks being considered more of a threat (42 percent) and the difficulty in understanding how to reduce the threats to APIs (37 percent).

Part 2. Key findings

In this section, we provide an analysis of the global findings. The complete findings are presented on this website. The report is organized according to the following topics.

  • Understanding the growing API security crisis
  • Challenges to securing the unmanageable API sprawl
  • API security practices and the state of API security practices
  • API budget and governance

Understanding the growing API security risk

Organizations have had multiple data breaches caused by an API exploitation in the past two years. Two well-publicized API security breaches include the Cambridge Analytica breach, caused by a Facebook API loophole that exposed the personal information of more than 50 million individuals, and an unsecured Venmo public API endpoint that allowed a student to scrape 200 million users’ financial transactions.

Sixty percent of respondents say their organizations had a data breach caused by an API exploitation and 23 percent of these respondents say their organizations had between a minimum of 6 and more than 7 exploits in the past two years. The top three root causes of the API exploits are DDoS (38 percent of respondents), fraud, abuse and misuse (29 percent of respondents) and attacks with known signatures (29 percent of respondents).

Organizations are losing the battle to secure APIs. One reason is that organizations do not know the extent of the risk. Specifically, on average only 40 percent of APIs are continually tested for vulnerabilities. As a result, organizations are only confident in preventing an average of 26 percent of attacks, and an average of only 21 percent of API attacks can be effectively detected and contained.

API exploits can severely impact an organization’s operations. Organizations mainly suffered from IP and financial loss (52 percent of respondents). Other serious consequences were brand value erosion (50 percent of respondents) and failures in company operations (37 percent of respondents).

APIs expand the attack surface across all layers of the technology stack. Some 58 percent of respondents say APIs are a security risk because they expand the attack surface across all layers of the technology stack and are now considered organizations’ largest attack surface. Fifty-seven percent of respondents say traditional security solutions are not effective in distinguishing legitimate from fraudulent activity at the API layer. The increasing number and complexity of APIs make it difficult to track how many APIs exist, where they are located and what they are doing. As a result, 56 percent of respondents say the volume of APIs makes it difficult to prevent attacks.

Challenges to securing the unmanageable API sprawl

Open and public APIs are most often used and/or provided by organizations. Thirty-two percent of respondents say their organizations use/provide open APIs and 31 percent of respondents say their organizations use/provide public APIs.

Organizations struggle to discover and inventory all their APIs. Fifty-three percent of respondents say their organizations have a solution to discover, inventory and track APIs. These respondents say on average their organizations have an inventory of 1,099 APIs.

Fifty-four percent of respondents say it is highly difficult to discover and inventory all APIs. The challenge is that many APIs are being created and updated, so organizations can quickly lose control of the numerous types of APIs used and provided.

An average of 127 third parties are connected to organizations’ APIs, and only 33 percent of respondents say they are effective in reducing the risks caused by these third parties’ access to their APIs. Only 35 percent of respondents say they are effective in identifying and reducing risks posed by APIs outside their organizations, and only 40 percent say the same for APIs within their organizations. One reason is that most organizations do not know how much data is being transmitted through the APIs and need a solution that can detect and stop data exfiltration events happening through APIs.

To stop the growing API security crisis, organizations need visibility into the API ecosystem and need to ensure consistency in API design and functionality. However, only 35 percent of respondents have excellent visibility into the API ecosystem, only 44 percent of respondents are very confident in being able to detect attacks at the API layer and 44 percent of respondents say their organizations are achieving consistency in API design and functionality.

Because APIs expand the attack surface across all vectors, it is possible to simply exploit an API and obtain access to sensitive data without having to exploit the other solutions in the security stack. Before APIs, hackers would have to learn how to attack each layer they were trying to get through, learning different attacks for different technologies at each layer of the stack.

Inconsistency in API design and functionality increases the complexity of the API ecosystem. As part of API governance, organizations should define standards for how APIs should be designed, developed and displayed, as well as establish guidelines for how they should be used and maintained over time.

To download and read the rest of this report, visit Traceable’s website.
