The state of API security in 2023

Understanding the landscape of interactions, behaviors, and potential threat vectors is the next frontier of API security. However, four in 10 companies still can’t discover all of the APIs they’re using.

9 visibilty fog search
Robert Couse-Baker (CC BY 2.0)

In today’s rapidly transforming digital world, APIs have become the linchpin for quick delivery of business functionality. These digital connectors underpin much of the enterprise innovation we witness today, from seamless customer experiences to integrated partner ecosystems. Yet, as the CTO of Traceable, I can’t help but observe a growing (and glaring) pattern: As API usage surges, the potential risks grow exponentially. Let’s turn to hard data to illuminate the current state of API security.

Measuring the API boom

An in-depth look at Traceable’s Global State of API Security reveals a profound truth: APIs are undeniably vital to global digital transformation. In our analysis, a significant 57% of organizations rate the importance of APIs at 7 or higher on a 1-to-10 scale, with a combined 29% bestowing the utmost importance levels of 9 or 10. This isn’t a mere trend but a foundational shift in business technology strategy.

Yet, a troubling counter-narrative emerges. While a vast majority, 88% to be exact, use more than 2,500 cloud applications—underscoring the extensive API web—only 59% claim they can discover all APIs in use. When you consider the integral role APIs play, these numbers spell out a significant disconnect. Imagine constructing a network of pipelines in a city but then losing track of them. In the digital realm, undetected and unprotected APIs are the hidden pathways for cyberattacks. 

The subtleties of API security

While the importance of APIs in our digital ecosystem cannot be overstated, the intricacies of their security remain an area where most organizations falter. Delving deeper into the data gives us a clearer perspective on these nuances and the existing gaps in most security strategies.

It’s indeed good news that 51% of organizations implement rapid scans to identify and eliminate vulnerable APIs from production environments. This proactive approach showcases an understanding of the immediate threats. However, the real battlefield is vast and far more complex. Our data suggests that the challenges don’t just lie in immediate threat detection but in the layers of interconnected activities, behaviors, and flows that APIs generate.

A mere 59% of organizations have solutions that enable them to discover all APIs in use. This essentially means that a considerable percentage of enterprise APIs remain off the radar and therefore outside the API governance framework. An undiscovered API is an unmonitored one, and an unmonitored API is a potential gateway for cyber threats. The implications are vast, ranging from unauthorized data access to operational disruptions and more. Any vulnerability, whether they are existing or zero days, are just waiting to be exploited by attackers using sophisticated mechanisms to look for these on critical applications.

For API security, context is key

Furthermore, general mastery in API security comes from understanding the intricate interplays. Only 38% of organizations have solutions that enable them to understand the context between API activities, user behaviors, data streams, and code execution. In hyper-connected digital ecosystems, understanding this data is crucial. An anomaly in user behavior or a suspicious data flow might be early indicators of a breach attempt or a vulnerability exploitation.

Moreover, the capability to tailor security responses based on dynamic threat parameters is indispensable. While generalized security protocols can thwart common threats, customized defenses based on threat actors, compromised tokens, IP abuse velocity, geolocations, IP ASNs, and specific attack patterns can be the difference between a repelled threat and a security breach. Yet most organizations do not have this capability.

Lastly, companies continue to overlook the need to monitor and understand the communication patterns between API endpoints and application services. An API might be functioning as intended, but if its communication pattern is anomalous or its interactions with other services are unexpected, it could be an indicator of underlying vulnerabilities or misconfigurations.

A majority of companies have taken the foundational steps towards API security. However, the breaches continue. Of the organizations breached recently, 74% experienced at least three API-related breaches in the past two years. There’s a clear need to delve into the underpinnings of what actually protects APIs.

Discovering all of your APIs and scanning them for vulnerabilities is just the first step. Understanding the landscape of interactions, behaviors, and potential threat vectors is where the next frontier of API security lies.

Navigating the future of API security

Considering the centrality of APIs in our digital future, organizations face a two-fold challenge. First, they need to fully recognize the scope of their own digital ecosystem, understanding every API’s role and potential vulnerabilities. The silent threats—like shadow APIs and zombie APIs—need to be identified and addressed. Every hidden door can become a point of entry for exploitation.

Secondly, the paradigm of API security demands a comprehensive overhaul, especially in addressing the rising challenge of API abuse. API abuse, where threat actors manipulate API functionality to achieve malicious objectives, has become a grave concern. Simple measures like merely discovering APIs or performing routine vulnerability tests aren’t enough. We must adopt a proactive, forward-looking stance that specifically counters such misuse. Security measures should be woven into every phase of the API lifecycle—from development to deployment, and on to vigilant, continuous monitoring.

In essence, while APIs have become the linchpins of our digital transformation endeavors, our current security infrastructure may not be fully prepared for the wave of challenges they bring. The new data paints a vivid picture. APIs are both our strength and our potential weakness. As we steer into an API-fueled future, it will be crucial to balance the transformative power of APIs with an equally evolved approach to API security. 

Sanjay Nagaraj is chief technology officer at Traceable.

New Tech Forum provides a venue for technology leaders—including vendors and other outside contributors—to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to

Copyright © 2023 IDG Communications, Inc.