API Security: Latest Insights & Key Trends

2022 Research Report

How API security is impacting the pace of innovation at enterprises and what IT leaders are doing to mitigate risks

Table of Contents

Executive Summary
  Threats abound
  Affecting the pace of innovation
  Active API security posture is necessary
Current Assessment
  Confident in the face of threats
  Is this confidence misplaced?
  Companies prioritize being proactive with API security
Opportunities
  Consolidation, end-to-end monitoring, oversight needed
  More training and certification in this space is needed
  Most agree their strategy needs improvement
  API security strategy not always a top priority
  The impact of API management and API gateway solutions
API security is a key element of a larger API strategy

2022 Google LLC. All rights reserved.

Executive Summary

With the increasing adoption of digital experiences, the use of Application Programming Interfaces, or APIs, is on the rise. As such, APIs represent a significant area of vulnerability for organizations worldwide. The following report examines the landscape of API security threats and their impact on the pace of innovation. It delves into the worldview of the technology leaders as it pertains to API security posture and strategy, and offers a perspective on opportunities to improve API security health.

This report is based on research conducted by Google Cloud between May and June 2022 among technology leaders from companies in the United States with at least 1,500 employees who have a significant influence or decision-making authority on purchases of technology solutions related to API initiatives within their organization.

“Why API Security Is a Key Element of a Larger API Strategy” explains that API security posture is a growing concern for IT executives due to the prevalence of threats, but that most organizations need to improve their API security strategy. There is a need for proactive security capabilities and measures as well as end-to-end API security solutions such as Apigee, a full life cycle API management platform.

The Threat Landscape

Threats abound

Companies worldwide rely on Application Programming Interfaces, or APIs, to facilitate digital experiences and unleash the potential energy of their own data and processes. APIs are a critical link in blending proprietary data with assets from third parties. They also serve a critical role in the race to modernize applications, fueling interoperability and, in turn, efficient functionality.

But the proliferation and importance of APIs comes with a risk. As a gateway to a wealth of information and systems, APIs have become a favorite target for hackers. Our research confirms the widespread impact of these threats.

We surveyed over 500 technology leaders in the United States. Half of them report experiencing an API security incident in the past 12 months. That percentage is higher or lower depending on who you ask. 62% of C-Suite executives surveyed indicated that they've had a security incident in the past 12 months while only 37% of those who are a couple levels removed from the C-Suite said the same.

This could point toward the limited purview of functional IT teams, or it could be an indication of how salient the issue is for those with greater responsibility. Or both.

[Figure: API Security Incidents]

To compound the issue, threats surface from a myriad of API security areas, with IT leaders each identifying more than three areas on average. While no single area stands out as a glaring vulnerability, the three most common sources of potential threats are security misconfigurations, outdated APIs/data/components, and bots/spam/abuse. Misconfigurations, as a category, are the most identified threat area, with 2 of 5 IT leaders selecting either security misconfiguration or misconfigured APIs.

[Figure: Sources of API Security Threats]

Affecting the pace of innovation

These threats and incidents have real-world implications. API security is slowing the pace of innovation for many organizations. More than half (53%) of organizations have delayed the rollout of a new service or application due to API security concerns. For those who have experienced an incident in the past 12 months, more than three quarters (77%) have delayed the rollout of a new service or application.

[Figure: Delayed the Rollout of a New Service or Application Due to API Security Concerns]

Active API security posture is necessary

With security vulnerabilities being introduced from a variety of sources throughout development, it will come as no surprise that security issues are identified at every phase of the API lifecycle, from design to testing to deployment and beyond. Naturally, security issues are most commonly discovered during testing performed as part of the release management process (67%), but a substantial number of vulnerabilities are identified as part of the process to deploy to production (64%). This indicates a risk of vulnerabilities being deployed to production, as a considerable percentage of possible security issues are identified in the later stages of the API lifecycle.

Notably, issues and vulnerabilities are identified with real-time monitoring in production by three out of five (62%) IT leaders, emphasizing that an active security posture is a necessity in this environment.

[Figure: Stage of the API lifecycle where API security issues and vulnerabilities are identified]

Current Assessment

Confident in the face of threats

Despite the precarious API threat landscape, most organizations believe they have the tools and solutions to ensure end-to-end API security. In fact, more than three quarters (77%) of respondents said they have the required tools and solutions and another 16% said they partially have what they need to implement end-to-end API security. There were very few who said they don't have the tools they need.

What's more interesting, most technology leaders (66%) would rate their security posture as Advanced. Specifically, they believe that they have a comprehensive and centralized API security center of excellence, and their security tools and solutions are not disjointed in any way.

Certain groups are more confident of their security posture than others. The following rate their API Security as Advanced:

  Cloud Native (71%)
  Hybrid Cloud environment (71%)
  C-Suite IT executives (71%)
  Had an Incident in Past 12 Months (71%)

[Figure: Advanced API security Posture]

Is this confidence misplaced?

It would appear that there is a gap between the existence of security incidents and confidence that the tools are doing the job. Could it be that organizations are ignoring the prevalence of security incidents (50% had an incident in the last year) as well as the impact API security is having on innovation (53% have delayed a rollout in the past year)? Or is it simply that security incidents are accepted as a cost of doing business in the digital space?

The reality is likely somewhere in the middle. Some may be underestimating threats and the extent to which they impact their organization, while also being realistic that API security is constantly evolving, and threats are a part of life.

Companies prioritize being proactive with API security

To stay ahead of security threats, many organizations look for solutions that allow them to be proactive while minimizing the burden on their security teams. According to our research, capabilities that proactively identify security threats (60%) and improve automation (57%) are at the top of most IT leaders' wish lists for the next year. However, most are not ready or willing to prioritize taking the leap toward incorporating Artificial Intelligence and Machine Learning into their API security yet.

[Figure: Technologies priorities for API security]

Opportunities

Consolidation, end-to-end monitoring, oversight needed

So, what are IT leaders looking for in an API security solution given a relentless threat landscape and a litany of vulnerabilities to account for across every stage of the API lifecycle?

Aside from factors that are near table stakes, like easy integration with existing tools and support for the latest technologies, consolidation and end-to-end solutions are some of the most important factors to look for when evaluating API security solutions. This is especially true for those reporting to the C-Suite (C-1). While the C-Suite themselves are more focused on easy integration with existing API tools, the level below them is also looking for a solution that will cover a lot of ground.

When evaluating API security solutions, the C-Suite tends to value 3rd party recommendations more than C-1, while C-1 values solutions that are built for cloud-native security with the latest technologies. Moreover, a considerably higher percentage of C-1 prefer consolidated API security solutions over point solutions.

[Figure: Factors used to Evaluate API Security Solutions (Top-5)]

More training and certification in this space is needed

Aside from technological solutions, many look to training and procedural improvements as a means of combating threats. Top priorities for API security include establishing an API security learning and certification standard (38%), improving their documentation to incorporate security best practices (38%), and modifying existing processes to catch API security and vulnerability issues (37%). But IT leaders tend to take a “yes, please” approach to improving their API security, with no single initiative standing out above others.

Most agree their strategy needs improvement

According to our research, most organizations don't have a complete API security strategy in place. A majority (60%) would say that their strategy needs improvement at the very least.

[Figure: State of API Security Strategy]

Like other security areas, there's a slight disconnect between the perceptions of IT leaders in the C-Suite and those reporting to them (C-1). In this case, 53% of C-Suite would say their API security strategy needs improvement. That number increases to 61% for those reporting to the C-Suite (C-1), and 69% among those two levels removed (C-2).

[Figure: API Security Strategy Needs Improvement]

API security strategy not always a top priority

While many organizations simply lack the resources and know-how to enact a comprehensive strategy, IT leaders in those organizations often feel as though API security isn't prioritized. This can lead to some animosity within the ranks of the security team.

Even those with a plan are likely to have API security solutions littered across their organization with responsibilities often divided among teams. In fact, API security responsibilities frequently vary from company to company depending on needs, industry, and company structure.

The impact of API management and API gateway solutions

More than three quarters (78%) of organizations say they have an organization-wide API management/API Gateway solution implemented.

Those organizations are less likely to feel that their security strategy needs improvement (52%), they are more likely to have a comprehensive and centralized API security center of excellence (74%), and more likely to believe they have the required tools and solutions implemented to ensure end-to-end API security (91%).

[Figure: Companies with organization-wide API management (APIM) solution implemented]

API security is a key element of a larger API strategy

Attacks on APIs are common, but incidents don't have to be.

End-to-end solutions enable organizations to identify and shore up vulnerable API security areas such as misconfigurations as well as outdated APIs, data, and components. And while point solutions can deliver a fractured solution, it's clear that, given the breadth of attacks across the API lifecycle and the variety of vulnerabilities, a comprehensive solution offers the best chance of avoiding delays and stymied innovation. Long term, API security needs to be prioritized as part of a larger API management plan and, when possible, an organization-wide API strategy.

About Apigee API Management Platform

Google Cloud's Apigee API management platform delivers full lifecycle API management to help businesses unlock the value of data and securely deliver modern applications and digital experiences. Apigee offers a rich set of capabilities to enable enterprises to gain control over and visibility into API traffic, including the ability to automate troubleshooting and problem resolution and to derive insights from API usage.

Ready to learn more? Visit with us directly at .