2022 State of API Security
May 2022
EMA Research Report
Christopher M. Steffen, CISSP, CISA
Managing Research Director, Information Security, Risk and Compliance Management
Sponsored by: Radware

Table of Contents
Introduction
Key Findings
Voices of the Survey: Respondent Quotes
Technology Trends
Shining a Light on the State of API Security
EMA Perspective
Research Methodologies and Demographics

Introduction

For years, security vendors have discussed DevSecOps solutions and the benefits they bring to the mature enterprise, but forecasted attacks on APIs and infrastructure as code (IaC) have put application security in the spotlight. Organizations of every size will invest in application security tools, and vendors whose tools address every market segment, of every size, will have a decisive advantage in capitalizing on this emerging trend.

Modern applications, composed of functions and services, require developers to rely on APIs to communicate between applications and their components, to share data, and to drive functionality. These applications are mobile and distributed, and have instances both in the cloud and on premises. The trend toward remote working has created a need for agile, connected applications and has deprioritized on-premises application access. This is driving network and application re-architecture and the adoption of, and transition to, cloud, while increasing the use of open APIs in many vertical industries.

For most organizations, gaining a consolidated view of their configuration and security parameters is challenging because many of these applications are deployed on a variety of platforms, change frequently, and may include open-source components. Also, because of constant and rapid change, many of these applications are poorly documented, and API security often becomes an afterthought.

This report examines the state of API security in the enterprise, from how enterprises are evaluating and using tools for API security to the approaches that organizations are taking to secure their applications and APIs. It also sheds light on the false sense of security that many organizations have regarding APIs: specifically, how they are documented, how they are used, and how they are secured.

In this exclusive research study conducted for Radware, Enterprise Management Associates polled 203 individuals in Europe, Asia, and North America, representing organizations of 1,000 employees or more from more than ten industry verticals. Nearly all (96.6%) indicated that their organization uses APIs for communication between their workloads and systems, and 92.6% stated that they have a plan in place to protect those APIs from being exploited.

Key Findings

59% are running most of their applications in the cloud.
92% have seen recent increases in API use in their organizations.
62% of organizations indicated that they have over 30% of their APIs undocumented.
74% believe that containers and microservices are more secure by default.
65% believe that open-source code is more secure.
Almost 70% believe that they have visibility into the applications that are processing sensitive data.
44% indicated that their APIs were already adequately protected.
Voices of the Survey: Respondent Quotes

Select Open-Ended Responses

Why is securing your organization's API important to your business?

"We operate in an era in which more actions are being done online than ever before. Customers trust us with sensitive information, and we owe it to them to protect their data with the most stringent and latest security features."

"It allows for faster innovation of our services. It removes barriers to change, and we can create better services while standing apart from the competition."

"As a financial institution, we deal with very sensitive data and customer information. Most of our due diligence has copies of personal ID and social security numbers. Therefore, most of the data is stored in an electronic format on cloud servers and it's crucial the API is well maintained."

"They enable our line of business users and information technology to use applications and software to increase productivity and improve the bottom line of the organization. Therefore, APIs are extremely important in our business."

"For our company, API security is essential because it allows for more rapid innovation, and APIs make our monetization simpler. Our company will be able to sell more advertising space. A good example of this is Uber, which took the finest features of all these programs and linked them together through APIs."

"API security is important to ensure safe connection of IT services and to transfer data without any breaches."
Technology Trends

Analysis: When starting a survey of this type, it is always important to ask some baseline questions to get a sense of how the respondents view the topic. In this instance, 96.6% of the respondents use APIs in their organizations for connections between their workloads, and 89.2% have some level of responsibility for securing those APIs.

Commentary: This question and its data alone suggest the reason for the survey: APIs are critically important for nearly all organizations, and securing those APIs from attack or exploitation is the responsibility of nearly 90% of those surveyed.

Does your organization use application programming interfaces (APIs) for connections between computers or computer programs?
  Yes   96.6%
  No     3.4%

Are you responsible for API security within your organization?
  Yes   89.2%
  No    10.8%

Analysis: API usage is up, and the organizations surveyed believe that they have a plan to address their protection. Over 92% of those surveyed indicated that their API usage had increased significantly or somewhat, and the same number (92%) believe that they have a plan in place to adequately protect those APIs from attacks.

Commentary: It is not surprising that API usage is increasing. The proliferation of applications in the cloud and on mobile devices nearly guarantees that result. Interestingly, those surveyed believe that they have the ability and the visibility to protect those APIs from attacks, which is at odds with some of the other data from this survey and creates a false sense of security around the protection of those applications on critical workloads.

Does your organization have a plan to protect APIs utilized by your applications?
  Yes       92.6%
  No         4.4%
  Unknown    3.0%

How has API use increased in your organization compared to previous years?
  Significantly increased over previous years   40.4%
  Somewhat increased over previous years        51.7%
  Marginally increased over previous years       4.4%
  No increase over previous years                3.4%
Shining a Light on the State of API Security

Analysis: When considering the methods used to identify and protect APIs from attack, many of the standard solutions are referenced: XDR (29%), API gateways (29%), and web application firewalls (21%). Also interesting was the belief that these solutions were nearly 98% effective at protecting their APIs.

Commentary: Maybe the most troubling response from these two questions was that the solutions in place had not identified any attacks (7.4%). There was also the honest assessment that the tools deployed were not able to adequately identify API attacks (3%), which also calls into question whether the existing tools are delivering a false impression that they adequately identify when API attacks occur. It seems unlikely that the solutions referenced are 98% effective, especially when over 7% of those surveyed indicate that there were no attacks to identify.

What is the PRIMARY method currently used by your organization to identify an attack on your APIs?
  Alerts from API gateway                              28.6%
  Alerts from extended detection and response (XDR)    28.6%
  Alerts from web application firewall (WAF)           21.2%
  Analysis of log files                                 7.9%
  No attacks identified currently                       7.4%
  Unable to identify API attacks adequately             3.0%

How effective are your existing tools in protecting your APIs?
  Very effective        49.8%
  Somewhat effective    47.8%
  Minimally effective    2.0%
  Not effective          0.0%

Analysis: Further contributing to the false narrative is the idea that open-source code and microservices are inherently more secure. In this survey, 65% of respondents believe that open-source code is more secure, and nearly 74% believe that containers and microservices are more secure by default.

Commentary: In general, the security industry tries to scare customers and prospects into thinking that the sky is falling, while other technology vendors will tell you that everything is just fine. That must be the case here, since open-source code is not the magic bullet for development security. It consistently has the same security concerns and flaws that proprietary code has, and it is usually patched in much the same way. The same is true of containers and microservices: they are vulnerable to many of the same exploits that cloud instances and traditional servers are subject to. Believing that these technologies are inherently more secure contributes to the false narrative that puts application security, and organizations, at risk of cyberattack.

Please rate the following statement: Open-source code is more secure since the community constantly improves and patches it.
  Agree                        65.1%
  Neither agree nor disagree   19.2%
  Disagree                     15.7%

Please rate the following statement: Containers and microservices are more secure by default.
  Agree                        73.9%
  Neither agree nor disagree   18.2%
  Disagree                      7.9%

Analysis: Arguably, you can't protect the things you don't know you have. In this survey, only 38% indicated that they had documented more than 70% of their APIs (the 71-100% bucket). In other words, 62% of the organizations surveyed have 70% or less of their APIs documented. In response, those surveyed recognized that a good solution for API protection needs to discover and secure undocumented APIs, as well as reduce the security skill necessary to protect APIs wherever they might be in their various environments.

Commentary: Again, the data is very consistent: organizations are aware of the process shortcomings in their development and operations cycles regarding documentation of application APIs, and they are looking for solutions to address those shortcomings. They are obviously looking for tools that integrate with existing solutions and that can enforce security policies, as they should. Still, finding ways to detect and secure both documented and undocumented APIs is a key feature that organizations are looking for when selecting their API security tools. It is also critical to find solutions and tools that allow organizations to easily protect their APIs regardless of their location. Any tool that requires an entire security team to administer is not going to be viable for protecting APIs in most organizations: they lack the skills and manpower to dedicate to API protection, and they are depending on the tool and the vendor to aid them with this process.

In your organization, what percentage of APIs are documented?
  0-40%      21.2%
  41-70%     41.3%
  71-100%    38.2%
  Unknown     2.0%

What do you perceive to be a good solution to protect APIs?
  Integration with other security/visibility tools                                36.9%
  Discover both documented and undocumented APIs to be secured                    33.0%
  Enforce security measures to stop attacks on APIs and alert on breach attempts  33.0%
  Identify and secure undocumented APIs                                           29.6%
  Easy to use/implement/manage solution                                           27.1%
  Reduce security expertise required to protect APIs across platforms             16.7%
Analysis: The ability to address automated or bot attacks is one of the concerns that was top of mind for respondents to the survey. Nearly 32% indicated that bot attacks are among the most common threats they are seeing against their APIs. While not the most mentioned threat, its weight is greater than the number suggests, because the threats mentioned more frequently are data breach indicators, that is, outcomes, rather than attack techniques.

Commentary: Bot mitigation arguably addresses one of the most significant threats to an organization's APIs. Yes, companies need solutions for WAAP, WAF, and API gateways, but bot mitigation is often overlooked as a critical component. Most comprehensive application protection solutions include basic bot mitigation as part of their overall suite of tools, but bot protection and automated attack protection should be a priority when evaluating tools and solutions to protect APIs. The two charts below make the gap visible: 31.5% of respondents see automated bot attacks against their APIs, yet only 18.2% use dedicated bot management tooling.

What are the most common threats you've seen on your APIs?
  Automated bot attacks (scraping, misuse)                     31.5%
  Business logic attacks to detect application vulnerability   36.0%
  Data breach due to lack of encryption between connections    38.4%
  Data breach due to compromised endpoints/certificates        43.8%

What tools does your organization use to protect APIs?
  Bot management                                                        18.2%
  Runtime application self-protection (RASP)                            37.9%
  Vulnerability scanners (static, dynamic, interactive) in production   38.9%
  API gateway                                                           46.3%
  Web application firewall (WAF)                                        52.2%
  Web application and API protection (WAAP)                             55.2%
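The automated-traffic problem this section describes, as an added example that is not code from the report or from any vendor it mentions: a small scorer that applies three heuristics a bot manager relies on (sustained request rate, sequential identifier enumeration, and a high share of 4xx responses from path guessing) to per-client traffic. The traffic is constructed inline, and every threshold, address and path is an assumption chosen for the example, not a recommended production setting. Deliberately absent is any User-Agent check: it is the first thing a scraper changes, so it belongs in reporting, not in the verdict.

```python
"""Heuristic scoring of automated (bot) API traffic over constructed sample traffic.

Added illustration; not code from the report or any vendor. Thresholds,
addresses and paths are assumptions for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NUMERIC_SEGMENT = re.compile(r"^\d+$")


@dataclass(frozen=True)
class Hit:
    client: str      # source address or API key, whatever identifies the caller
    ts: datetime
    method: str
    path: str        # request path without the query string
    status: int


def path_template(path: str) -> tuple[str, tuple[int, ...]]:
    """Replace numeric path segments with {id}; return the template and the ids seen."""
    segments, ids = [], []
    for seg in path.split("/"):
        if NUMERIC_SEGMENT.match(seg):
            segments.append("{id}")
            ids.append(int(seg))
        else:
            segments.append(seg)
    return "/".join(segments), tuple(ids)


def max_hits_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of requests inside any sliding window of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def longest_sequential_run(ids: list[int]) -> int:
    """Longest run of consecutive integers among the distinct ids (enumeration signal)."""
    distinct = sorted(set(ids))
    if not distinct:
        return 0
    best = run = 1
    for prev, cur in zip(distinct, distinct[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def score_clients(hits, window=timedelta(seconds=60), rate_threshold=30,
                  enum_threshold=20, error_ratio=0.5, min_requests=10) -> dict[str, list[str]]:
    """Per client, the list of bot indicators that fired (empty list = nothing suspicious)."""
    by_client = defaultdict(list)
    for h in hits:
        by_client[h.client].append(h)
    findings = {}
    for client, client_hits in by_client.items():
        flags = []
        # 1. Rate: humans rarely sustain dozens of API calls per minute from one session.
        if max_hits_in_window([h.ts for h in client_hits], window) >= rate_threshold:
            flags.append("high_rate")
        # 2. Enumeration: walking /users/1000, /users/1001, ... is scraping, not browsing.
        ids_per_endpoint = defaultdict(list)
        for h in client_hits:
            template, ids = path_template(h.path)
            ids_per_endpoint[(h.method, template)].extend(ids)
        if any(longest_sequential_run(ids) >= enum_threshold for ids in ids_per_endpoint.values()):
            flags.append("id_enumeration")
        # 3. Probing: mostly 4xx answers means the caller is guessing paths or credentials.
        errors = sum(1 for h in client_hits if 400 <= h.status < 500)
        if len(client_hits) >= min_requests and errors / len(client_hits) >= error_ratio:
            flags.append("probing")
        findings[client] = flags
    return findings


def build_sample_traffic() -> list[Hit]:
    """Constructed traffic (not real data): one scraper, one path prober, one ordinary user."""
    t0 = datetime(2022, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    hits = []
    # Scraper walks user ids 1000..1049, one request per second; every call succeeds.
    for i in range(50):
        hits.append(Hit("203.0.113.7", t0 + timedelta(seconds=i), "GET", f"/api/v1/users/{1000 + i}", 200))
    # Prober guesses a dozen hidden paths over 24 seconds; all return 404.
    guesses = ["admin", ".env", "debug", "config", "backup", "swagger.json",
               "actuator", "graphql", "internal", "console", "metrics", "test"]
    for i, name in enumerate(guesses):
        hits.append(Hit("192.0.2.9", t0 + timedelta(seconds=30 + 2 * i), "GET", f"/api/v1/{name}", 404))
    # Ordinary user: five requests spread over ten minutes.
    session = [("GET", "/api/v1/users/1042"), ("GET", "/api/v1/orders/77"),
               ("POST", "/api/v1/orders"), ("GET", "/api/v1/orders/78"), ("GET", "/api/v1/users/1042")]
    for i, (method, path) in enumerate(session):
        hits.append(Hit("198.51.100.4", t0 + timedelta(minutes=2 * i), method, path, 200))
    return hits


if __name__ == "__main__":
    for client, flags in score_clients(build_sample_traffic()).items():
        print(f"{client:15} {', '.join(flags) or 'no indicators'}")
```

Run stand-alone it flags 203.0.113.7 for rate and enumeration, 192.0.2.9 for probing, and leaves 198.51.100.4 clean. The enumeration check is keyed on (method, path template), so a client walking a single collection is caught even when its overall rate stays under the limit; the rate check catches the opposite case, a fast client hitting varied endpoints. In production the client key should be the authenticated identity or API key where one exists, since source addresses are shared behind NAT and rotated by scraping proxies.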
EMA Perspective

More than most verticals in the technology space, the security industry (more specifically, the marketing and media around the security industry) is all about the latest trends. Be it Zero Trust, the latest ransomware attacks, or whatever data breach leads the 9:00 o'clock news, executive leadership in organizations of every size reacts to these trends, forcing the vendors in the space to react as well. API security is one of these trends, but one that has received very little attention to date, which has led many organizations to embrace a false narrative that their APIs are secure (if it isn't being reported on CNN, it must be secure, right?).

Put simply, there is a false sense of security and overconfidence when it comes to API protection, stemming from a multitude of sources: the belief that open-source environments are more secure, the assumption that auto-discovery tools and solutions have identified and protected undocumented applications and APIs, and the idea that existing tools are adequately protecting APIs against automated and bot threats. In reality, there are many challenges in securing APIs, including:

Protecting the unknown. While this survey found that a fair portion of APIs are known and documented, there is a real (and underestimated) threat that comes from the large percentage of undocumented APIs. This is coupled with the fact that only some respondents believe that automatic API discovery and protection are necessities, and a smaller portion is actually using a solution with such auto-discovery capabilities. This is part of the false narrative that can lead to disaster for many organizations: the belief that they are adequately protected, when in fact they have significant gaps in their protection from APIs that are unknown and undocumented.

Overconfidence. Throughout the survey, there were plenty of instances in which respondents thought they had adequate protection for their environment with their existing tools and solutions, only to find that they did not have solutions that address a majority of the most common threats. For example, there is a false belief that API gateways and traditional WAFs provide adequate protection of APIs against both vulnerability exploits and automated bot attacks, but that is simply not the case. A comprehensive API protection solution will address these threats, but very few respondents indicated that they had solutions that actually did, or even had the capability to do so.

Overcoming the skills/talent gap. A recurring theme in the security space is the lack of security talent. Even the most experienced security administrator may not have the development skills necessary to architect and deploy a best-in-class security strategy for protecting APIs and application workloads. Protecting APIs is not a simple task; it requires in-depth understanding of a multitude of environments and platforms. Often, the only recourse for protecting these environments is to partner with a trusted vendor with experience in the processes and solutions needed to protect the APIs in these environments.

There is unequivocally a false sense of overconfidence when it comes to API protection, but solutions exist to secure these resources. From our perspective, an API security solution will have most of the following capabilities:

- The ability to integrate well with existing security and visibility tools in the environment
- Reduces the security and deployment expertise and resources (manpower) required to protect APIs across platforms
- Leverages advanced machine-learning algorithms to detect emerging threats and automatically creates and optimizes API security policies
- Enables accurate and automated API discovery, protection, and security policy generation without requiring application or security expertise
- Provides comprehensive protection of all parts of the API and across a broad range of API threats, such as access violations, data leakage, denial of service, automated threats (bots), and embedded attacks
- Protects APIs against automated, bot-based threats
- Supports both positive and negative security models while enabling continuous and automatic security policy optimization and adjustment to correct and eliminate false positive events

API security is not a "trend" that is going away. APIs are a fundamental component of most current technologies, and securing them must be a priority for every organization. Dispelling the myths and false beliefs, and debunking the overconfidence that most organizations have around API security, is a great place to start, and working with a vendor that debunks some of these false beliefs is critical.
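The "Protecting the unknown" challenge above, and the documentation findings in the Shining a Light section (62% of respondents have 70% or less of their APIs documented), both come down to the same check: compare the operations actually seen in traffic with the operations the organization has documented. The following is an added example, not code from the report or from any vendor it names. It normalizes paths from constructed access-log lines (the common log layout a gateway or reverse proxy writes, assumed here) into (method, path template) pairs and diffs them against a constructed inventory shaped like an OpenAPI `paths` section. Everything in `DOCUMENTED` and `SAMPLE_LOG` is made up for the example.

```python
"""Shadow-API discovery: diff the endpoints seen in traffic against the documented inventory.

Added illustration; not code from the report or any vendor. The inventory, the
log lines and the assumed log layout are constructed for the example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Documented operations as (method, path template), as an OpenAPI `paths` section would list them.
DOCUMENTED: set[tuple[str, str]] = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/users"),
    ("GET", "/api/v1/orders/{id}"),
    ("GET", "/api/v1/health"),
}

# Constructed access-log lines (common log layout); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2022:10:00:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2022:10:00:02 +0000] "GET /api/v1/users/1043/export HTTP/1.1" 200 90211
10.0.0.9 - - [01/May/2022:10:00:03 +0000] "POST /api/v1/users HTTP/1.1" 201 88
10.0.0.9 - - [01/May/2022:10:00:04 +0000] "GET /api/v2/orders/7f3a1c2e-9b4d-4e6f-8a0b-1c2d3e4f5a6b HTTP/1.1" 200 1024
10.0.0.9 - - [01/May/2022:10:00:05 +0000] "DELETE /api/v1/users/1042 HTTP/1.1" 204 0
10.0.0.3 - - [01/May/2022:10:00:06 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.3 - - [01/May/2022:10:00:07 +0000] "GET /api/v1/users/1044?include=ssn HTTP/1.1" 200 600
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
NUMERIC = re.compile(r"^\d+$")
UUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


@dataclass(frozen=True)
class Request:
    client: str
    method: str
    path: str    # normalized template, e.g. /api/v1/users/{id}
    status: int


def normalize_path(target: str) -> str:
    """Drop the query string and collapse identifier-like segments to {id}, so that
    /users/1042 and /users/1043 count as one endpoint rather than thousands."""
    path = target.split("?", 1)[0]
    segments = ["{id}" if NUMERIC.match(s) or UUID.match(s) else s for s in path.split("/")]
    return "/".join(segments) or "/"


def parse_log(text: str) -> list[Request]:
    """Parse lines in the assumed layout; lines in any other layout are skipped, not guessed at."""
    requests = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        requests.append(Request(m["client"], m["method"], normalize_path(m["target"]), int(m["status"])))
    return requests


def inventory_gap(requests: list[Request], documented: set[tuple[str, str]]) -> dict:
    """Split observed endpoints into documented and undocumented (shadow), list documented
    endpoints that carry no traffic, and report the share of observed endpoints the spec covers."""
    observed = Counter((r.method, r.path) for r in requests)
    shadow = {ep: n for ep, n in observed.items() if ep not in documented}
    covered = {ep: n for ep, n in observed.items() if ep in documented}
    unused = documented - set(observed)
    coverage = len(covered) / len(observed) if observed else 1.0
    return {"shadow": shadow, "documented": covered, "unused": unused, "coverage": coverage}


if __name__ == "__main__":
    report = inventory_gap(parse_log(SAMPLE_LOG), DOCUMENTED)
    print(f"documented share of observed endpoints: {report['coverage']:.0%}")
    for (method, path), n in sorted(report["shadow"].items()):
        print(f"UNDOCUMENTED  {method:6} {path}  ({n} requests)")
    for method, path in sorted(report["unused"]):
        print(f"NO TRAFFIC    {method:6} {path}")
```

Two details matter for the result. The inventory is keyed on the operation, not the path: `DELETE /api/v1/users/{id}` is reported as undocumented even though `GET` on the same path is in the spec, which is exactly the kind of gap a path-only comparison hides. And the "no traffic" list is as useful as the shadow list: a documented endpoint nobody calls is either dead code that should be removed or a route that only an attacker will ever find. The normalization here is a heuristic (numeric and UUID segments only); a production discovery tool learns templates from the traffic itself and would also catch slugs and opaque tokens.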
Research Methodologies and Demographics

You indicated that your department is IT-related. Which of the following BEST describes your specific role? (Sample size = 203)
  CIO/CTO                                      31.4%
  IT Director                                  18.9%
  VP IT                                        13.5%
  IT Manager/Supervisor (or equivalent)         8.6%
  IT Project/Program Manager                    5.4%
  CISO/CSO                                      4.9%
  Information Security Director                 2.7%
  Chief Data Officer                            1.6%
  VP Information Security                       1.6%
  IT Service Manager/ITSM Team Leader           1.6%
  Database Administrator                        1.6%
  Programmer/Developer/Engineer                 1.6%
  Director of Networks                          1.1%
  IT Consultant/Integrator                      1.1%
  Chief Privacy Officer                         0.5%
  Director of Development/Engineering           0.5%
  IT Administrator/System Administrator         0.5%
  Network Administrator/Engineer                0.5%
  IT Architect                                  0.5%
  IT Business Analyst                           0.5%
  Help Desk/IT Support                          0.5%
  IT Generalist (other)                         0.5%

In total, how many employees are currently working in your organization?
  1,000-2,499        30.0%
  2,500-4,999        23.6%
  5,000-7,499        16.3%
  7,500-9,999         9.9%
  10,000-19,999       6.9%
  20,000-49,999       3.4%
  50,000-99,999       3.9%
  100,000-499,999     5.9%

In which region is your organization's headquarters located?
  North America                        36.0%
  Europe-Middle East-Africa (EMEA)     32.5%
  Asia-Pacific (APAC)                  31.5%

Which of the following best describes your organization's primary industry?
  Manufacturing                                                               20.2%
  Finance/Financial Services/Banking                                          17.7%
  Retail/Wholesale/Distribution                                               14.8%
  Healthcare/Medical/Pharmaceutical                                           12.8%
  Computer/Technology Software (mobile app, consumer, custom, web-based)       5.4%
  Insurance                                                                    4.4%
  Computer/Technology Services (IaaS, SaaS, MSP, MSSP, cloud provider)         3.9%
  Computer/Technology Hardware (devices, chip, computer/networking hardware)   3.0%
  Travel/Hospitality/Recreation                                                2.5%
  Transportation/Airlines/Trucking/Rail                                        2.0%
  Computer/Technology: Other                                                   1.5%
  Ecommerce                                                                    1.5%
  Gaming/Digital Entertainment                                                 1.5%
  Government (federal, state & local)                                          1.5%
  Professional Services (non-technical)                                        1.5%
  Automotive                                                                   1.0%
  Telecommunications                                                           1.0%
  Utilities/Energy                                                             1.0%
  Other                                                                        1.0%
  Aerospace/Defense                                                            0.5%
  Business Services/Consulting                                                 0.5%
  Education (federal, state & local)                                           0.5%
  Oil/Gas/Chemicals                                                            0.5%

About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help EMA's clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals, and IT vendors at . You can also follow EMA on Twitter or LinkedIn.

This report, in whole or in part, may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. "EMA" and "Enterprise Management Associates" are trademarks of Enterprise Management Associates, Inc. in the United States and other countries. © 2022 Enterprise Management Associates, Inc. All Rights Reserved. EMA, ENTERPRISE MANAGEMENT ASSOCIATES, and the mobius symbol are registered trademarks or common law trademarks of Enterprise Management Associates, Inc. 1995 North 57th Court, Suite 120, Boulder, CO 80301, +1 303.543.9500. 4178.061322