What are the Issues Facing CISOs Trying to Secure Their APIs?

In 2023, it has never been more critical for CISOs to secure API ecosystems.

There are many advantages to APIs. The main benefit is the interconnectivity of separate services and the exchange of critical data with employees, partners, and customers.

But the modern company has thousands of APIs. They’re changing very quickly too. APIs are a veritable goldmine for hackers because of the sensitive data they’re connected to. And API security breaches are on the rise.

Securiti says API mistakes cause the biggest data breaches. Here are the top issues CISOs face in establishing a secure API structure.

API Security Program / Strategy

Wallarm says 48.8% of CISOs consider their API security program their top concern.

CISOs are tasked with figuring out what a comprehensive API security program looks like. There are many nuances and factors to consider with APIs. For example, when an API is updated, it may create new security issues it previously did not have.

Security strategies, therefore, can’t be static. They must also update or at least account for how changes in the API ecosystem could affect overall security.

The security program of the past may have been antivirus software, a firewall, and secure passwords. This is a good starting point. But today, there is so much more to be mindful of.

But a secure API plan must be created. Security and IT teams depend on the CISO for guidance and direction. And CISOs are confronted by this reality.

Risk Assessment

Hand in hand with API security programs. SALT’s A CISO’s Essential Guide to API Security says risk assessment has never been more complicated.

The pace of development is only getting faster. That means risks must also be assessed faster. This makes priority management critical. Risks and vulnerabilities must be understood and addressed logically. 

Plus, API security investments need to be made wisely.  

Change Management for New APIs

The subset of API security strategy raises the concern of change management.

Process Tempo says:

“New APIs are deployed quickly without proper documentation, governance, and change control.”

Each new API deployment requires new infrastructure. And this requires a clear understanding of the integration, possible threats and vulnerabilities, and what steps must be taken under what circumstances.

API Threat Detection

Through many conversations with CISOs, Process Tempo identified detecting API threats as one of six top concerns.

Many organizations aren’t aware of how many APIs they have. “Shadow APIs,” as it were, make it impossible to know all possible security risks.

CISOs must find a process for detecting and identifying all possible threats to API. Not just in real-time. But also in advance so that something can be done about it.

Attack Surface

34.1% of CISOs are most concerned with attack surface, according to Wallarm.

The growth of APIs is nothing short of explosive. Nordic API says over 90% of developers use APIs. While 69% use third-party APIs, 20% use internal or private APIs. 

MarketsandMarkets says the API management market size is expected to grow from $4.5 billion in 2022 to $13.7 billion in 2027.

Increased API adoption can only mean one thing—a growing attack surface. More APIs mean more risks and vulnerabilities to identify. And many of them can’t necessarily be identified upfront. Developers must move fast, so they often cannot address all concerns upfront.

Nevertheless, all attack vectors must be identified for complete security. This only gets more complex with additional integrations. Legacy APIs (that aren’t updated) can be problematic too.

Protection Perimeter

One of the key concerns to secure API, says Process Tempo, is that protection is rarely a one-and-done operation. In their own words:

“There is rarely a single ‘gateway’ to enforce protection.”

Many security structures may need to be created for different integrations and applications.

Process Tempo says API traffic consists of both internal and external usage. Application API protection is required for both.

Manual Security Configurations

Process Tempo indicates manual security configurations must be made for every new API. Secure API is a time-consuming task in an ecosystem with thousands of APIs.

IT & Cybersecurity Talent

12.2% of CISOs had engineers and staff experts as their top concern, per Wallarm.

CISOs believe that good IT and security talent help them improve API security. Experts can help find risks and vulnerabilities. They can suggest partners and vendors. They can recommend specific tools. They can even support CISOs at the strategic level.

In April 2022, Forbes senior contributor Edward Segal warned of security staff shortages. He quoted the Philadelphia Inquirer, which said there were almost 600,000 unfilled cybersecurity positions despite the U.S. cybersecurity workforce being one million strong.

No wonder CISOs are so concerned about the availability of cybersecurity talent to prevent API security breaches.

Siloed DevOps & Security Teams

According to Process Tempo, as a subset of engineers and staff experts, CISOs voiced their concern for the sometimes-fractured relationship between DevOps and their security team.

They add that 30% of APIs were deployed without input from IT security. This means security concerns often aren’t addressed in advance.

Reliable Products & Vendors

Wallarm said 4.9% of CISOs believed trusted products and vendors were a top concern.

CISOs must be aware of all available solutions. But their job doesn’t end there. They must find the right products and vendors for their situation. There are many newcomers to the market. And that can make it hard to know who to trust.

Then comes the technical issue of identifying specific needs. Which solution best matches the API security challenges a CISO wants to address? These concerns can be discussed in the consultation. But of course, this requires additional time.

Conclusion: CISO Priorities 2023

What are your greatest concerns as you look to secure your integrations? How do you plan to secure your APIs? The journey begins with accepting that API security is an urgent need. Then, identify the right strategy and partners. API security is possible with the right API protection solution like AppTrana.