SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

F5 report reveals critical gaps in API security practices

Tue, 8th Oct 2024

F5's recent report highlights significant deficiencies in API security, posing potential risks to enterprise security and operations.

The 2024 State of Application Strategy Report: API Security, released by F5, unveils substantial gaps in current API security practices. The findings suggest that many APIs, integral to modern digital infrastructure, remain vulnerable to threats, particularly as they become more intertwined with AI services.

Almost a third of customer-facing APIs are unprotected, according to the report, with fewer than 70% using HTTPS. By contrast, 90% of web pages are accessed over HTTPS, the result of extensive efforts to improve web communication security over the last decade.

Lori MacVittie, Distinguished Engineer at F5, said, "APIs are becoming the backbone of digital transformation efforts, connecting critical services and applications across organisations. However, as our report indicates, many organisations are not keeping pace with the security requirements needed to protect these valuable assets, especially in the context of emerging AI-driven threats."

The report's findings reveal that the average organisation manages 421 different APIs, predominantly hosted in public cloud environments. Despite their rapid expansion and importance, a significant number still lack adequate protection.

As APIs increasingly integrate with AI services, the report stresses the need to evolve security models to address both inbound and outbound API traffic. Currently, security practices are primarily focused on inbound traffic, potentially leaving outbound calls unguarded.

The report also highlights the fragmented nature of API security responsibilities within organisations. It shows that 53% of organisations manage API security through application security, while 31% use API management and integration platforms. This division often leads to gaps and inconsistencies in security protocols.

There is a notable demand for programmable security solutions, as respondents identified programmability as the most valuable feature for API security. This need suggests organisations are looking for capabilities that allow real-time inspection and response to potential threats.

To address these issues, the report recommends adopting comprehensive security solutions that cover the entire API lifecycle, which includes design, deployment, and operation. By integrating security into every stage of an API's lifecycle, organisations can enhance the protection of their digital assets.

MacVittie added, "APIs are integral to the AI era, but they must be secured to ensure that AI and digital services can operate safely and effectively. This report is a call to action for organisations to re-evaluate their API security strategies and take the necessary steps to protect their data and services."

F5's report highlights the urgent need for organisations to enhance their API security practices as APIs become increasingly integral to digital infrastructure and AI services. The identified vulnerabilities pose risks to enterprise security and operations. By implementing comprehensive security measures throughout the API lifecycle, businesses can better protect their assets and strengthen their digital transformation efforts. The findings serve as a critical reminder for organisations to prioritise API security in the face of evolving threats.
