Three Simple Steps to Improve API Security in 2024


First the good news: Application programming interface (API) security incidents decreased more than 7% in the manufacturing sector last year, according to a recent study from Noname Security.
 
Now, the bad: Cybersecurity remains a major concern for every business across all industries. According to the report, 78% of all organizations surveyed reported API incidents in 2023—a 3% increase from the year before—including 73% of manufacturing companies.
 
Financial services firms, retail and e-commerce companies, and healthcare organizations proved to be especially vulnerable last year, probably because they collect a lot of personally identifiable information (PII) from customers. This marks a big change from 2022, when manufacturing businesses reported the highest number of incidents.
 
Despite these shifts, no business is safe from cybercriminals’ activity. Over the past few years, even companies with robust cybersecurity programs, including X (formerly Twitter) and Dropbox, have fallen victim to major API breaches.
 
The consequences can be severe. About half of manufacturers surveyed by Noname Security blamed customer churn on API security incidents; another major issue was the fees associated with developing and implementing solutions.
 
Security professionals and IT decision-makers must take decisive steps now to keep their data safe.


Why API security remains an important ongoing challenge

APIs allow software components to interact with each other, whether it's within the same application, on the same device, or over a shared network. And while they’re useful tools for developers, they can also act as both a gateway and a getaway car for hackers to steal private information, including critical business data.
 
Making matters even more complicated, APIs are also difficult to safeguard because they’re so pervasive. Currently, APIs account for 80% of total internet traffic, according to Noname Security. That’s because companies have an average of 15,564 APIs in use at any given time—and that number jumps to more than 25,000 APIs for large enterprises with more than 10,000 employees, according to a recent report from 451 Research.


How to improve your API security

Instituting a few new API security policies and procedures can help ensure your data is secure. Here are three steps to take immediately to keep would-be hackers at bay:

1. Make sure your APIs are secure from the start and test continuously.
More than 85% of API defects, including security issues, are created in development, usually during the initial coding phase. As a result, testing in real time is critical, as it costs significantly less to stop a vulnerability or remediate a problem before it's deployed. However, last year, only 12% of manufacturing businesses were doing this, according to Noname Security’s 2023 report. Businesses are keeping it in mind, though; 38% of leaders surveyed said they tested at least once per day and 40% reported testing up to once a week.

Fortunately, it’s relatively easy for these numbers to improve, as modern tools have emerged that make testing APIs fast, efficient and scalable without putting more stress on developers.

2. Gain visibility into your API footprint.
In 2023, 72% of U.S. businesses surveyed had a full inventory of APIs, but only 40% had visibility into which ones return sensitive data. In addition, 26% said they had a partial list, but of those, only 24% know which ones to prioritize, according to Noname Security’s report. This has to change. Without that data, it’s impossible to accurately assess risk and exposure levels.
 
The most effective way to gain added visibility is by leveraging tools that create a working catalog of a business’ APIs. From there, companies can determine which APIs to focus on. Knowing where sensitive data is traversing APIs has the added benefit of helping organizations stay compliant with regulations like Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA). In 2023, more than 80% of survey respondents in the manufacturing sector said that APIs helped them do just that.
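
As an added illustration of this step (not code from the article or from Noname Security), the Python below walks a constructed OpenAPI-style catalog, finds the operations whose responses carry sensitive fields, and ranks them for review. The sensitive field names, paths and schemas are assumptions made for the example.

```python
SENSITIVE = {"ssn", "email", "card_number", "dob", "phone"}  # assumed PII property names
METHODS = {"get", "post", "put", "patch", "delete"}
REF = "#/components/schemas/"

def _resp(schema):  # wraps a schema as a 200 JSON response, to keep the sample short
    return {"200": {"content": {"application/json": {"schema": schema}}}}

CATALOG = {  # constructed sample in OpenAPI 3 shape, not a real inventory
    "components": {"schemas": {
        "Customer": {"properties": {"id": {"type": "string"}, "email": {"type": "string"},
                                    "payment": {"$ref": REF + "Card"}}},
        "Card": {"properties": {"card_number": {"type": "string"}}},
        "Part": {"properties": {"sku": {"type": "string"}}}}},
    "paths": {
        "/customers/{id}": {"get": {"security": [{"oauth2": []}],
                                    "responses": _resp({"$ref": REF + "Customer"})}},
        "/export/customers": {"get": {"responses": _resp(
            {"type": "array", "items": {"$ref": REF + "Customer"}})}},
        "/parts": {"get": {"responses": _resp(
            {"type": "array", "items": {"$ref": REF + "Part"}})}}},
}

def sensitive_fields(schema, spec, seen=None):
    """Collect sensitive property names in a schema, following local $ref links."""
    seen = set() if seen is None else seen
    ref = schema.get("$ref")
    if ref:
        if ref in seen:  # already visited: stops recursive schemas looping
            return set()
        seen.add(ref)
        schema = spec["components"]["schemas"][ref.rsplit("/", 1)[-1]]
    props = schema.get("properties", {})
    found = {n for n in props if n.lower() in SENSITIVE}
    for sub in [*props.values(), *filter(None, [schema.get("items")])]:
        found |= sensitive_fields(sub, spec, seen)
    return found

def prioritize(spec):
    """Rows of (method, path, sensitive fields, authenticated), riskiest first."""
    rows = []
    for path, ops in spec["paths"].items():
        for method in ops.keys() & METHODS:
            op = ops[method]
            schemas = [m.get("schema", {}) for r in op.get("responses", {}).values()
                       for m in r.get("content", {}).values()]
            fields = set().union(*(sensitive_fields(s, spec) for s in schemas))
            authed = bool(op.get("security", spec.get("security")))
            rows.append((method.upper(), path, sorted(fields), authed))
    # Unauthenticated operations returning sensitive data first, then by field count
    return sorted(rows, key=lambda r: (not (r[2] and not r[3]), -len(r[2]), r[1], r[0]))
```

On the constructed catalog, the unauthenticated `/export/customers` operation ranks first because it returns `email` and `card_number` with no security requirement declared.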

3. Designate an API champion.
Assigning a designated API champion empowers organizations to be more strategic and proactive in their approach to security. This person or team can help business leaders assess their current security posture, identify potential vulnerabilities and create an in-case-of-emergency strategy in the event of an incident. Additionally, they can educate other teams within the organization on best practices so that API security is baked into every stage of the application development process.

It’s clear that some of this has already occurred. In 2022, Noname Security’s research found dormant and zombie APIs were the cause of most of the industry’s API-related security incidents. The next year, this was no longer a major issue, as many businesses cleaned up their APIs. In 2024, it’s vital to focus on web application firewalls.

Manufacturers clearly understand the importance of safeguarding data. The 2023 Noname Security report revealed that 75% of manufacturing respondents said API security was more of a priority than it was 12 months prior, while only 9% ranked it as less of one.
 
But you can never be too careful. Cybercriminals are becoming more sophisticated every day, and attack surfaces continue to grow. In 2024, focus on API security to keep your data safe and drive positive business outcomes.

About The Author


Karl Mattson is field CISO at Noname Security.

