SANS Akamai API Survey

The document discusses the results of a SANS survey on API security. The survey found that phishing and missing patches were considered the top API security risks. It also found that frameworks like OWASP and MITRE ATT&CK were commonly used to define API risks. The survey results indicate security managers should focus on maintaining accurate API inventories, using updated API versions, and prioritizing secure configurations and options.

2023 SANS Survey on API Security
Written by John Pescatore
July 2023

©2023 SANS™ Institute


Introduction
From its beginning, computing has involved continual movement from monolithic to
distributed and layered systems. Computers went from mainframes to departmental to
client/server to virtual machines to cloud computing. Networks went from point-to-point
connections to layered physical networks to internet communications. Applications went
from monolithic blocks of code to layered to distributed applications. See Figure 1.

This migration led to increases in performance and flexibility, but as the old saying
goes, “There is no such thing as a free lunch.” Those advantages came at the expense
of additional complexity and, as the other old saying goes, “Complexity is the enemy of
security.” Distributed applications invariably increase both the attack surface available to
malicious actors and the likelihood of vulnerabilities being built into production code.

Modern applications use application programming interfaces (APIs) to define rules for how
different elements should communicate with each other. In a distributor’s catalog, for
example, rather than having to continually modify one gigantic application every time a
supplier is added or deleted, or their listing is changed, the distributor publishes APIs
that define data flows for vendors to join, leave, update, and so on. These APIs essentially
capture the business processes and break them into the lower-level communications required
to efficiently enable business partners and customers to work with the business. A 2022
survey by 451 Group Research reported the average enterprise has more than 15,000 APIs in
use.1

Figure 1. Evolution of Computing Migration (Source: Axway)

Like software developers, API writers are highly skilled at capturing legitimate business
requirements and defining how legitimate business needs can be met efficiently. Modern
APIs also must support a variety of computing platforms and user devices, which means
that APIs are a threat surface that malicious actors may try to subvert, corrupt, or disrupt
in unexpected ways. Most APIs get updated many times as attackers find vulnerabilities
that will then need to be mitigated.

The most used standards for implementing APIs are Simple Object Access Protocol (SOAP)
and Representational State Transfer (REST). SOAP is XML-based and incorporates WS-Security
for encryption, digital signing, and authentication services. REST is an architectural style
built directly on HTTP: REST APIs are exposed over HTTPS and typically exchange JSON
payloads.

1 S&P Global Market Intelligence, “The 2022 API Security Trends Report,” https://nonamesecurity.com/resources/api-security-trends-report/

2023 SANS Survey on API Security 2


The bottom line is that API security, like application security, starts with:

• Inventory of APIs in use and processes that use those APIs

• Vulnerability assessment of APIs in use

• Threat assessment of active attacks exploiting those vulnerabilities

• Risk-based mitigation of critical API vulnerabilities

Although those security activities are well known, there are often gaps in knowledge, skills,
and management prioritization in applying them to API security issues. The SANS API
security survey was conducted to determine enterprise awareness, readiness, and future
plans for dealing with API security risks.

Survey Results
In most publicly reported security incidents, the top three exploited vulnerabilities are
generally:

1. Reusable privileged credentials obtained via phishing

2. Attackers exploiting misconfigured servers or cloud services

3. Exploitation of missing patches on servers and PCs

These same issues (weak authentication, misconfigured settings, and failure to use the
latest versions) are also the vulnerabilities exploited in attacks focusing on APIs.

Perceived Risks

Survey respondents ranked phishing and missing patches as the top two API security risks.
See Figure 2. Of note, misconfigured servers/services were rated last in the weighted
rankings, below exploiting vulnerable apps/APIs with zero-day (no patch available) attacks.

The weighted results from this same question show the following ranking:

1. Phishing to obtain reusable credentials

2. Attackers exploiting missing patches

3. Attackers exploiting vulnerable applications/APIs

4. Accidental disclosure of sensitive/covered information by users

5. Denial of service

6. Misconfiguration of servers/services by system administrators

Figure 2. Top Three Areas of Risk (share of respondents naming each area as their
1st, 2nd, and 3rd choice)

                                                          1st      2nd      3rd
Phishing to obtain reusable credentials                   38.3%    18.9%     9.1%
Attackers exploiting missing patches                      24.0%    23.4%    20.6%
Attackers exploiting vulnerable applications/APIs         12.0%    22.9%    29.1%
Accidental disclosure of sensitive/covered
  information by users                                     9.1%    19.4%    21.1%
Misconfiguration of servers/services by
  system administrators                                   12.0%     8.6%    12.0%
Denial of service                                          2.3%     6.3%     8.0%
Other                                                      2.3%     0.6%     0.0%



Takeaways
In the ranked weightings, when thinking about API security risks, respondents seemed to
be underweighting the risk of misconfigured applications and overestimating zero-day
risks. However, the same number of respondents chose misconfigured applications as
their top risk as chose zero-day risks, indicating awareness of misconfiguration risks.
Security managers should prioritize assuring that an accurate inventory
of APIs is maintained, that updated versions of APIs are in use, and that
configurations and options emphasize security.

Frameworks in Use
Cybersecurity frameworks provide a common language and reference
model for determining the completeness of a security program, exposing
gaps, and assessing risks. Mature security programs generally use full-
coverage frameworks such as the Center for Internet Security Critical
Security Controls or the NIST Cybersecurity framework.

More than half of respondents cited the Open Worldwide Application Security Project
(OWASP)2 Application Security and API Top Ten lists (Figure 3), and the MITRE ATT&CK
Framework3 as the basis for defining application and API risk. See Figure 4.

Figure 3. OWASP API Security Top 10 Vulnerabilities


Takeaway
The OWASP API Top 10 vulnerabilities and the MITRE ATT&CK model are powerful
community-driven starting points for vulnerability assessment of APIs in use, assessing
protection gaps and prioritizing action steps to mitigate API risks.

Figure 4. Frameworks Used to Define Application and API Risk (How does your organization
define application/API risks? Select all that apply.)

OWASP AppSec Top 10                    54.9%
MITRE ATT&CK Framework                 54.9%
OWASP API Security Top 10              51.8%
Cloud Security Alliance                40.4%
CIS Critical Security Controls         33.2%
Other                                   5.2%

Tools/Controls in Use
Vulnerability assessment and management is a core component of every successful
cybersecurity program. It requires a well-defined set of processes, including:

• Discovery/inventory—Knowing what systems, networks, resources, and applications are
relied on for business operation

• Vulnerability assessment and prioritization—Determining if assets have vulnerabilities
and their level of exposure and criticality

• Remediation/mitigation—Applying patches to or replacing vulnerable assets or shielding
those that cannot be remediated

2 OWASP is a nonprofit organization that has been leading community efforts to improve the security of applications and the accuracy and effectiveness of
application security tools since 2001.
3 MITRE, a nonprofit company that operates US federally funded research labs, started ATT&CK in 2013 to document the tactics, techniques, and procedures
(TTPs) actively being used to compromise enterprise networks, systems, applications, and data. The MITRE ATT&CK framework is a widely used model for
defining API threat models and assessing current and needed security posture against API threats.



General-purpose vulnerability discovery and assessment tools often do not provide
visibility into API use and issues. Similarly, standard mitigation approaches such as
denial of service, web security gateway, and application-level firewall products and
services may not address API-level risks, though some web application firewalls can
provide API-level protection.

Of those respondents that are using at least one tool, 23% are using tools or technologies
across three of the areas shown in Figure 5.

Almost two-thirds of respondents are using web application firewalls (WAFs) as part of API
risk mitigation, and more than half cited use of dynamic or static application security
testing tools. Those three controls were also the most mature—more than 42% have been
using WAFs for more than three years, while 38% and 35% have been using static and
dynamic application testing tools, respectively. See Figure 6 for the full breakdown.

API discovery tools are used by 29% of respondents, but only 18% reported more than three
years of experience using those tools; another 23% cited mature use of application-level
discovery tools. API security features in DDoS and content delivery network/load balancing
services were in use by less than one-third of respondents.

Figure 5. Technologies/Tools Currently in Use (Which of the technologies/tools are
currently in use? Select all that apply.)

Web application firewall                                                61.9%
Application vulnerability test, static                                  55.8%
Application vulnerability test, dynamic                                 54.3%
API security testing                                                    49.2%
Application-level firewall                                              37.1%
Web security gateway                                                    33.5%
Application inventory/discovery                                         33.0%
API discovery                                                           29.4%
App/API security features in content delivery network/load balancing    29.4%
Denial of service – cloud based                                         27.4%
Denial of service – on premise                                          12.2%

Figure 6. Length of Time Each Technology/Tool Has Been in Use (How long have you used
each of these technologies/tools?)

                                                   1 year     3 to 10    More than
                                                   or less    years      10 years
Application inventory/discovery                     6.7%      22.9%       3.4%
API discovery                                      11.2%      14.5%       3.9%
Application vulnerability test, static             12.3%      38.0%       7.3%
Application vulnerability test, dynamic            14.5%      34.6%       7.3%
API security testing                               15.6%      28.5%       5.6%
Web application firewall                           13.4%      42.5%       6.7%
Application-level firewall                          7.8%      21.8%       7.8%
Web security gateway                                7.8%      19.6%       6.1%
App/API security features in content delivery
  network/load balancing                            7.3%      19.6%       3.4%
Denial of service – cloud based                     8.9%      13.4%       3.9%
Denial of service – on premises                     1.1%       5.6%       4.5%

A wide variety of commercial products and open source software libraries are available
today from larger application security vendors and smaller API security vendors. The ones
currently in use by respondents are shown in Table 1 with four functional groupings as
follows:

• Discovery/inventory—Inclusive of application inventory and application/API discovery

• Security testing—Inclusive of application vulnerability testing and API security testing

• Firewall/gateway—Including web application and application-level firewalls and web
security gateways

• Cloud-based services—Including app/API in content delivery and cloud-based DoS



Takeaways
Discovering, assessing, and mitigating API risks is a complex problem that requires
multiple security controls and processes to provide complete coverage. Application-level
tools already in widespread use may provide partial coverage—API security-specific
controls that provide full coverage are not yet in widespread use. An underutilized area
is taking advantage of API security controls that are included in DDoS and load balancing
services. Any use of tools from multiple vendors requires investing in training of
analysts and integration of results from disparate tools.

Table 1. Functional Group/Products Used

Discovery/Inventory: ADS, Akamai, APIsec, Checkmarx One, Cloud Asset Inventory, Internal
Tool, Istio/GKE, ModSecurity, Postman, Streamline, Swagger, Tenable

Security testing: APIsec, AppScan, Burp Suite Enterprise, Checkmarx One, CodeQL, Coverity,
DAST, ESAPI WAF, FreeWAF, Gartner, HiHTTPS, ModSecurity, Nessus, NGAF, Nikto, OWASP
Dependency-Check, Paros, Postman, Qualys, SAST, SmartBear ReadyAPI, Snyk, SoapUI,
SonarQube, Synopsys API Scanner, Tenable, Veracode, Wulian, Zap

Firewall/Gateway: Acunetix, Akamai, API, AWS Shield, AWS WAFv2, Azure WAF, Checkpoint,
Cisco, Citrix ADC, Cloud Armor, Cloudflare, F5, Forcepoint, GKE Network Policy, Microsoft
Azure, ModSecurity, Naxsi, NGAF, Norman Personal Firewall, pfSense, Secure Web Gateway,
TCP-Wrappers, UniWSG, URL, Word Fence

Cloud-based services: Akamai, Amazon Lightsail, AWS, AWS Shield, Azure DoS protection
(against excessive traffic, but not DOS caused from within the app), Cisco, Cloud Armor,
Cloud CDN, Cloudflare, LINUX: RUDY (r-u-dead-yet), Uptime Robot

Visibility/Inventory Accuracy
One of the oldest sayings in cybersecurity is, “You can’t protect it if you don’t know
it’s there.” An accurate inventory of networks, computers, and applications has long been
considered the starting point for essential security hygiene, but enterprises have
struggled for years to reach even 80% accuracy on asset inventories. Inventories of APIs
face additional challenges: the average application uses three APIs, and cloud-native
apps often use more.4

Most (57.1%) respondents reported API inventory accuracy of between 25% and 75%, with
20% reporting under 25% and 23% reporting over 75%. See Figure 7 for specifics.

Figure 7. API Inventory Accuracy (How accurate do you think your inventory is of APIs in
use on your production network at any given time? Categories: We have no inventory of
APIs; Unknown/Unsure; 1%–24%; 25%–49%; 50%–74%; 75%–89%; 90%–100%. The two largest bars,
28.8% and 28.3%, are the 25%–49% and 50%–74% categories; the remaining bar values as
extracted are 16.8%, 14.1%, 6.0%, 3.8%, and 2.2%.)

Takeaway
API discovery/inventory accuracy should be at least as high as overall asset inventory
accuracy. Because vulnerable APIs are becoming the most common access point for attacks,
API inventory accuracy should increase and discovery should be performed more often.

4 Nordic APIS, “APIs Have Taken Over Software Development,” October 27, 2020, https://nordicapis.com/apis-have-taken-over-software-development/
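The inventory-accuracy problem described above comes down to comparing what is actually being called with what the catalog says exists. The script below is an added example written for this page; it is not part of the SANS survey and not the code of any product named in Table 1. It infers the set of live endpoints from web-server access logs, collapses identifiers out of the paths, and reconciles the result against a declared inventory to surface undocumented (shadow) endpoints, documented-but-unused (zombie) endpoints, and calls still hitting an older API version (the "updated versions in use" point from the Perceived Risks takeaway). The log lines and the declared inventory are constructed for illustration, and the normalization rules (numeric and UUID segments are identifiers, version segments look like v1/v2) are assumptions to adapt to your own URL conventions.

```python
import re
from collections import Counter

# Constructed sample of access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2023:10:01:02 +0000] "GET /api/v2/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jul/2023:10:01:03 +0000] "GET /api/v2/users/1043/orders HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jul/2023:10:01:05 +0000] "POST /api/v2/orders HTTP/1.1" 201 128
10.0.0.9 - - [12/Jul/2023:10:02:11 +0000] "GET /api/v1/users/77 HTTP/1.1" 200 498
10.0.0.7 - - [12/Jul/2023:10:02:40 +0000] "GET /internal/debug/config HTTP/1.1" 200 9001
10.0.0.7 - - [12/Jul/2023:10:03:01 +0000] "GET /api/v2/users/8f3c2a1e-5c1d-4f7e-9b0a-1c2d3e4f5a6b HTTP/1.1" 200 510
10.0.0.5 - - [12/Jul/2023:10:03:15 +0000] "DELETE /api/v2/users/1042 HTTP/1.1" 204 0
10.0.0.5 - - [12/Jul/2023:10:03:20 +0000] "GET /api/v2/nope HTTP/1.1" 404 0
"""

# Constructed declared inventory: the (method, route template) pairs the API catalog
# or OpenAPI document claims exist. Hypothetical, not taken from any real service.
DECLARED = {
    ("GET", "/api/v2/users/{id}"),
    ("GET", "/api/v2/users/{id}/orders"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/reports"),  # documented but never called in the sample
}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumed normalization rule: purely numeric and UUID path segments are identifiers.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$"
)
VERSION_SEGMENT = re.compile(r"^v(\d+)$")


def normalize(path):
    """Drop the query string and collapse identifier segments to {id}, so that
    /api/v2/users/1042 and /api/v2/users/<uuid> map to one route template."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def parse_log(text):
    """Return a Counter of (method, route) -> request count for routes the server
    actually served. 404 responses are skipped: they do not prove a route exists."""
    seen = Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["status"] == "404":
            continue
        seen[(m["method"], normalize(m["path"]))] += 1
    return seen


def split_version(route):
    """Return (version number or None, route with the version segment replaced by
    {v}) so that /api/v1/users/{id} and /api/v2/users/{id} share one key."""
    parts = route.split("/")
    for i, seg in enumerate(parts):
        m = VERSION_SEGMENT.match(seg)
        if m:
            parts[i] = "{v}"
            return int(m.group(1)), "/".join(parts)
    return None, route


def stale_versions(observed, declared):
    """Observed routes still served under an older version than the newest version
    known (observed or declared) for the same method and versionless route."""
    newest = {}
    for method, route in set(observed) | set(declared):
        version, key = split_version(route)
        if version is not None:
            newest[(method, key)] = max(newest.get((method, key), 0), version)
    stale = set()
    for method, route in observed:
        version, key = split_version(route)
        if version is not None and version < newest[(method, key)]:
            stale.add((method, route))
    return stale


def reconcile(observed, declared):
    """Compare the live routes with the declared inventory."""
    observed_routes = set(observed)
    shadow = observed_routes - declared   # served in production, absent from the catalog
    zombie = declared - observed_routes   # in the catalog, never called in this window
    covered = observed_routes & declared
    return {
        "shadow": shadow,
        "zombie": zombie,
        "stale_versions": stale_versions(observed_routes, declared),
        # Share of live routes the inventory knows about: the "inventory accuracy"
        # the survey asked respondents to estimate, measured instead of guessed.
        "accuracy": len(covered) / len(observed_routes) if observed_routes else 1.0,
    }


if __name__ == "__main__":
    result = reconcile(parse_log(SAMPLE_LOG), DECLARED)
    print(f"inventory accuracy: {result['accuracy']:.0%}")
    for label in ("shadow", "zombie", "stale_versions"):
        for method, route in sorted(result[label]):
            print(f"{label:15s} {method:7s} {route}")
```

On the constructed sample the catalog covers half of the live routes: the v1 user endpoint, the debug endpoint and the undocumented DELETE show up as shadow routes, the documented reports endpoint shows up as a zombie, and the v1 call is flagged because a v2 of the same route exists. In practice the same reconciliation is run against the gateway or load-balancer logs on a schedule, so the accuracy figure is measured each cycle rather than estimated once.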



Plans for the Future
As seen in Figure 8, companies are planning to close API security gaps in the future with
the following four technologies and tools:

• Web security gateways (WSGs) (14%)

• API security features in content delivery network/load balancing (13%)

• Web application firewalls (13%)

• Dynamic application security testing (13%)

All these tools can be effectively used to increase API security, depending on where and
how they are used in the overall security architecture. In particular, WSGs are often
placed between user traffic and the internet and do not provide protection for
server/cloud-based applications. Similarly, WAFs may only be in the path between the
internet and server/cloud-based applications and not provide protection to user PCs
against API attacks. Content delivery networks (CDNs) and load balancers often span both
areas. Choosing a cloud- or CDN-agnostic solution for API discovery can help close many of
these gaps.

Figure 8. Tools to be Implemented (For those technologies/tools not currently in use,
which are you planning to implement in the next two years? Select all that apply.)

Web security gateway                                                    14.1%
Application vulnerability test, dynamic                                 12.9%
Web application firewall                                                12.9%
App/API security features in content delivery network/load balancing    12.9%
API security testing                                                    11.8%
API discovery                                                           10.0%
Application inventory/discovery                                          8.8%
Application-level firewall                                               5.9%
Denial of service – cloud based                                          5.3%
Application vulnerability test, static                                   3.5%
Denial of service – on premise                                           1.8%

Takeaway
Providing effective API security will require multiple tools from multiple vendors. To
increase both effectiveness and efficiency, common vendors chosen from across multiple
functions and services in existing services (such as CDNs/load balancers) should be
looked at first.

Staff Training
The most effective approach to overall application security is to write and/or buy secure
applications. The same is true for APIs. The best way to begin is to educate developers on
secure coding practices and overall application security. More than 75% of respondents
reported training development staff on application security. See Figure 9.

The bad news is that even trained developers make mistakes—writing and procuring
applications and cloud services with vulnerable APIs. Security staff also need to be
trained on application and API security issues. Training is not required for every
security analyst or incident responder, but enough trained personnel must be available to
support all functions and shifts.

Figure 9. Application Security Training for Application Development Staff (Does any of
your application development staff receive training on application security? Yes: 76.3%;
the remaining responses split 12.4% and 11.3% between No and Unknown/Unsure.)



The good news is that more than 70% of respondents (73%) reported training at least 25%
of their security team on application security (see Figure 10). The overall IT and IT
security architecture and technology choices will drive what is right for your
organization.

Figure 10. Percentage of Staff Trained on Application Security (What percentage of your
security staff has training on application security? Categories: Unknown/Unsure; None;
1%–24%; 25%–49%; 50%–74%; 75%–89%; 90%–100%. Bar values as extracted: 29.3%, 22.8%,
18.5%, 14.1%, 6.5%, 6.5%, 2.2%.)

Takeaway
Building security in is always the best approach. Convince management to invest in
educating developers on API security. Some portion of your security staff should also
receive application/API security training. (Between 25% and 75% of survey respondents
received such training.)

Demographics
Most of the 231 survey respondents conduct operations from or are headquartered in the
United States, as shown in Figure 11.

Figure 11. Demographics of Survey Respondents (Top 4 industries represented: technology,
healthcare, banking and finance, education. Organizational size bands: small (up to
1,000), small/medium (1,001–5,000), medium (5,001–15,000), medium/large (15,001–50,000),
large (more than 50,000). Top 4 roles represented: security administrator/security
analyst, security architect, security manager or director, IT manager or director.
Operations and headquarters counts are shown per region on a map; the largest values,
Ops: 159 and HQ: 136, correspond to the United States, with the remaining regional
values as extracted being Ops: 94, 81, 75, 55, 49, 38, 33 and HQ: 38, 22, 11, 9, 7, 5, 3.)



Seventy-eight percent of respondents currently play a role in application security, with
another 15% looking toward future involvement. The largest share of these respondents
(23%) are involved with testing applications for vulnerabilities before the application is
placed into production, quickly followed by those (21%) who scan applications for
vulnerabilities once they have been placed in production. See Figure 12.

Figure 12. Roles of Respondents in Application Security (What role do you primarily play
in application security?)

I work closely with our application developers to build security in.            20.5%
Our application development team asks me for input periodically/occasionally.    16.4%
I review/test applications for vulnerabilities before they go into production.   22.6%
I scan applications for vulnerabilities after they are in production use.        21.0%
I monitor the network to detect attacks on or misuse of applications.            14.4%
I do threat hunting to determine if applications have been compromised.           3.6%
Other                                                                             1.5%

Results/Conclusions

API security is a complex area, requiring security leaders to upgrade/enhance many
security processes at a time when budgets and staffing are under pressure.
These factors put a premium on architectures and solutions that are both
effective and efficient. Just adding spending on more layers of products and more
staff is not feasible.

The key findings from this survey are:

• Discovery and vulnerability assessment of APIs in use needs to be top priority—Many
APIs are already in use, and that number is increasing along with constant updates to
the existing inventory. Techniques for discovery and classification of APIs need to
advance analytics beyond whitelists and other static approaches.

• Protection/mitigation solutions are needed—Low levels of accuracy of API inventory
mean vulnerable APIs may be attackable for long periods of time. Segmentation,
shielding, and mitigation are needed until API development and deployment security
practices are more mature.

• To be both effective and efficient, API security controls need to span both
user-to-application and application-to-application traffic—Risks exist in both areas,
and attackers will always find the low-hanging fruit. An application may be
authenticated and approved, yet it should still be allowed to reach only the subset of
applications or servers it needs.



Summary
Any new technology that can increase customer satisfaction, and ultimately revenue
and profit, will be rapidly adopted by businesses—and quickly probed for weaknesses
by criminals to enable malicious exploits. To be successful, businesses first have to
be movers not only in adopting such technology, but also in adapting, extending, and
improving security architectures and controls to mitigate new risk.

The application programming interfaces relied on by modern distributed applications are
the latest example of this. The essential security hygiene controls of strong authentication,
asset inventory, vulnerability management, and change control need to address API
security issues. Prevention and detection need to be upgraded to deal with API-centric
attacks, and infrastructure services (such as content delivery networks and denial of
service filtering) need to be put to work, as well.

Sponsor

SANS would like to thank this paper’s sponsor:
