2023 SANS Survey On API Security
This migration led to increases in performance and flexibility, but as the old saying
goes, “There is no such thing as a free lunch.” Those advantages came at the expense
of additional complexity and, as the other old saying goes, “Complexity is the enemy of
security.” Distributed applications invariably increase both the attack surface available to
malicious actors and the likelihood of vulnerabilities being built into production code.
API developers, like other software developers, are highly skilled at capturing legitimate business
requirements and defining how those needs can be met efficiently. Modern APIs must also support
a variety of computing platforms and user devices, which makes them a threat surface that
malicious actors may try to subvert, corrupt, or disrupt in unexpected ways. Most APIs are
updated many times over their life as attackers find vulnerabilities that then need to be mitigated.
The most widely used standards for implementing APIs are the Simple Object Access Protocol (SOAP)
and Representational State Transfer (REST). SOAP is XML-based and can incorporate WS-Security
for encryption, digital signing, and authentication services. REST is an architectural style built on
HTTP; REST APIs typically rely on HTTPS for transport security and JSON for data exchange.
1 S&P Global Market Intelligence, "The 2022 API Security Trends Report," https://nonamesecurity.com/resources/api-security-trends-report/
Although those security activities are well known, there are often gaps in knowledge, skills,
and management prioritization when applying them to API security. The SANS API security
survey was conducted to determine enterprise awareness, readiness, and future plans for
dealing with API security risks.
Survey Results
In most publicly reported security incidents, the top three exploited vulnerabilities are
generally:
Frameworks in Use
Cybersecurity frameworks provide a common language and reference model for determining
the completeness of a security program, exposing gaps, and assessing risks. Mature security
programs generally use full-coverage frameworks such as the Center for Internet Security
Critical Security Controls or the NIST Cybersecurity Framework.
requires a well-defined set of processes, including:
• Discovery/inventory—Knowing what systems, networks, resources, and applications are relied on for business operation
• Vulnerability assessment and prioritization—Determining if assets have vulnerabilities and their level of exposure and criticality
• Remediation/mitigation—Applying patches to or replacing vulnerable assets or shielding those that cannot be remediated
[Figure 4. Frameworks Used to Define Application and API Risk (chart not reproduced)]
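The three processes above (inventory, assessment and prioritization, remediation) are described at the policy level; the following is an added example of what the first two look like when applied to an API, written for this edit and not taken from the survey or from any vendor tool. It parses an OpenAPI 3 document, builds an inventory of every (method, path) operation, resolves each operation's effective security requirement, and ranks the unauthenticated operations so the remediation step has an ordered list to work from. The `Orders API` specification embedded in the block is constructed for the example; the scoring weights and the `/internal`/`debug` heuristic are assumptions, not a standard.

```python
"""Inventory an OpenAPI 3 document and rank unauthenticated operations.

Added example (not from the SANS survey). The spec below is constructed;
the scoring rules are illustrative assumptions, not a published standard.
"""
import json

# Constructed OpenAPI 3 document for a fictitious service.
# Document-level "security" sets the default; an operation may override it,
# and an explicit empty list ("security": []) means no authentication at all.
SPEC_JSON = """
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API (constructed)", "version": "1.0"},
  "security": [{"bearerAuth": []}],
  "components": {"securitySchemes": {
    "bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/health": {
      "get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    "/orders": {
      "get":  {"responses": {"200": {"description": "list"}}},
      "post": {"responses": {"201": {"description": "created"}}}},
    "/orders/{id}": {
      "delete": {"security": [],
                 "responses": {"204": {"description": "deleted"}}}},
    "/internal/debug": {
      "get": {"security": [], "responses": {"200": {"description": "dump"}}}}
  }
}
"""

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
# State-changing methods score higher when reachable without authentication.
WRITE_METHODS = {"post", "put", "patch", "delete"}


def load_spec() -> dict:
    """Parse the constructed specification."""
    return json.loads(SPEC_JSON)


def inventory(spec: dict) -> list[dict]:
    """Discovery/inventory: one record per (method, path) operation with the
    effective security requirement resolved (operation overrides document)."""
    default_security = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:        # skip parameters, summary, etc.
                continue
            security = op.get("security", default_security)
            records.append({"method": method.upper(), "path": path,
                            "authenticated": len(security) > 0})
    return records


def score(record: dict) -> int:
    """Assessment/prioritization: crude exposure score (assumed weights).
    0 = authenticated; unauthenticated read = 1, unauthenticated write = 3,
    +1 when the path looks internal or diagnostic."""
    if record["authenticated"]:
        return 0
    s = 3 if record["method"].lower() in WRITE_METHODS else 1
    if "/internal" in record["path"] or "debug" in record["path"]:
        s += 1
    return s


def prioritized_findings(spec: dict, allow_public=frozenset()) -> list[dict]:
    """Unauthenticated operations, highest score first, minus an allowlist of
    operations ("GET /health") that are intentionally public."""
    findings = []
    for rec in inventory(spec):
        if rec["authenticated"] or f"{rec['method']} {rec['path']}" in allow_public:
            continue
        findings.append(dict(rec, score=score(rec)))
    return sorted(findings, key=lambda f: (-f["score"], f["path"], f["method"]))


if __name__ == "__main__":
    spec = load_spec()
    print(f"{len(inventory(spec))} operations inventoried")
    for f in prioritized_findings(spec, allow_public={"GET /health"}):
        print(f"score={f['score']} {f['method']:6} {f['path']}")
```

Run against the constructed spec, the inventory has five operations; with `GET /health` allowlisted as intentionally public, the ranked findings are `DELETE /orders/{id}` (unauthenticated write, score 3) and `GET /internal/debug` (unauthenticated internal read, score 2). The allowlist matters in practice: a scanner that cannot distinguish a deliberately anonymous health check from a forgotten debug endpoint produces noise that teams learn to ignore.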
2 OWASP is a nonprofit organization that has been leading community efforts to improve the security of applications and the accuracy and effectiveness of application security tools since 2001.
3 MITRE, a nonprofit company that operates US federally funded research labs, started ATT&CK in 2013 to document the tactics, techniques, and procedures (TTPs) actively being used to compromise enterprise networks, systems, applications, and data. The MITRE ATT&CK framework is a widely used model for defining API threat models and assessing current and needed security posture against API threats.