Guest: Rupesh Chokshi (LinkedIn)
Company: Akamai (Twitter)
Show: Newsroom

Last April, Akamai published an App & API State of the Internet Report that exposed the sheer volume of application and application programming interface (API) attacks. It then partnered with the SANS Institute to conduct a global survey to determine the level of awareness and readiness among enterprises.

In this episode of TFiR: Newsroom, Akamai Senior Vice President and General Manager of Application Security Rupesh Chokshi shares the findings of the 2023 SANS Survey on API Security as well as his insights on the rapidly evolving security landscape.

The 2023 SANS Survey on API Security was conducted during the first quarter of 2023. The respondents included 231 application security professionals around the world. The focus was on API security. The goal was to know:

  • What is the current level of awareness within the enterprise?
  • What is their current thought process?
  • How are they going about these things?

Key findings:

  • Fewer than 50% of the respondents have API security testing tools in place.
  • Only 29% have API discovery tools.
  • Only 29% take advantage of API security controls that are included in DDoS and load balancing services. Hence, these features are underutilized.
  • The top API security concerns were phishing, missing patches, and the exploitation of vulnerable applications/APIs.

On security:

  • The security landscape and the threat vectors are continuously evolving. Companies need to treat security as a cat-and-mouse game, not a one-and-done project.
  • Security is a business issue – it needs investment, a very comprehensive cybersecurity strategy, a widely accepted security culture, and trusted strategic partners.
  • It is not just the group that sits under a CISO that is responsible for cybersecurity, hygiene, risk profiles, and posture management. The entire organization needs to be responsible because the brand is at stake, the customer data is at stake, the supply chain of interactions is at stake.
  • Organizations have to go about their security programs systematically and evolve those programs as the landscape changes.
  • Highlighting the lack of awareness and readiness for these API attacks is very important. Customers see value in visibility, discovery, detection, remediation, and response to the enforcement.
  • API security improves compliance, risk management, and business process agility.
  • The combination of variables (traffic is growing, API transactions are growing, developers are putting more applications into production, the connected economy) has created an opportunity and attack surface for bad actors to exploit.
  • Vulnerable APIs are increasingly getting targeted, e.g., T-Mobile, Optus, Twitter.

Advice for companies looking to improve their API security posture:

  • Be on the offensive with your security strategy. The 2023 API Security Survey and the recent Akamai State of the Internet Report both point to rampant attacks due to vulnerabilities.
  • Focus on discovery, visibility, detection, and remediation.
  • Have a broader end-to-end view, particularly in this era of the connected economy and rapid digitization.
  • Understand the landscape, the threat vectors, and what you need to do proactively.
  • Follow best practices in addressing authentication, asset inventory, vulnerability management, and change control.
  • Go with the right trusted strategic partner who can bring value forward, who can guide and demonstrate that they can do a lot at scale. Akamai, for example, brings a cohesive value proposition in application and API security to make it easy for the customer.

This summary was written by Camille Gregory.
