Misconfigured APIs Make Up Two-Thirds of Cloud Breaches

Shadow IT and misconfigured APIs accounted for the vast majority of security incidents in the cloud last year, according to the 2021 IBM Security X-Force Cloud Threat Landscape Report. In particular, the report revealed that two-thirds of the incidents studied involved improperly configured APIs.


Here's what Salt Security and NTT Application Security had to say about the report's findings.


Michelle McLean, Vice President at Salt Security, a Palo Alto, Calif.-based provider of API security:

APIs are the heart of applications, powering business functionality and serving up data. In the recent Q3 State of API Security report, Salt Labs found that API traffic had increased 141% in the past six months while malicious API traffic increased a whopping 348%. And 94% of respondents had experienced an API security incident in the past 12 months.

Perhaps the clearest indicator that this market has reached a tipping point comes in recent Gartner research. In its August 25, 2021, report entitled “Advance your PaaS Security,” Gartner modified its long-standing security reference architecture to add a distinct pillar dedicated to API security. For years, Gartner noted three components to securing services:

  • WAF, WAAP, API gateway, and CDNs for edge security

  • CWPP for data plane security

  • CSPM for control plane security

Over those years, Gartner nested API security under the WAF/WAAP pillar. In its verbiage, the firm would acknowledge that some organizations might need dedicated API security. But the “picture” didn’t show it separately. By adding API security as a standalone core element of this security reference architecture, Gartner has acknowledged that protecting APIs requires dedicated API security tooling.

This explosive growth in the API security market brings both good news and bad news for buyers. On the upside, customers gain choices, and competition should improve product capabilities. On the downside, separating signal from noise gets harder as the noise gets louder and more voluminous, so organizations will need to dig in and better evaluate both the technical capabilities as well as the customer penetration and success each platform delivers.

Setu Kulkarni, Vice President, Strategy at NTT Application Security, a San Jose, Calif.-based provider of application security:

APIs are fast becoming the technical basis for both B2B and B2C business models. As such, when APIs are developed and deployed, there is really no way to estimate all the possible places the APIs are going to get used. APIs are silently but rapidly becoming one of the most critical pieces of the software supply chain. Organizations are now one vulnerable API call away from a potential major breach.

An underlying challenge that gets obscured is the fact that APIs today are facades to legacy systems which were never designed to be online or used in an integrated B2B or B2C setting. By creating an API layer, these legacy transactional systems are enabled to participate in digital transformation initiatives. This pattern of API enablement of legacy systems creates security issues which otherwise would not have been issues in the controlled trusted zones the legacy systems were designed to operate in.

APIs offer yet another level of configurability in terms of being able to compose new features and capabilities by combining the otherwise atomic APIs that are readily available. These APIs themselves offer a degree of "configurability" in the sense that they allow interacting parties to provide inputs that determine how the API call will respond. Moreover, these APIs are also built with the same principle of externalizing non-functional configuration, like locale, principal and roles, to name only a few.
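The facade-over-a-legacy-system pattern and the externalized "principal" and "roles" inputs mentioned above are worth seeing in code. What follows is an added illustration written for this page; it is not code from the article, from Salt Security or from NTT Application Security. It assumes a hypothetical legacy order lookup (legacy_get_order, with a constructed ORDERS table) that was built for a trusted internal zone and therefore believes whatever principal and roles it is handed. The vulnerable facade treats caller-supplied X-Principal and X-Roles headers as configuration and passes them straight through; the hardened facade derives identity only from a verified bearer token (a constructed HMAC token standing in for a JWT or OAuth access token) and ignores those headers entirely.

```python
"""Added example: API facade over a legacy system that trusts its caller.

Everything here is constructed for illustration: the legacy service, the
order data, the header names and the token format are hypothetical.
"""
import base64
import hashlib
import hmac
import json

# Constructed shared secret; in production this lives in a KMS/HSM, not in code.
SECRET = b"example-shared-secret"

# --- Legacy system: designed for a trusted internal zone, so it believes its caller ---
ORDERS = {
    "1001": {"owner": "alice", "total": 42.0},
    "1002": {"owner": "bob", "total": 99.5},
}


def legacy_get_order(order_id, principal, roles):
    """Legacy authorization: admins see every order, everyone else only their own.

    Note that the legacy code never verifies `principal` or `roles`; it assumes
    an upstream trusted component already did that.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if "admin" in roles or order["owner"] == principal:
        return order
    return None


# --- Constructed HMAC token, a stand-in for a real JWT/OAuth access token ---
def issue_token(principal, roles):
    """Mint a token whose claims are bound to SECRET with HMAC-SHA256."""
    claims = json.dumps({"sub": principal, "roles": roles}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token):
    """Return the claims dict if the signature checks out, else None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


# --- Vulnerable facade: principal and roles are caller-supplied "configuration" ---
def vulnerable_facade(headers, order_id):
    """Passes X-Principal / X-Roles straight into the legacy system.

    Any external caller can claim to be anyone with any role, so the legacy
    authorization check is trivially bypassed.
    """
    principal = headers.get("X-Principal")
    roles = headers.get("X-Roles", "").split(",")
    return legacy_get_order(order_id, principal, roles)


# --- Hardened facade: identity comes only from a verified credential ---
def hardened_facade(headers, order_id):
    """Derives principal and roles from a verified bearer token.

    The legacy system still receives principal and roles as parameters, but
    the facade, not the caller, decides what they are. X-Principal and
    X-Roles headers are ignored even if present.
    """
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    claims = verify_token(token)
    if claims is None:
        return None  # unauthenticated or tampered token
    return legacy_get_order(order_id, claims["sub"], claims["roles"])
```

The fix is not to add authorization to the legacy code (it already has some); it is to stop letting the trust boundary leak through the facade. Whatever the legacy system treats as a pre-verified fact (here, who is calling and what roles they hold) must be established by the API layer from a credential it can check, never read from request input.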


###