Awani Review

76% of companies had an API-related security incident in the last year, and 74% of cybersecurity professionals don’t know which APIs are returning sensitive data

More than three-quarters (76%) of respondents in a new survey experienced an API-related security incident in the past 12 months, mainly due to inactive/zombie APIs, license vulnerabilities, and security breaches in web application firewalls.

The Noname Security study also shows that 74% of cybersecurity professionals do not have a complete API inventory or know which APIs return sensitive data.

Shay Levy, chief technology officer and co-founder of Noname Security, says: Our research has highlighted the disconnect between large incidents, low levels of visibility, effective monitoring and testing of the API environment, and misplaced confidence that existing tools prevent attacks. This underscores the need for more training for the security, AppSec and development teams on the realities of API security testing.

Among other findings, 71% of respondents expressed confidence and satisfaction that they had adequate API protection. Fewer than half of the respondents (48%) had visibility into the security status of their enabled APIs.

Only 11% of respondents test APIs for signs of abuse in real time, and 39% test them less than once a day, or even once a week. 67% of respondents are confident that their DAST and SAST tools are capable of testing APIs.

There are some interesting geographical differences: UK respondents (28%) are more likely to have a full inventory of APIs and know which ones expose sensitive data, compared to the US (24%). However, in the US, 44% have visibility into their entire inventory of APIs but don’t know which ones are showing sensitive data, compared to 38% in the UK. This tends to indicate that US organizations care more about API-driven growth than about securing existing APIs.

There are also differences between the teams: 81% of CISOs reported having experienced an API-related security incident, compared to just 53% of AppSec professionals. Additionally, 58% of CIOs say it’s easy to scale API security solutions, while nearly a third (29%) of AppSec respondents say it’s difficult.

Source: Noname Security
