APAC organisations are increasingly relying on artificial intelligence and machine learning (AI/ML) enabled solutions to tackle a wide array of security challenges around Application Programming Interfaces (APIs).
F5’s latest report, 2024 Strategic Insights: API Security in APAC, revealed that one in five APAC organisations have adopted AI/ML technologies to detect and mitigate sophisticated threats, such as server-side request forgery (SSRF), that may be overlooked by traditional security measures.
The report also says API Gateways (20%) are widely adopted by organisations across the region for strong access control and to mitigate a broad spectrum of vulnerabilities such as unrestricted access to sensitive business flows.
“Applications have become the front door to cybercrime, and cybercriminals increasingly use APIs as the key. Across the APAC region, we have seen more attacks, with increasing speed, scale and sophistication as cybercriminals leverage AI-powered tools,” said Mohan Veloo, chief technology officer for Asia Pacific, China and Japan for F5.
Given this, he concludes that protecting API connections and the data that runs through them has become a critical security challenge for APAC organisations, especially with many looking to deliver AI.
Manoj Menon, founder and CEO at Twimbit, believes that APAC organisations are facing unique API security challenges that differ significantly from global OWASP rankings.
“The research highlights the pressing need for tailored security measures to address specific risks such as broken authentication, server-side request forgery, and security misconfiguration,” said Menon.
“Countries like Malaysia, New Zealand, South Korea, and India are prioritizing these issues, reflecting the diverse API adoption patterns across the region. It's clear that a focus on robust testing, strong access control and continuous runtime protection is essential for a holistic API security approach in APAC,” he continued.
While APAC organisations look to protect their APIs during runtime, many also increasingly recognise the importance of guarding APIs right from development. Having robust code security standards and practices (18%) has emerged as a fundamental strategy among the region’s organisations to guard APIs against a broad range of complex vulnerabilities, from broken object-level authorisation and security misconfiguration issues to SSRF.
Veloo says API security is now more important, while conceding that it is also more complex, than ever. The report reveals that more organisations are shifting left along the API lifecycle, while still attempting to shield right.
Other key findings specific to APAC:
- Broken authentication, server-side request forgery, and security misconfiguration are top concerns. This is driven by widely used REST/RPC technologies, high use of internal APIs and diverse deployments across the region.
- Security testing and access control are top priorities, underscoring the importance of preventative measures to mitigate risks associated with unauthorized access and ensure robust API security before deployment. APAC organisations took a balanced approach towards runtime protection and discovery, with posture management ranking lowest in priority.
- In API security testing, organisations are balancing traditional methods like Static Application Security Testing (SAST) (54%) and Dynamic Application Security Testing (DAST) (51%) with emerging strategies such as Active API Security Testing (51%). There is industry-wide recognition that diverse testing strategies are important.
- APAC organisations cited heightened concern over potential risks from external entities (59%). Other priorities include compliance with established standards (54%) and secure app-to-app interactions (49%). This reflects trends toward increasing connectivity and highlights the importance of comprehensive security frameworks to address evolving API risks effectively.
- Data leakage (53%) is the highest priority concern for APAC organisations in API runtime protection, underscoring the urgency in protecting sensitive information. There’s also an industry-wide emphasis on maintaining data integrity (28%) and protecting sensitive information through detection and masking techniques (23%).
- APAC organisations are most concerned with identifying APIs that could expose sensitive data or vulnerabilities (63%) and understanding API usage patterns to detect unusual patterns that could indicate breaches or misuse (56%). Zombie APIs (42%) and Shadow APIs (39%) are slightly lower in priority but remain significant concerns.