F5’s 2024 State of Application Strategy Report: API Security reveals alarming deficiencies in API protection, highlighting critical vulnerabilities that could endanger enterprise security. Released on October 3, 2024, the report emphasizes the rapid growth of APIs in the digital landscape and finds that less than 70% of customer-facing APIs are secured using HTTPS. This leaves nearly one-third of these APIs vulnerable, contrasting sharply with the 90% of web pages currently utilizing HTTPS.
Lori MacVittie, a distinguished engineer at F5, notes that while APIs are essential for digital transformation, many organizations are failing to meet the necessary security standards, particularly in light of emerging AI threats. The report identifies several key issues:
- API Proliferation: Organizations typically manage around 421 APIs, primarily hosted in public cloud environments. However, many customer-facing APIs remain unprotected.
- Evolving Security Needs: As APIs increasingly interface with AI services, security measures must adapt to protect both inbound and outbound traffic. Current practices tend to focus predominantly on incoming traffic, leaving outbound calls at risk.
- Fragmented Security Responsibility: The responsibility for API security is often divided within organizations, with 53% managing it under application security and 31% through API management platforms. This division can create inconsistencies and gaps in security coverage.
- Demand for Programmable Security: Survey respondents highlighted the importance of programmability in API security solutions, indicating a need for real-time inspection and response to threats.
To mitigate these vulnerabilities, the report advises organizations to adopt comprehensive security strategies covering the entire API lifecycle—from design to deployment. Integrating API security into both the development and operational phases is crucial for safeguarding digital assets against an increasing array of threats. The findings serve as a call to action for organizations to reassess their API security frameworks to ensure safe and effective operation in the AI-driven era.