5 Alarming API security gaps that are putting your business at risk

By Gloria Methri

In a landscape increasingly dominated by artificial intelligence, a newly released report by F5 has revealed concerning truths about the current state of API security across industries.

The ‘2024 State of Application Strategy Report: API Security’ highlights significant gaps in API protection, exposing them to potential threats that could jeopardise enterprise security and operations. These challenges are magnified by the rapid proliferation of APIs in today’s digital landscape. Here are the five key truths that emerged from the report:

1. Unsecured APIs Are Widespread

The report reveals that less than 70% of customer-facing APIs are secured with HTTPS, leaving nearly one-third completely unprotected. In stark contrast, 90% of web pages now use HTTPS, showcasing a troubling disconnect in API security practices.

2. Rapid API Proliferation

Organisations are managing an average of 421 different APIs, most of which are hosted in public cloud environments. This rapid growth further complicates the security landscape, with many APIs remaining vulnerable to attacks. Less than 70% of customer-facing APIs are secured using HTTPS (Hypertext Transfer Protocol Secure), leaving nearly one-third of these APIs completely unprotected.

3. Outdated Security Models

APIs are increasingly connecting with AI services like OpenAI, yet current security models largely focus on inbound traffic. This oversight leaves outbound API calls susceptible to threats, emphasising the need for a more adaptive approach.

4. Fragmented Security Responsibility

Responsibility for API security is split across different teams—53% of organisations manage it under application security, while 31% use API management platforms. This fragmentation can lead to inconsistent security practices and coverage gaps.

5. Demand for Programmable Security Solutions

The report highlights a high demand for programmable security capabilities, with organisations recognising the need for real-time inspection and response to API traffic and threats. By integrating API security into both development and operational phases, organisations can better protect their digital assets against a growing array of threats.

“APIs are becoming the backbone of digital transformation efforts, connecting critical services and applications across organisations,” said Lori MacVittie, Distinguished Engineer at F5. “However, as our report indicates, many organisations are not keeping pace with the security requirements needed to protect these valuable assets, especially in the context of emerging AI-driven threats.”

“APIs are integral to the AI era, but they must be secured to ensure that AI and digital services can operate safely and effectively,” added MacVittie. “This report is a call to action for organisations to re-evaluate their API security strategies and take the necessary steps to protect their data and services.”