Survey
2023 SANS Survey
on API Security
Written by John Pescatore
July 2023
©2023 SANS™ Institute
Introduction
From its beginning, computing has involved continual movement from monolithic to
distributed and layered systems. Computers went from mainframes to departmental to
client/server to virtual machines to cloud computing. Networks went from point-to-point
connections to layered physical networks to internet communications. Applications went
from monolithic blocks of code to layered to distributed applications. See Figure 1.
This migration led to increases in performance and flexibility, but as the old saying
goes, “There is no such thing as a free lunch.” Those advantages came at the expense
of additional complexity and, as the other old saying goes, “Complexity is the enemy of
security.” Distributed applications invariably increase both the attack surface available to
malicious actors and the likelihood of vulnerabilities being built into production code.
Modern applications use application programming interfaces (APIs) to define rules for how
different elements should communicate with each other. In a distributor’s catalog, for example,
rather than having to continually modify one gigantic application every time a supplier is added
or deleted, or their listing is changed, the distributor publishes APIs that define data flows for
vendors to join, leave, update, and so on. These APIs essentially capture the business processes
and break them into the lower-level communications required to efficiently enable business
partners and customers to work with the business. A 2022 survey by 451 Research reported the
average enterprise has more than 15,000 APIs in use.1

Figure 1. Evolution of Computing Migration (Source: Axway)
Like other software developers, API designers are highly skilled at capturing legitimate business
requirements and defining how those needs can be met efficiently; they are rarely designing for
abuse. Modern APIs also must support a variety of computing platforms and user devices, which
means that APIs are a threat surface that malicious actors may try to subvert, corrupt, or disrupt
in unexpected ways. Most APIs are updated many times over their lifetime as attackers find
vulnerabilities that then need to be mitigated.
The most used standards for implementing APIs are Simple Object Access Protocol (SOAP)
and Representational State Transfer (REST). SOAP is XML-based and incorporates WS-Security,
which places encryption, digital signatures, and authentication tokens inside the message
itself. REST is an architectural style built on HTTP rather than a message format; REST APIs
typically exchange JSON over HTTPS and, having no message-level security of their own, rely
on TLS for confidentiality and on HTTP mechanisms such as bearer tokens for authentication.
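The following added example (not part of the SANS report) makes the SOAP/REST contrast concrete for the distributor-catalog scenario above. It builds a SOAP request carrying a WS-Security UsernameToken (the PasswordDigest profile: Base64(SHA-1(nonce + created + password))) and a REST request carrying a bearer token over HTTPS, then verifies each the way a receiving service would, including a nonce replay check for the SOAP side. The catalog operation, namespace, hostname, user names, passwords and tokens are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Real OASIS WS-Security namespaces and the PasswordDigest type URI.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
CATALOG = "urn:example:catalog"  # hypothetical namespace for the distributor's catalog API

for prefix, uri in (("soapenv", SOAP_ENV), ("wsse", WSSE), ("wsu", WSU), ("cat", CATALOG)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_soap_request(username, password, supplier_id, nonce=None, created=None):
    """SOAP envelope whose Header carries the credentials in-message (WS-Security)."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP_ENV}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_ENV}}}Body"), f"{{{CATALOG}}}UpdateSupplier")
    ET.SubElement(op, f"{{{CATALOG}}}SupplierId").text = supplier_id
    return ET.tostring(env, encoding="unicode")


def verify_soap_request(xml_text, credentials, seen_nonces):
    """Recompute the digest from the claimed nonce/created and reject reused nonces.
    Production code should parse untrusted XML with defusedxml to block entity attacks."""
    tok = ET.fromstring(xml_text).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return False
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw_el = tok.find(f"{{{WSSE}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if (user not in credentials or pw_el is None or pw_el.get("Type") != DIGEST_TYPE
            or not nonce_b64 or not created or nonce_b64 in seen_nonces):
        return False
    expected = password_digest(base64.b64decode(nonce_b64), created, credentials[user])
    if not hmac.compare_digest(expected, pw_el.text or ""):
        return False
    seen_nonces.add(nonce_b64)  # a replayed envelope is refused next time
    return True


def build_rest_request(token, supplier_id):
    """Equivalent REST call: JSON body, authentication carried in an HTTP header over HTTPS."""
    return {
        "method": "PUT",
        "url": f"https://catalog.example/api/v1/suppliers/{supplier_id}",  # hypothetical host
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps({"supplierId": supplier_id, "status": "active"}),
    }


def verify_rest_request(req, valid_tokens):
    """REST has no message-level security: insist on TLS, then check the bearer token."""
    if not req["url"].startswith("https://"):
        return False
    scheme, _, token = req["headers"].get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not any(hmac.compare_digest(token, t) for t in valid_tokens):
        return False
    try:
        body = json.loads(req["body"])
    except json.JSONDecodeError:
        return False
    return isinstance(body, dict) and "supplierId" in body


if __name__ == "__main__":
    creds, seen = {"vendor42": "correct horse battery"}, set()
    soap = build_soap_request("vendor42", "correct horse battery", "SUP-1001")
    print("SOAP accepted:", verify_soap_request(soap, creds, seen))
    print("SOAP replay accepted:", verify_soap_request(soap, creds, seen))
    print("REST accepted:", verify_rest_request(build_rest_request("tok-123", "SUP-1001"), ["tok-123"]))
```

The point of the pairing: the SOAP message is self-protecting (a verifier can check the token without trusting the transport, and the nonce gives it replay resistance), whereas the REST request is only as safe as the TLS channel and the secrecy of the bearer token, so REST deployments must enforce HTTPS and short-lived tokens at the gateway.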
1 S&P Global Market Intelligence, “The 2022 API Security Trends Report,” https://nonamesecurity.com/resources/api-security-trends-report/