Top Challenges Faced by CISOs in Securing APIs

In 2023, it has never been more critical for CISOs to secure API ecosystems.

There are many advantages to APIs. The main benefit is the interconnectivity of separate services and the exchange of critical data with employees, partners, and customers.

But the modern company has thousands of APIs. They’re changing very quickly too. APIs are a veritable goldmine for hackers because of the sensitive data they’re connected to. And API security breaches are on the rise.

Securiti says API mistakes cause the biggest data breaches. Here are the top issues CISOs face in establishing a secure API structure.

API Security Program / Strategy

Wallarm says 48.8% of CISOs consider their API security program their top concern.

CISOs are tasked with figuring out what a comprehensive API security program looks like. There are many nuances and factors to consider with APIs. For example, when an API is updated, it may create new security issues it previously did not have.

Security strategies, therefore, can’t be static. They must also update or at least account for how changes in the API ecosystem could affect overall security.

The security program of the past may have been antivirus software, a firewall, and secure passwords. This is a good starting point. But today, there is so much more to be mindful of.

But a secure API plan must be created. Security and IT teams depend on the CISO for guidance and direction. And CISOs are confronted by this reality.

Risk Assessment

Risk assessment goes hand in hand with API security programs. SALT’s A CISO’s Essential Guide to API Security says risk assessment has never been more complicated.

The pace of development is only getting faster. That means risks must also be assessed faster. This makes priority management critical. Risks and vulnerabilities must be understood and addressed logically. 

Plus, API security investments need to be made wisely.  

Change Management for New APIs

Change management is a subset of API security strategy, and a concern in its own right.

Process Tempo says:

“New APIs are deployed quickly without proper documentation, governance, and change control.”

Each new API deployment requires new infrastructure. And this requires a clear understanding of the integration, possible threats and vulnerabilities, and what steps must be taken under what circumstances.

API Threat Detection

Through many conversations with CISOs, Process Tempo identified detecting API threats as one of six top concerns.

Many organizations aren’t aware of how many APIs they have. “Shadow APIs,” as it were, make it impossible to know all possible security risks.

CISOs must find a process for detecting and identifying all possible threats to their APIs, not just in real time but also in advance, so that something can be done about them.

Attack Surface

34.1% of CISOs are most concerned with attack surface, according to Wallarm.

The growth of APIs is nothing short of explosive. Nordic API says over 90% of developers use APIs. While 69% use third-party APIs, 20% use internal or private APIs. 

MarketsandMarkets says the API management market size is expected to grow from $4.5 billion in 2022 to $13.7 billion in 2027.

Increased API adoption can only mean one thing—a growing attack surface. More APIs mean more risks and vulnerabilities to identify. And many of them can’t necessarily be identified upfront. Developers must move fast, so they often cannot address all concerns upfront.

Nevertheless, all attack vectors must be identified for complete security. This only gets more complex with additional integrations. Legacy APIs (that aren’t updated) can be problematic too.

Protection Perimeter

One of the key concerns in securing APIs, says Process Tempo, is that protection is rarely a one-and-done operation. In their own words:

“There is rarely a single ‘gateway’ to enforce protection.”

Many security structures may need to be created for different integrations and applications.

Process Tempo says API traffic consists of both internal and external usage. Application API protection is required for both.

Manual Security Configurations

Process Tempo indicates manual security configurations must be made for every new API. Securing APIs is a time-consuming task in an ecosystem with thousands of them.

IT & Cybersecurity Talent

12.2% of CISOs had engineers and staff experts as their top concern, per Wallarm.

CISOs believe that good IT and security talent help them improve API security. Experts can help find risks and vulnerabilities. They can suggest partners and vendors. They can recommend specific tools. They can even support CISOs at the strategic level.

In April 2022, Forbes senior contributor Edward Segal warned of security staff shortages. He quoted the Philadelphia Inquirer, which said there were almost 600,000 unfilled cybersecurity positions despite the U.S. cybersecurity workforce being one million strong.

No wonder CISOs are so concerned about the availability of cybersecurity talent to prevent API security breaches.

Siloed DevOps & Security Teams

According to Process Tempo, as a subset of the concern about engineers and staff experts, CISOs voiced their concern about the sometimes-fractured relationship between DevOps and their security teams.

They add that 30% of APIs were deployed without input from IT security. This means security concerns often aren’t addressed in advance.

Reliable Products & Vendors

Wallarm said 4.9% of CISOs believed trusted products and vendors were a top concern.

CISOs must be aware of all available solutions. But their job doesn’t end there. They must find the right products and vendors for their situation. There are many newcomers to the market. And that can make it hard to know who to trust.

Then comes the technical issue of identifying specific needs. Which solution best matches the API security challenges a CISO wants to address? These concerns can be discussed in the consultation. But of course, this requires additional time.

Conclusion: CISO Priorities 2023

What are your greatest concerns as you look to secure your integrations? How do you plan to secure your APIs? The journey begins with accepting that API security is an urgent need. Then, identify the right strategy and partners. API security is possible with the right API protection solution like AppTrana.


Vinugayathri is a senior content writer at Indusface. She has been an avid reader and writer in the tech domain since 2015. She has been a strategist and analyst of upcoming tech trends and their impact on the cybersecurity, IoT, and AI landscape. She is a content marketer simplifying technical anomalies for aspiring entrepreneurs.
