A new survey highlights the widespread nature of API security incidents and the lack of full inventories of potentially dangerous APIs. Credit: iStock A report released this week by OpinionMatters and commissioned by Noname Security found that more than three out of four senior cybersecurity professionals in the US and UK said that their organization had experienced at least one API-related security incident within the last 12 months.A similar number, 74%, said that they had not completed a full inventory of all APIs in their systems, or have full knowledge of which ones could return sensitive data. The most common security gaps identified were dormant APIs—APIs that have been ostensibly replaced but remain in operation—authorization vulnerabilities, and web application firewalls.With that said, a strong majority—71%—also said that they were confident in the API security provided by their communications service provider, indicating, according to Noname, that there’s a level of complacency at work around the topic. “There is clearly a disconnect between what is happening in the real world, and organizational attitudes towards API security,” the report said. “The level of misplaced confidence around API security is disproportionately high in comparison to the number and severity of API-related breaches. This points to the need for further education by security, [application security], and development teams around the realities of API security.” Digital transformation, the report added, will only make API security more important as time goes on. The authors cited a Gartner report that said that API-related breaches could become the most common type of security incident as of this year.Utility, manufacturing sectors have biggest API security issuesThe most vulnerable industries, according to the survey, were energy and utilities, as well as manufacturing—78% of respondents in the former industry reported some type of API breach in the previous year, as well as 79% in the latter. Only 19% of energy and utility company respondents reported having a full API inventory or full insight into which of their APIs were potential points of vulnerability. UK respondents were slightly more likely to have real-time insight into their potential API vulnerabilities, as well as a better sense of overall API inventory—14% of UK respondents reported real-time testing, with just 8% of US users saying likewise, and 28% said they had fully inventoried their APIs and potentially sensitive data, compared to 24% for US respondents.Related: 9 API security tools on the frontlines of cybersecurity Related content feature The biggest data breach fines, penalties, and settlements so far Hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes have cost these companies a total of nearly $4.4 billion and counting. By Shweta Sharma and Michael Hill Apr 26, 2024 16 mins Data Breach Security news New CISO appointments 2024 Keep up with news of CSO, CISO, and other senior security executive appointments. By CSO Staff Apr 26, 2024 14 mins CSO and CISO IT Jobs IT Governance news Top cybersecurity product news of the week New product and service announcements from Forcepoint, Ionix, Amplifier Secutiry and Torq. By CSO staff Apr 26, 2024 81 mins Generative AI Security feature Looking outside: How to protect against non-Windows network vulnerabilities Security administrators who work in Windows-based environments should heed the lessons inherent in recent vulnerability reports. By Susan Bradley Apr 25, 2024 7 mins Windows Security Network Security Security Practices PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe