“1 in 5 APAC Companies Considering AI/ML-Based Solutions for API Security” F5

F5 has revealed that enterprises in the Asia Pacific (APAC) region are increasingly looking to AI/ML-enabled solutions to address a variety of API-related security challenges. This is according to F5’s first 2024 Strategic Insights report, “2024 Strategic Insights: API Security in APAC.”


According to the report, as APIs become a key target for cyberattacks, enterprises in the Asia-Pacific region are adopting AI/ML technologies to detect and mitigate sophisticated cyberattacks that traditional security defense technologies cannot detect, such as Server-Side Request Forgery (SSRF). About 20% of enterprises are adopting API gateways to mitigate a wide range of vulnerabilities, including strong access control and unrestricted access to sensitive business flows. In the case of Korean enterprises, the adoption rate of AI/ML solutions reached 28.5%.

“Applications have become the gateway to cybercrime, and cybercriminals are increasingly using APIs as the key to that door,” said Mohan Velu, CTO of F5 APCJ. “As cybercriminals leverage AI-based tools, attacks are increasing in speed, scale, and sophistication. Securing API connections and the data transmitted over them has become a critical security imperative, especially for many APAC companies looking to deliver AI.”

Our research also shows that many companies want to protect their APIs during runtime, and there is growing recognition that it is important to protect APIs from the early stages of development.

“API security is more critical today than ever, but it’s also more complex than ever,” Velu said. “The report’s findings clearly show that while more enterprises are implementing shift-left approaches along the API lifecycle, they’re still trying to shield-right as well.”

Key findings from the report include:

  • The Asia Pacific region faces unique API security threats, according to the analysis. The ranking of security threats selected by Asia Pacific companies is quite different from the global OWASP ranking. Authorization violation (Broken Authentication), SSRF, and security configuration errors were identified as the biggest concerns. This is attributed to the wide use of REST/RPC technology throughout the Asia Pacific region, the high usage rate of internal APIs, and the variety of deployment environments.
  • APAC enterprises rank security testing and access control as top priorities in the API security lifecycle. They emphasize the importance of preventative measures to mitigate risks associated with unauthorized access and ensure robust API security prior to deployment. APAC enterprises take a balanced approach to runtime protection and API discovery, with state management being the least prioritized.
  • Many companies are taking a more sophisticated approach to API security testing. Companies are balancing traditional methods, such as Static Application Security Testing (SAST) at 54% and Dynamic Application Security Testing (DAST) at 51%, with newer strategies, such as Active API Security Testing (APT) at 51%. This appears to reflect an industry-wide recognition of the importance of a variety of testing strategies.
  • External user control emerged as the top concern for API access control. APAC companies reported increased concerns about potential external risks (59%). Other priorities included established compliance (54%) and secure app-to-app interactions (49%). This reflects the trend toward increased connectivity and highlights the importance of a comprehensive security framework to effectively address evolving API risks.
  • A focus on protecting data from data leakage and manipulation was identified. Data leakage (53.3%) is the top priority for APAC enterprises in API runtime protection, showing the urgency of protecting sensitive information. In addition, maintaining data integrity (27.7%) and protecting sensitive information through detection and masking technology (23.4%) are emphasized across the industry.
  • APAC companies are focusing on discovering high-risk APIs and monitoring API usage. Identifying APIs that could expose sensitive data or vulnerabilities (63%) and understanding API usage to detect unusual patterns that could indicate a breach or misuse (56%) were the top responses. Zombie APIs and shadow APIs were relatively low priority at 42% and 39%, respectively, but are still considered important.

editor@itworld.co.kr

Source: www.itworld.co.kr