Tuesday, 30 July 2024

AI, ML harnessed for API security: F5

Asia-Pacific (APAC) organisations are increasingly relying on artificial intelligence and machine learning (AI/ML)-enabled solutions to tackle a wide array of security challenges around application programming interfaces (APIs), according to F5’s 2024 Strategic Insights: API Security in APAC report. The report examines the challenges and opportunities in API security across the region.

With APIs increasingly being the point of attack for cybercriminals, one in five APAC organisations have adopted AI/ML technologies to detect and mitigate sophisticated threats, such as server-side request forgery (SSRF), that may be overlooked by traditional security measures. API gateways (20%) are also widely adopted by organisations across the region for strong access control and to mitigate a broad spectrum of vulnerabilities such as unrestricted access to sensitive business flows.

“Applications have become the front door to cybercrime, and cybercriminals increasingly use APIs as the key. Across the APAC region, we have seen more attacks, with increasing speed, scale and sophistication as cybercriminals leverage AI-powered tools,” said Mohan Veloo, CTO for Asia Pacific, China and Japan, F5. 

“As such, protecting API connections and the data that runs through them has become the critical security challenge for APAC organisations, especially with many looking to deliver AI.”

“APAC organisations are facing unique API security challenges that differ significantly from global OWASP rankings. The research highlights the pressing need for tailored security measures to address specific risks such as broken authentication, server-side request forgery, and security misconfiguration. 

“Countries like Malaysia, New Zealand, South Korea, and India are prioritising these issues, reflecting the diverse API adoption patterns across the region. It's clear that a focus on robust testing, strong access control and continuous runtime protection is essential for a holistic API security approach in APAC,” said Manoj Menon, Founder and CEO at Twimbit.

While APAC organisations look to protect their APIs during runtime, many also increasingly recognise the importance of guarding APIs right from development, F5 said. Having robust code security standards and practices (18%) has emerged as a fundamental strategy among the region’s organisations to guard APIs against a broad range of complex vulnerabilities, from broken object level authorisation and security misconfiguration issues to server-side request forgery (SSRF).

“Today, API security is more important, but also more complex than ever. Findings from our report clearly show that more organisations are shifting left along the API lifecycle, while still attempting to shield right. F5 is bringing advanced API code testing and telemetry analysis to F5 Distributed Cloud Services, creating the industry’s most comprehensive and AI-ready API security solution. 

“F5 Distributed Cloud Services can offer API discovery, testing, posture management, and runtime protection, all in a single platform, allowing organisations to gain true visibility and security from code to cloud,” Veloo added.

Other report highlights for APAC organisations include: 

APAC faces unique API security challenges 

Security challenge rankings by APAC organisations diverge from global OWASP rankings, with broken authentication, SSRF, and security misconfiguration emerging as top concerns. This is driven by widely used representational state transfer/remote procedure call (REST/RPC) technologies, high use of internal APIs and diverse deployments across the region.

Security testing and access control are top priorities in the API security lifecycle 

This underscores the importance of preventative measures to mitigate risks associated with unauthorised access and ensure robust API security before deployment. APAC organisations took a balanced approach towards runtime protection and discovery, with posture management ranking lowest in priority. 

APAC is maturing in its approach to API security testing

Organisations are balancing traditional methods like static application security testing (SAST) (54%) and dynamic application security testing (DAST) (51%) with emerging strategies such as active API security testing (51%). This reflects an industry-wide recognition of the importance of diverse testing strategies.

Controlling external users is the top concern in API access control

APAC organisations cited heightened concern over potential risks from external entities (59%). Other priorities include compliance with established standards (54%) and secure app-to-app interactions (49%). This reflects trends toward increasing connectivity and highlights the importance of comprehensive security frameworks to address evolving API risks effectively, F5 said.

Strong focus on protecting data against leakage and tampering

Data leakage (53%) is the highest priority for APAC organisations in API runtime protection, underscoring the urgency in protecting sensitive information. There’s also an industry-wide emphasis on maintaining data integrity (28%) and protecting sensitive information through detection and masking techniques (23%).

Concerns about discovering high-risk APIs and monitoring API usage

APAC organisations are most concerned with identifying APIs that could expose sensitive data or vulnerabilities (63%) and understanding API usage to detect unusual patterns that could indicate breaches or misuse (56%). Zombie APIs (42%) and shadow APIs (39%) are slightly lower in priority but remain significant concerns.

Explore

Download the 2024 Strategic Insights: API Security in APAC report at https://www.f5.com/c/apcj-2024/asset/2024-strategic-insights-api-security-in-apac

*To evaluate the current landscape of API security in APAC, Twimbit conducted research on behalf of F5 in 1H24, surveying 297 professionals from various sectors, including security, DevOps, SecOps, and application development. Respondents were distributed across 11 APAC markets: Australia, mainland China, India, Indonesia, Japan, Korea, Malaysia, New Zealand, Singapore, Taiwan, and Thailand.
