Poor API security may cost orgs up to $75B per year  

Today, Imperva released a report titled Quantifying the Cost of API Insecurity, which analyzed almost 117,000 security incidents and found that API insecurity costs organizations between $41 to $75 billion annually. 

It revealed that larger organizations had a higher risk of having API-related breaches, with enterprises making more than $100 billion in revenue being three to four times more likely to experience API insecurity than small or midsize businesses. 

Above all, the report highlights that failing to prioritize API is a costly mistake, particularly when so many insecure APIs are connected directly to backend databases where sensitive data is vulnerable to access and exfiltration. 

How are enterprises getting API security so wrong? 

Organizations are consistently failing to secure APIs, with 95% of organizations suffering an API security incident in the last 12 months, and 34% admitting they lack any kind of API security strategy — despite running APIs in production. 

“Many organizations are failing to protect their APIs because it requires equal participation from the security and development teams,” said Lebin Cheng, vice president of API Security, Imperva. “Historically, these groups have been at odds —security is the party of no, and devops is irresponsible and moves too fast.” 

“In order to address these challenges, security leaders have to enable application developers to create secure code using technology that is lightweight and works efficiently,” Cheng added. 

Cheng recommends that any solutions that security teams deploy should include API discovery and data classification. This way, analysts can discover the schema of APIs, while identifying and classifying the data that flows through it, and while using testing to discover any potential vulnerabilities. 

The API security landscape 

With the widespread adoption of hybrid and multicloud environments, many organizations are beginning to look for solutions that can secure the APIs that exist throughout these decentralized environments. 

One of the providers leading the charge to secure APIs is Salt Security, which raised $140 million as part of a series D funding round and achieved a $1.4 billion valuation earlier this year. Salt Security provides an API protection platform that uses AI and machine learning to scan for APIs, vulnerabilities and exposed data. 

Another key provider in the market is Noname Security, which offers a real-time automated detection and response solution for API-driven threats, and raised $135 million as part of a series C funding round last year (bringing its total valuation to $1 billion).

The focus on API security is also growing among smaller providers like Corsha, which raised $12 million as part of a series A funding round at the start of this year.