Survey Surfaces Fundamental Weaknesses in API Security
2024-10-31 02:13:17 Author: securityboulevard.com


Traceable AI today published a global survey of 1,548 IT and cybersecurity professionals that finds well over half (57%) work for organizations that have experienced a data breach incident involving application programming interfaces (APIs) in the last two years, with nearly three-quarters of those organizations experiencing three or more incidents.

Well over half (53%) have experienced one or more bot attacks involving their APIs, with 44% acknowledging that bot mitigation is a top challenge.

However, only 19% of respondents rated their API security defenses as highly effective, with more than half (53%) acknowledging web application firewalls (WAFs) and web app and API protection (WAAPs) are ineffective when it comes to identifying or preventing fraud at the API layer.

Richard Bird, chief security officer for Traceable AI, said the survey shines a spotlight on a security disconnect between the application development teams that build APIs and cybersecurity teams that are nominally responsible for securing API endpoints. Many cybersecurity leaders assume existing firewalls are capable of securing APIs without realizing that cybercriminals can easily extract data from a misconfigured API or tamper with business logic in a way that compromises a workflow.

Overall, the survey finds organizations now use an average of 131 third-party APIs, but only 16% said they have a “high ability” to mitigate external risks. That issue is likely to be further exacerbated by the rise of generative artificial intelligence (AI) platforms that are being invoked by APIs. Nearly two-thirds of respondents (65%) note that generative AI already represents a serious to extreme risk, with 60% also aware of the fact that these platforms also extend the overall size of the attack surface that needs to be defended.


The challenge is that while more organizations are aware of API security issues, there is still an ongoing debate over which team should be responsible for securing APIs. Many CISOs contend the responsibility lies with the application development teams that created these APIs, but any cybersecurity strategy that depends on someone doing the right thing is likely to fail, noted Bird.

As such, cybersecurity teams need to assume more responsibility for securing APIs, which are now at the core of almost every modern application deployed in a production environment, he added. CISOs within the banking industry are taking the lead on that issue simply because they now realize how much money is being exchanged between various systems via one type of API or another, added Bird.

Unfortunately, there are no standards for creating APIs, and the number of frameworks for building them only continues to increase. The developers that typically build these APIs often lack cybersecurity expertise, so it’s not uncommon for them to, for example, forget to turn encryption back on after they have updated an API, said Bird. These types of mistakes then make it relatively trivial for cybercriminals to exfiltrate massive amounts of data, he added.

Like it or not, it’s now only a matter of time before more cybersecurity teams assume more responsibility for securing APIs. The only issue that remains to be resolved is how the funding for those initiatives will be provided.



Article source: https://securityboulevard.com/2024/10/survey-surfaces-fundamental-weaknesses-in-api-security/