New F5 Report Unveils Scary Truths About API Security in the AI Era
F5's 2024 State of Application Strategy Report: API Security reveals significant gaps in API protection, exposing enterprises to potential threats. Key findings include:
1. Less than 70% of customer-facing APIs use HTTPS, leaving nearly one-third unprotected.
2. Organizations manage an average of 421 different APIs, mostly in public cloud environments.
3. Current security practices focus on inbound traffic, leaving outbound API calls vulnerable.
4. API security responsibility is divided within organizations, potentially leading to coverage gaps.
5. Programmability is ranked as the most valuable API security capability.
The report emphasizes the need for comprehensive security solutions covering the entire API lifecycle to address these challenges in the AI era.
Il Rapporto sulla Strategia delle Applicazioni del 2024 di F5: Sicurezza delle API rivela significative lacune nella protezione delle API, esponendo le imprese a potenziali minacce. I risultati chiave includono:
1. Meno del 70% delle API rivolte ai clienti utilizza HTTPS, lasciando quasi un terzo non protetto.
2. Le organizzazioni gestiscono in media 421 API diverse, per lo più in ambienti cloud pubblici.
3. Le attuali pratiche di sicurezza si concentrano sul traffico in entrata, rendendo vulnerabili le chiamate API in uscita.
4. La responsabilità della sicurezza delle API è suddivisa all'interno delle organizzazioni, con il rischio di lacune nella copertura.
5. La programmabilità è considerata la capacità di sicurezza delle API più preziosa.
Il rapporto sottolinea la necessità di soluzioni di sicurezza complete che coprano l'intero ciclo di vita delle API per affrontare queste sfide nell'era dell'IA.
El Informe sobre el Estado de la Estrategia de Aplicaciones 2024 de F5: Seguridad de API revela importantes brechas en la protección de API, exponiendo a las empresas a posibles amenazas. Las principales conclusiones incluyen:
1. Menos del 70% de las API orientadas al cliente utilizan HTTPS, dejando casi un tercio sin protección.
2. Las organizaciones manejan un promedio de 421 API diferentes, principalmente en entornos de nube pública.
3. Las prácticas de seguridad actuales se centran en el tráfico entrante, dejando vulnerables las llamadas de API salientes.
4. La responsabilidad de la seguridad de las API está dividida dentro de las organizaciones, lo que puede provocar brechas en la cobertura.
5. La programabilidad se clasifica como la capacidad de seguridad de API más valiosa.
El informe enfatiza la necesidad de soluciones de seguridad integrales que cubran todo el ciclo de vida de la API para abordar estos desafíos en la era de la IA.
F5의 2024 애플리케이션 전략 보고서: API 보안에서는 API 보호에 있어 중요한 격차를 드러내며 기업들이 잠재적인 위협에 노출되고 있음을 나타냅니다. 주요 결과는 다음과 같습니다:
1. 고객 대상 API의 70% 미만이 HTTPS를 사용하여 거의 3분의 1이 보호받지 못하고 있습니다.
2. 조직들은 평균 421개의 다양한 API를 관리하며, 대부분 공공 클라우드 환경에서 운영됩니다.
3. 현재 보안 관행은 인바운드 트래픽에 초점을 맞추고 있어 아웃바운드 API 호출이 취약합니다.
4. API 보안 책임이 조직 내에서 분산되어 있어 보안 공백이 발생할 수 있습니다.
5. 프로그래머블리티는 가장 가치 있는 API 보안 기능으로 평가됩니다.
보고서는 이러한 문제를 해결하기 위해 API 수명 주기를 아우르는 포괄적인 보안 솔루션의 필요성을 강조합니다.
Le Rapport sur l'État de la Stratégie des Applications 2024 de F5 : Sécurité des API révèle d'importantes lacunes dans la protection des API, exposant les entreprises à des menaces potentielles. Les principales conclusions incluent :
1. Moins de 70 % des API orientées vers les clients utilisent HTTPS, laissant presque un tiers non protégé.
2. Les organisations gèrent en moyenne 421 API différentes, principalement dans des environnements de cloud public.
3. Les pratiques de sécurité actuelles se concentrent sur le trafic entrant, laissant vulnérables les appels d'API sortants.
4. La responsabilité de la sécurité des API est divisée au sein des organisations, ce qui peut potentiellement entraîner des lacunes de couverture.
5. La programmabilité est classée comme la capacité de sécurité des API la plus précieuse.
Le rapport souligne la nécessité de solutions de sécurité complètes couvrant tout le cycle de vie des API pour faire face à ces défis à l'ère de l'IA.
Der Bericht zum Stand der Anwendungsstrategie 2024 von F5: API-Sicherheit zeigt erhebliche Lücken im API-Schutz auf, die Unternehmen potenziellen Bedrohungen aussetzen. Die wichtigsten Ergebnisse umfassen:
1. Weniger als 70 % der kundenorientierten APIs verwenden HTTPS, wodurch fast ein Drittel ungeschützt bleibt.
2. Organisationen verwalten durchschnittlich 421 verschiedene APIs, hauptsächlich in öffentlichen Cloud-Umgebungen.
3. Aktuelle Sicherheitspraktiken konzentrieren sich auf eingehenden Datenverkehr, wodurch ausgehende API-Anfragen anfällig werden.
4. Die Verantwortung für die Sicherheit von APIs ist innerhalb der Organisationen verteilt, was potenziell zu Lücken in der Abdeckung führen kann.
5. Programmierbarkeit wird als die wertvollste Fähigkeit der API-Sicherheit eingestuft.
Der Bericht betont die Notwendigkeit umfassender Sicherheitslösungen, die den gesamten API-Lebenszyklus abdecken, um diese Herausforderungen im KI-Zeitalter zu bewältigen.
- F5 released a comprehensive report on API security, positioning itself as a thought leader in the field
- The report highlights the growing importance of API security, potentially driving demand for F5's security solutions
- Identification of programmability as the most valuable API security capability aligns with F5's strengths in this area
- The report may expose vulnerabilities in F5's own API security offerings if they don't fully address the identified gaps
- Fragmented responsibility for API security within organizations could complicate F5's sales and implementation processes
Insights
The findings from F5's report are deeply concerning for enterprise security. With only
The division of API security responsibilities between application security teams and API management platforms is a recipe for oversight and inconsistency. This fragmented approach could lead to critical vulnerabilities being missed or inadequately addressed. The high demand for programmable security solutions indicates a growing awareness of the need for real-time threat detection and response capabilities.
As APIs increasingly connect to AI services, the security paradigm must evolve to protect both inbound and outbound traffic. This shift is important as AI integration expands, potentially exposing organizations to new vectors of attack if left unaddressed. Organizations must prioritize comprehensive API security measures to mitigate risks in this rapidly evolving landscape.
The rapid proliferation of APIs, with an average of 421 per organization, underscores their critical role in digital transformation. However, the security lag is concerning. The fact that nearly
The shift towards public cloud environments for API hosting introduces additional complexity to security efforts. This trend, coupled with the emerging use of APIs to connect with AI services like OpenAI, signals a need for more sophisticated and adaptable security models. The high ranking of programmability as a valuable API security capability indicates a market demand for flexible, responsive security solutions.
Organizations must bridge the gap between their rapid API adoption and their security practices. Integrating API security throughout the development and operational lifecycle will be important for protecting digital assets and maintaining trust in an increasingly API-driven, AI-augmented digital ecosystem.
F5’s 2024 State of Application Strategy Report: API Security reveals gaps in API protection and urgent need for comprehensive security measures
The survey found that less than
“APIs are becoming the backbone of digital transformation efforts, connecting critical services and applications across organizations,” said Lori MacVittie, Distinguished Engineer at F5. “However, as our report indicates, many organizations are not keeping pace with the security requirements needed to protect these valuable assets, especially in the context of emerging AI-driven threats.”
Key Findings of the Report Include:
- Rapid growth and diverse environments: The average organization now manages 421 different APIs, with most hosted in public cloud environments. Despite this growth, a significant number of APIs—particularly those that are customer-facing—remain unprotected.
- Evolving API uses and security needs: As APIs increasingly connect to AI services like OpenAI, the security model must adapt to cover both inbound and outbound API traffic. Current practices largely focus on inbound traffic, leaving outbound API calls vulnerable.
-
Fragmented responsibility for API security: The report reveals a divided responsibility for API security within organizations, with
53% managing it under application security and31% through API management and integration platforms. This division can lead to gaps in coverage and inconsistent security practices. - High demand for programmable security solutions: Respondents ranked programmability as the most valuable API security capability, underscoring the need for real-time inspection and response to API traffic and threats.
Addressing the Gaps in API Security
To address these security gaps, the report recommends organizations adopt comprehensive security solutions that can cover the entire API lifecycle, from design through deployment. By integrating API security into both development and operational phases, organizations can better protect their digital assets against a growing array of threats.
“APIs are integral to the AI era, but they must be secured to ensure that AI and digital services can operate safely and effectively,” added MacVittie. “This report is a call to action for organizations to re-evaluate their API security strategies and take the necessary steps to protect their data and services.”
The full 2024 State of Application Strategy Report: API Security is available for download.
About this Report
The data presented in this report reflects the results of both the annual F5 State of Application Strategy survey and targeted follow-up research with additional API decision makers—more than two-thirds of them in C-level roles—for global organizations of all sizes and across industries, from technology, manufacturing, finance, and retail to organizations in healthcare and education.
About F5
F5 is a multicloud application security and delivery company committed to bringing a better digital world to life. F5 partners with the world’s largest, most advanced organizations to secure every app—on premises, in the cloud, or at the edge. F5 enables businesses to continuously stay ahead of threats while delivering exceptional, secure digital experiences for their customers. For more information, go to f5.com. (NASDAQ: FFIV)
You can also follow @F5 on X or visit us on LinkedIn and Facebook to learn about F5, its partners, and technologies.
F5 is a trademark, service mark, or tradename of F5, Inc., in the
SOURCE: F5, Inc.
View source version on businesswire.com: https://www.businesswire.com/news/home/20241001244711/en/
Jenna Becker
F5
(415) 857-2864
j.becker@f5.com
Holly Lancaster
WE Communications
(415) 547-7054
hluka@we-worldwide.com
Source: F5, Inc.
FAQ
What percentage of customer-facing APIs are secured using HTTPS according to F5's 2024 report?
How many different APIs does the average organization manage, as per F5's 2024 report?
What is the most valuable API security capability according to F5's 2024 report?