Open API Survey Report

By the Open API CSA Working Group

Cloud Security Alliance completed its first-ever Open API Survey Report, in an effort to see exactly where the industry stood on the knowledge surrounding Open APIs as well as how business professionals and consumers were utilizing them day to day. The key traits taken from the survey will be noted within this blog post to give the reader an idea of our current state of Open API knowledge and function. Moving forward, source code for security and open platforms has become increasingly shareable. As source code becomes more shareable between companies, it is giving way to new and robust manners which can be leveraged to improve upon what we already know. 

The survey was meant to be used as a means to see:

  • What the outlook and future of Open API’s are
  • The gaps we can notice from people actually using them
  • How they can become more useful for better security posture and development 
  • How Open APIs can be used for emerging technologies. 

Interoperability is key within this survey. Businesses like the idea of using Open-API’s because of their ability to work with systems already in place, and the ability to edit them to specific needs of a business. However, with this comes a lack of common education on where to go for implementing them, or how their security functions work internally from the original source. 

Unfolding within this survey, however, was one thing that stood out the most among all of the questions and answers. Was anyone aware of best practices guide concerning Open APIs? The number was quite staggering, with 84% saying no. This immediately raises a red flag. The one thing we are using the most within development lifecycles and to build new products, doesn’t have a well-known guidance supporting its usage and implementation into business models. 

As we move towards a future of open banking and other items that will be played at the hand of Open APIs, it is noticed that 44.74% of respondents to this survey have already implemented some form of an Open API. 

The Open API platforms businesses are currently using or planning to use in the future were Key management/organization with 28%, and Open API Universal banking (PSD2) coming in a very close second. With the growth of online banking, however, this number for Universal Banking is more than likely going to grow the most in the coming years compared to other areas of specific interest. 

Building off of this question, we next asked if SaaS apps have proper security guarding them. 57% of the responses answered No. Of those 57% who answered No, 40% answered that they already have implemented Open API within their own workspace. Being already familiar with the existence of an Open API, we can confidently assume that security posture with SaaS apps are lacking security features. Because of the free availability of these programs, this can be looked at as no single guideline for secure functions being implemented through each use of a specific API. Lack of guideline and security input from development teams is a vital part of this missing function. 

A staggering 94% responded “Yes” that security vendors should, in fact, be maintaining the Open-API’s for SaaS vendors in an effort to push real-time updates. Half of that group is within the category of also already having a strong implementation of currently used open- API’s, which also has suggested that the biggest benefit to their organization is interoperability. 

Something to note from this data set specifically, is that of all of the “yes” answers above are presently split down the middle that the future of Open API’s in speaking to security will lie more dominantly in the IoT devices and B2C/AI categories. 

According to the study:

  • 71% – Lack of knowledge on how to get started with Open API framework
  • 89% – Not enough information on securing Open API’s
  • 73% – Not enough information on how to implement Open API’s or where to look for a checklist for security posture. 

These all flow together to form a larger picture –> “How do we do this and where do we go?” A lack of guidance and policy surrounding these items is creating confusion beyond just implementing different open API’s. 

We had our respondents rate the best to the worst for organizations to implement security across SaaS vendors which included forward and reverse proxies, webhook integration, and other. As you can see from the image above, forward and reverse proxy scored 22% within the category as being the worst choice (1). Looking at the rows from 1 to 5, webhooks framework yielded the highest positive average ratio for the best choice for implementing security across SaaS vendors. 

It is important to note that webhook integration was the strongest choice for security posture and integration into a business environment. Though there were only 13% saying that they strongly agree, 52% were able to agree that a webhook integration is critical to the expansion of an existing framework. Of that group of 52%, more than 60% of their organizations either are working with universal banking initiatives or key management. 

There is much left to be developed within the realm of securing Open APIs and giving the reigns to who should actually be responsible for such a job. With Universal Banking becoming dominant internationally and moving into North America, the focus needs to shift to the idea of an interoperable and flexible framework that can give enterprises a knowledge base for building their programming architecture outwards. 

Interested in learning more about Open APIs? Visit the working group page here.

The State of SDP Survey: A Summary

The CSA recently completed its first annual “State of Software-Defined Perimeter” Survey, gauging market awareness and adoption of this modern security architecture – summarized in this infographic.

The survey indicates it is still early for SDP market adoption and awareness, with only 24% of respondents claiming that they are very familiar or have fairly in-depth knowledge of SDP. The majority of respondents are less knowledgeable, with 29% being “somewhat” conversant in SDP, 35% having heard of it, and 11% knowing nothing about it.

A majority of organizations recognize the need to change their approach to a Zero Trust Architecture– 70% of respondents noted that they have a high or medium need to change their approach to user access control by better securing user authentication and authorization.

Survey respondents noted that the largest barrier to SDP adoption is existing in-place security technologies, closely followed by organizational lack of awareness and budgetary constraints. This is consistent with SDP’s early adopter market status, and its unique role as an integrated security architecture that enhances and, in some cases, eliminates the use of traditional security tools and technologies. Lack of awareness and perceived budgetary constraints point to a need for the CSA to educate the market on SDP’s security benefits and provide additional research to organizations about the cost benefit of SDP’s ability to provide preventive security compared with cyber breach detection after the fact.           

Respondents clearly understand that SDP functionally overlaps with VPN and NAC solutions, and also understand that SDP will benefit in-place systems such as IAM and SIEM. Organizations also see the benefits that SDP provides, with a majority indicating they could realize an improved security posture (63%) and a reduced attack surface (52%). A strong minority also see the benefits of reduce costs (48%) and improved compliance (44%).

In terms of adoption, a majority of organizations see themselves using SDP as a VPN replacement (64%) or a NAC alternative (55%) – both of which are common first projects for SDP.      

Based on this initial survey, we’re pleased to see this level of awareness, and optimistic that the concept of Zero Trust can be achieved by implementing SDP. Clearly, organizations are just beginning the transition from traditional security technologies to SDP and are looking for guidance. The CSA is addressing this demand with SDP resources and information – in fact, a majority of survey respondents requested additional technical documents, marketing resources, and webcasts. The SDP Working Group has recently published the SDP Architecture Guide research document, and other resources such as version 2.0 of the SDP specification, and additional guidance noted in the architecture document will follow.      

SDP is clearly a very important security development, providing an updated approach to current measures that fail to address the inherent vulnerabilities in the network and application connectivity protocols of the past. If you’d like to download the above infographic as a pdf, you can find it here: https://cloudsecurityalliance.org/artifacts/sdp-awareness-and-adoption-infographic

We’d like to thank the following individuals from the SDP leadership team for their work in creating this report and accompanying blog post:

  • Juanita Koilpillai
  • Nya Murray
  • Jason Garbis
  • Junaid Islam