Many security professionals have a problem with API secrets management practices. In fact, 50% of security professionals have experienced an API-related breach, while the other 50% worry about having one. This statistic is important to acknowledge because it clearly illustrates how the need for strong API security is on everyone’s mind.
APIs are a popular (and ever-growing) target for threat actors as they are often over-exposed and under-protected. And even though security teams invest in better secrets hygiene and management, bad actors are still able to breach defensive strategies.
To gain a deeper understanding of the current state of API secrets management practices, Corsha surveyed over 400 security and engineering professionals to learn more about their API security practices and uncover how the evolving digital ecosystem presents enterprises with a new set of challenges. From this, we built The Corsha State of API Secrets Report, 2023, and share how “sound” secrets management doesn’t always mean “secure” secrets management.
What we discovered
Here’s what we discovered about the current state of secrets management from security teams.
86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets.
Engineering and security professionals spend a hefty amount of time on secrets management. This results in less focus on other activities that could impact the bottom line, like innovating new security protocols.
42% of respondents state that they manage up to 250 API tokens, keys, or certificates across their networks.
There are a lot of credentials to keep track of. Whether they’re in a database, hard-coded, or in a separate file, monitoring more than 200 different credentials is an immense challenge for security teams that are already pressed for time. This also reflects how API ecosystems are not only growing in size, but also in complexity.
53% of respondents have already experienced a data breach with unauthorized access to their networks or apps due to compromised API secrets.
The risk of data breaches associated with leaked API secrets is higher than ever. A compromised API token could be used to access systems, services, and sensitive data. Even tech giants like Twitter, Dropbox, and Uber were all targets of attacks that leaked or took advantage of tokens, keys, or certificates in 2021.
72% of respondents use a secrets manager; yet 56% are still concerned about a potential data breach due to their current secrets management practices.
According to our report, secrets managers are widely used to cope with the growing amount of API tokens, certificates, and keys. However, it seems even next-level secrets management practices are not enough to assure security teams, with 56% still reporting concerns about a potential data breach due to current secrets management practices. This indicates that the status quo is no longer enough: security teams need more effective API security tools at their disposal to dispel their fears and feel confident in the API ecosystems.
Stay secure in the world of API security
The API ecosystem will continue to grow more complex. And without any changes, so will the gap between current secrets management practices and the standard of security that APIs need.
To learn even more about why API authentication needs a new factor, read our full survey report The Corsha State of API Secrets Management Report, 2023, and gain key insights into the truth of API secrets management, including:
- What good secrets hygiene looks like
- Why it’s hard to keep track of who or what is using APIs
- Three signs that secrets aren’t cutting it
- Why “good” doesn’t always mean “safe” in API security
- The power of machine-to-machine (M2M) communications