Arval Technologies

API Security: from Defense-in-Depth (DiD) to Zero Trust

The Zero Trust security model is gaining momentum as organizations plan to implement it to mitigate growing cyber risk.

With its principle of user and device verification before granting conditional access based on least privilege, Zero Trust holds the promise of significantly enhanced usability, data protection, and governance.

API Defense-in-Depth is a multi-layered defense that provides different types of protection: boundary defense, observability, and authentication. In this scenario, ARVAL helps companies with this adoption process: each time, it validates the request origin and establishes whether it belongs to your application or not.

Based on stats:

  • Only a few companies have an API security policy with dedicated API testing and protection.
  • Non-authenticated endpoints are the most vulnerable.
  • To improve efficiency in security management, one can change from “finding bad people” to “identifying good people” by utilizing the allowlisting approach.
  • Zero Trust is the next level for API security, though it is not a silver bullet.

According to Salt Security’s 2022 API Security Survey:

  • 95% of the more than 250 survey respondents said they’ve experienced an API security incident in the past 12 months.
  • Only 11% of respondents have an API security strategy that includes dedicated API testing and protection, and 34% lack any security strategy at all for APIs.
  • Shift-left tactics are falling short, with more than 50% of respondents saying developers, DevOps, or DevSecOps teams are responsible for API security, while 85% acknowledge that their existing tools are not very effective in stopping API attacks.
  • When asked about their biggest concern about their company’s API program, 40% of respondents highlighted gaps in security as their top worry.
  • 94% of API exploits are happening against authenticated APIs, according to Salt customer data.
  • Stopping attacks tops the list of most valuable attributes of an API security platform.
  • 40% of respondents are grappling with APIs that change at least every week, with 9% saying their APIs change daily.

Arval gives companies the benefit of receiving fresh, unique, third-party validation request