Today’s post for ‘Too Long; Did Read’ is a review of the 2022 API Security Trends Report, written by Dan Kennedy of the 451 Group/S&P for Noname Security. Going forward I’ll add a couple more pieces of information to each post: whether it is behind a registration page, and how long a read it is. Alex (@alexanderjaeger) suggested the first, because many of us won’t fill in the fields needed to get to a report behind a regwall. The second I’m adding because the amount of time needed to read a report often influences whether it gets read at all. A 10-page report with one or two redeeming qualities can be easier to read than a 100-page report with buckets full of interesting stuff.

Overall Impression – For its target audience, this paper is one of the best I’ve read this year. It has significant analysis scattered throughout, it uses plots appropriately, and the colors are easy to read, for the most part. You have to keep in mind that this is an analyst’s report, so it’s based on survey data. I generally think of surveys as ‘soft data’ and do not hold this type of information in the same regard as data from logs, alerts, and other data taken directly from sensors. This is definitely a personal bias, but I’ve seen too many surveys done badly over the years.

The intended reader is anyone considering the future of APIs. This includes organizations creating the next wave of products, both engineers and marketing teams. CSOs who want to know their peers’ experience with current technologies will get a lot out of the API Security Trends Report, as will teams looking to better understand API protections before making a purchase. It is not for front-line blue/red teams or other security professionals who want deeply technical knowledge, which is not what we should expect from most analyst reports in the first place. I give this report a solid A.

Reg Wall: Yes – https://nonamesecurity.com/api-security-trends-report

Length / Read time: At 17 pages, this report took me 45 minutes to read and take notes on. A casual read should take 15-30 minutes.

The Good – It may sound like faint praise, but this report knows who its audience is, caters to their needs simply and effectively, and does not get caught up in trying to be something else. But my praise isn’t faint; I’d say the majority of the reports in our industry suffer from too many cooks in the kitchen, none of them knowing what the final goal for the report is. In my opinion, being an analyst makes this much easier, because the job centers around knowing your audience and how to reach them.

Each section contains at least one piece of analysis that shows why specific findings are important. This is another issue that sounds like it should be a given, but far too many reports simply read the statistics and don’t tell you what they mean. None of the analysis is groundbreaking, but that is not the purpose of the report. Here’s just one example of a statistic being highlighted, and then the author telling us why the statistic matters.

The ability to inventory critical APIs ranked fourth (51%) in the list of concepts associated with API security, which might seem low in the collection of concerns because it is the first step in securing APIs. After all, one cannot provide security risk mitigation unless there’s an understanding of what’s being secured. However, its ranking may be due to the fact that users consider discovery a commodity or necessary feature of API security tools, and thus table stakes when deciding among API security providers.

Dan Kennedy, 2022 API Security Trends Report

The choices of data visualizations are basic, simple, and exactly what is needed to highlight the data effectively. Bar charts, donut graphs, and horizontal stacked bar charts are the only types of visualizations used in the report. Every donut graph and horizontal stacked bar chart is limited to three data points, allowing them to be read at a glance. While I like seeing more complex visualizations, I’d rather see reports use the simple plots effectively.

In the first few pages of the report we receive a short list of the key findings, though the placement is deeper in the report than I like to see (page 4). Consider these as well-placed hooks to get you to read further into the report in order to find out what they actually mean. The introduction sets the stage for the analysis, but you could easily skip it without decreasing the value you get from the report.

One of the things I greatly appreciate about this report is that every plot is accompanied by the questions asked in the survey and the sample size received. All too often we see reports missing any form of a methodology section. In my opinion, the way the questions are phrased to the respondents is almost as important as the responses. At best, badly done surveys miss their mark and skew the results. At worst, bad survey questions make any findings unusable or misleading. Yes, I’m looking at you, Pikachu and your Pokemon buddies.

The Bad – Most of the negatives I found in the report are minor and simply offer room for improvement for the next report. I love that Dan Kennedy is clearly being given credit for the report. But this shouldn’t be the first thing the reader sees. Credits belong at the end. Use the premium space at the beginning of the report for the Key Findings or the main topics you want the reader to walk away with.

The color choices for the pie charts and stacked charts are questionable. I’m not sure the difference between the greens is distinct enough to be readable by a color-blind audience. But to be fair, the plots are simple and each includes the percentages represented, making the report readable without relying on color as a method of conveying information.

Final thoughts – I’ve long thought that the controls most organizations have around APIs were largely non-existent or ineffective. The 2022 API Security Trends Report doesn’t say much about how widespread protections are, but it does make it clear many organizations are worried about the effectiveness of what they have in place today. I believe this report is worth reading if you are even slightly curious about the perception of API protections today.