Group Purchasing
Group Purchasing

SANS 2024 Application Security & API Survey: Protecting our Applications and APIs

SANS 2024 Application Security & API Survey: Protecting our Applications and APIs (PDF, 1.29MB)Published: 05 Jun, 2024
Created by:
Matt BromileyDavid Hazar
Matt Bromiley & David Hazar

The SANS Application and API Security Survey 2024, published by SANS Institute in June 2024, measured which application security testing techniques deliver the most value across different application and API architectures. Written by David Hazar and Matt Bromiley, the survey drew on responses from security and development professionals at organizations that develop and support applications or APIs, concentrated in the security, technology, application development, and finance sectors.

Key findings:

  • Manual penetration testing scored highest in value for REST APIs (14.6%), native mobile applications (10.4%), and single-page web applications (8.9%), despite being the most expensive and time-consuming testing method
  • Dynamic Application Security Testing (DAST) ranked as the most valuable testing technique for traditional form-based web applications (13.0%) and is the most effective automated tool for API testing
  • Software Composition Analysis (SCA) and Static Application Security Testing (SAST) are the two testing techniques most easily accepted by development teams and the business, ranking as "easier to accept" on a 0–8 acceptance scale
  • Traditional form-based web applications still make up 60% of supported application types, with REST APIs close behind at 56% and single-page web applications at 48%
  • Even less common formats remain significant: SOAP APIs (29%) and GraphQL APIs (20%) are both well represented among organizations' application portfolios
  • 35% of organizations consider more than half of their applications or APIs to be microservices, while only 11% report less than 10%
  • 54% of organizations have implemented runtime security protection (such as RASP) for at least one of their applications, and 53% have done so for at least one API
  • 53% have implemented just-in-time authentication and authorization controls for at least one application or API
  • Bug bounty programs, red teaming, and threat modeling ranked at the bottom of both value scores and ease of developer acceptance across nearly every application type
  • Containers are more widely used than serverless functions for running APIs, though not by a dramatic margin

The survey's core insight is that no single testing method covers every application type or vulnerability class. Manual penetration testing consistently outperforms automated tools because human testers understand intended application logic well enough to find business-logic and access-control flaws that scanners miss, while SAST, DAST, and SCA earn their place through ease of integration and lower cost rather than raw detection value. The recommended approach is to layer methods across the application lifecycle rather than rely on any one technique. Respondents were security administrators/analysts, security architects, product security professionals, and application developers, drawn from organizations of varying sizes, with roughly 80% confirming their organization develops and supports applications or APIs. Headquarters were concentrated in the United States and Europe, though more than 20% of respondent organizations had operations across nearly every global region.

FAQ

Meet the experts