
API Security Trends 2023

The Q1 2023 State of API Security report examines how companies are securing APIs, the challenges they face, and how their API security strategies are evolving.

Graph showing increase of unique attackers targeting customer APIs during 2022

API attacks are on the rise

Salt Labs has identified a significant rise in attackers targeting our customer base. The end of last year saw a major spike, with 4,845 attackers operating in December alone — a 400% increase from just a few months prior.

Bad actors are tenacious and continue to find new and unexpected ways to attack. In the past, organizations believed that requiring proper authentication to interact with an API was enough of a deterrent to send attackers elsewhere. Salt Labs data shows that 78% of attacks come from seemingly legitimate users who have nonetheless obtained valid authentication to the API.

API security has emerged as a significant business issue

Survey respondents told us that API security concerns have delayed application rollouts far too frequently. An unfortunate 59% have experienced application rollout delays resulting from security issues identified in APIs. With these business delays and so many notable API security breaches making headlines, it’s no surprise that 48% of survey respondents say that API security has become a C-level discussion over the past year.

48% of organizations report API security has become a C-level discussion
41% of organizations had vulnerability problems in production APIs

The industry is experiencing significant API security challenges

API security problems are a real concern for survey respondents. 94% had some security issue with their production APIs over the past year, with vulnerabilities topping the list at 41%, followed closely by authentication problems at 40%. Of more concern, 31% had experienced a sensitive data exposure or privacy incident and 17% had experienced a security breach; such events have significant costs and reputational damage associated with them.


The OWASP API Security Top 10 is a critical starting point

The OWASP API Security Top 10 list is an industry standard in the API space, but it’s a focus area for security programs at only 54% of respondents’ organizations. This low percentage is disheartening, since Salt customer data shows that 66% of all attack attempts leverage at least one of these 10 security vulnerabilities. Typically, bad actors use combinations of these 10 attacks to propagate more sophisticated attacks.

66% of attack attempts involved the OWASP API Security Top 10

“Zombie” APIs top the list of API security concerns

With significant API security issues happening so frequently, it stands to reason that respondents have real concerns about their API security programs. Outdated/zombie APIs top their concerns, with 54% rating them a high concern. Given that respondents also identified significant documentation challenges in their organizations, it’s highly likely most environments are running APIs that are not documented. So, even though the lowest percentage (20%) cited shadow APIs as a top concern, the risk in this area is likely higher than many respondents realize.

Outdated/zombie APIs are the number one API security concern

Most API security strategies remain immature

With reliance on APIs at an all-time high and critical business outcomes relying upon them, it is even more imperative that organizations build and implement a strong API security strategy. Unfortunately, only 12% of respondents’ organizations have what they consider to be advanced API security strategies that include dedicated API testing and runtime protection. On the opposite side of the spectrum, 30% of respondents — all of whom have APIs running in production — admit they have no current API strategy.

Only 12% of organizations report having an advanced API development program
48% report existing security tools are only somewhat effective

Traditional approaches to API security are falling short

Survey respondents indicated that they primarily rely on traditional tools and processes to secure their APIs: API gateways (52%), log file analysis (51%), and WAF alerts (44%). However, they don’t believe these methods are particularly effective, with 77% of respondents saying their existing tools aren’t very effective in preventing API attacks.

Stopping attacks is the most highly valued API security attribute; shift left is lowest

API security is taking center stage for many organizations, but what exactly are they looking for? The capabilities that respondents identified as most valuable were the ability to identify which APIs expose PII or sensitive data (44%), stop attacks (44%), and meet compliance or regulatory requirements (38%). Respondents considered the ability to implement shift left API security practices as their lowest valued attribute, with only 22% citing it as highly important.

Organizations rate the value of security attributes of an API security platform

APIs are changing constantly and documentation is failing to keep up

Having a comprehensive view of your API attack surface is widely agreed to be the first step to protecting APIs. Unfortunately, respondents tell us that their confidence in a complete and accurate API inventory is low, with only 19% saying they feel very confident. Why? APIs are constantly changing, making them nearly impossible to document well. In fact, 37% of organizations update their APIs at least weekly.

28% report primary APIs are updated weekly
50% rely on developer documentation to know which APIs expose sensitive data, 25% do not know

Security teams have a difficult time understanding which APIs expose PII

Respondents are less than confident in their ability to recognize what sensitive or personally identifiable information (PII) is exposed within their APIs. Only 18% say they are very confident that their API inventories provide enough detail about their APIs and the sensitive data within them. On the other hand, 30% admit that they lack confidence in this area.
