Across our customer base over the past 6 months, the Salt SaaS platform data shows that overall API traffic increased 141% while malicious traffic grew 348%. Looking at our customer data in more detail, we see our customers were experiencing an average of 12.22 million attack calls per month by June 2021. Note that our customers all have WAFs and API gateways deployed, so these API attacks got past those traditional security controls. Such findings are consistent with broader industry research showing APIs as the dominant application attack vector.
Nearly two-thirds of respondents (64%) admitted they have delayed application rollouts because of API security concerns. Organizations rely on APIs for a broad range of critical business initiatives, and this finding alone should make API security a key priority in any application-driven organization. Without the confidence to deploy new API-based applications -- and iterate on existing ones -- at the pace the business demands, organizations risk ceding ground to the competition and sacrificing customer loyalty.
46% of respondents cite security concerns as their top worry about their API programs. Worries over a lack of pre-production security were the top response (26%), followed closely by concerns that the program does not adequately address runtime security (20%). One easy step an organization could take to bolster the security aspect of its API program would be to use the OWASP API Security Top 10 list to teach and align development, DevOps, and security staff on the nature of API attacks.
We commonly hear the refrain “developers write APIs, so they should be responsible for securing APIs.” This perspective is reflected in the survey, with a collective 52% of respondents putting responsibility for API security on the API team, developers, and DevOps. In practice, not all API security problems can be tested for and identified in code prior to runtime: a broken object level authorization flaw, for example, looks like any other valid request until an authenticated user asks for an object that is not theirs. The reality that 94% of respondents experienced an API security incident in the past 12 months, and that 100% of Salt customers experience multiple attacks every month, reinforces the critical shortcomings of overemphasizing the “shift left” approach to API security.
Nearly half of respondents are trying to identify API attackers via their WAF or API gateway, an approach that is proving woefully inadequate, given that 94% of respondents experienced an API security incident in the past 12 months. WAFs and API gateways inspect each request in isolation; they lack the ability to build context or correlate a caller’s activity over time, so they cannot detect API attacks that unfold as a sequence of individually well-formed requests. Tools such as API gateways depend on authentication and authorization for security. However, Salt customer data shows that 95% of API exploits happened against authenticated APIs: the attacker held a valid credential and abused what that credential could reach, so a valid token is no evidence of benign intent.
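The point above, that an attack can consist entirely of authenticated, well-formed requests, is easier to see with a small stateful detector. The following Python is an added example for this page, not code from Salt or the report; the log lines and field layout are constructed for the example, and the window and threshold values are assumptions. A per-request check passes every line, while keeping state per caller across requests exposes a user walking through other people’s account IDs.

```python
"""Added example: stateful correlation of authenticated API calls.

Each constructed request carries an authenticated subject and a well-formed
path, so a per-request WAF or gateway rule sees nothing wrong. Only by
keeping state per caller across requests does the object-ID enumeration
become visible.
"""
from collections import defaultdict, deque
import re

WINDOW_SECONDS = 60        # how long per-caller state is kept (assumed value)
MAX_DISTINCT_OBJECTS = 5   # more distinct IDs than this per caller/resource is suspicious (assumed)

# Constructed log layout: <unix seconds> <subject> <method> <path> <status>
LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
# Object-style paths such as /api/v2/accounts/1001
OBJECT_PATH_RE = re.compile(r"^/api/v\d+/([a-z]+)/(\d+)$")

# Constructed sample: user_17 walks sequential account IDs, user_42 behaves normally.
SAMPLE_LOG = """\
1 user_17 GET /api/v2/accounts/1001 200
2 user_42 GET /api/v2/accounts/5007 200
3 user_17 GET /api/v2/accounts/1002 403
4 user_17 GET /api/v2/accounts/1003 403
5 user_42 GET /api/v2/accounts/5007 200
6 user_17 GET /api/v2/accounts/1004 200
7 user_17 GET /api/v2/accounts/1005 403
8 user_17 GET /api/v2/accounts/1006 200
9 user_42 GET /api/v2/accounts/5008 200
10 user_17 GET /api/v2/accounts/1007 403
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, subject, method, path, status = m.groups()
        events.append({"ts": int(ts), "subject": subject, "method": method,
                       "path": path, "status": int(status)})
    return events


def per_request_check(event):
    """What a stateless rule can verify: an authenticated subject and a
    well-formed object path. Every line in SAMPLE_LOG passes this."""
    return event["subject"] != "anonymous" and OBJECT_PATH_RE.match(event["path"]) is not None


class EnumerationDetector:
    """Tracks, per (subject, resource), which object IDs were requested in a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_OBJECTS):
        self.window = window
        self.max_distinct = max_distinct
        self.history = defaultdict(deque)   # (subject, resource) -> deque of (ts, object_id, status)
        self.alerted = set()                # keys already reported, to avoid repeat alerts

    def observe(self, event):
        m = OBJECT_PATH_RE.match(event["path"])
        if not m:
            return None
        resource, object_id = m.groups()
        key = (event["subject"], resource)
        window = self.history[key]
        window.append((event["ts"], object_id, event["status"]))
        # Drop entries that fell out of the time window.
        while window and event["ts"] - window[0][0] > self.window:
            window.popleft()
        distinct = {oid for _, oid, _ in window}
        if len(distinct) > self.max_distinct and key not in self.alerted:
            self.alerted.add(key)
            # Authorization denials mixed into the walk strengthen the BOLA signal.
            denied = sum(1 for _, _, st in window if st in (401, 403, 404))
            return {"subject": event["subject"], "resource": resource,
                    "distinct_objects": len(distinct),
                    "denied_ratio": round(denied / len(window), 2),
                    "first_seen": window[0][0], "triggered_at": event["ts"]}
        return None


def analyze(log_text):
    """Run the detector over a log and return the alerts it raised."""
    detector = EnumerationDetector()
    alerts = []
    for event in parse_log(log_text):
        alert = detector.observe(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The per-caller key would normally be derived from the verified token subject rather than a log field, and real deployments tune the window and threshold per resource; the structure (state keyed by caller, evaluated across requests) is what a stateless inspection point cannot provide.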
More than a quarter of organizations running production APIs (26%) have not implemented an API security strategy, and 36% have just a basic security strategy to protect their APIs. Only 11% consider their API security strategy to be advanced, with dedicated API testing and API protection in place. Because APIs provide the path directly to a company’s crown jewels, attackers are targeting them at ever higher rates. To combat this risk, API-driven organizations should be prioritizing the crafting of a robust API security strategy.
Survey responses show that users expect a lot of functionality out of API security platforms. The ability to stop attacks led the list, with 55% of respondents rating it highly important, and the ability to identify which APIs expose PII or other sensitive data came in a close second, at 52%. This result should come as no surprise as organizations increasingly worry about data loss and privacy impacts from data exposed via APIs.
You can’t control what you can’t see, and 85% of respondents lack confidence that their API inventory is complete. 17% have absolutely no confidence in or knowledge about the completeness of their API inventory. One contributing factor is the frequency of API changes – the report shows a third of respondents are updating their APIs weekly or daily. Automation is essential for API discovery – both to keep pace with developer changes and to catch the APIs that developers release outside mediation or gateway platforms.
40% of respondents cite outdated or “zombie” APIs as their top concern, nearly triple the number for the next biggest area of concern, account takeover. Frequent updates to applications are the biggest culprit in generating these zombie APIs: one consequence of frequent application and API updates is that older APIs persist when they should have been deprecated, which can result in unrecognized risk and unknown data exposure.
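The inventory gap described two paragraphs up and the zombie-API problem described here are two outputs of the same comparison: what traffic shows is being served versus what the specification says should exist. The following Python is an added example for this page, not code from Salt or the report. The spec is a hand-written subset in OpenAPI’s `paths` layout using its `deprecated` flag, and the observed requests (with a `gateway` or `host` source tag) are constructed; the classification names are assumptions.

```python
"""Added example: build an API inventory from observed traffic and diff it
against the declared specification.

Outputs (names assumed for this example):
  shadow  - served in traffic but absent from the spec
  zombie  - declared deprecated in the spec yet still receiving traffic
  bypass  - seen only on the host, never at the gateway (released outside mediation)
  unused  - declared but no traffic observed (candidates for removal)
"""
import re
from collections import defaultdict

# Numeric or UUID-like path segments collapse to {id} so instances fold into one template.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F-]{32,36})$")

# Constructed spec subset in OpenAPI `paths` layout; `deprecated` is OpenAPI's real flag.
DECLARED_SPEC = {
    "paths": {
        "/api/v2/accounts": {"post": {}},
        "/api/v2/accounts/{id}": {"get": {}},
        "/api/v1/accounts/{id}": {"get": {"deprecated": True}},
        "/api/v2/payments": {"post": {}},
        "/api/v2/payments/{id}": {"delete": {}},
    }
}

# Constructed observations: (source, method, path). "gateway" = seen at the API gateway,
# "host" = seen in the service's own access log.
OBSERVED_REQUESTS = [
    ("gateway", "GET", "/api/v2/accounts/1001"),
    ("host", "GET", "/api/v2/accounts/1001"),
    ("gateway", "POST", "/api/v2/accounts"),
    ("gateway", "GET", "/api/v1/accounts/77"),            # deprecated, still served
    ("gateway", "GET", "/api/v2/accounts/1002/export"),   # not in the spec
    ("host", "POST", "/internal/debug/dump"),             # never passes the gateway
    ("gateway", "POST", "/api/v2/payments"),
]


def normalize_path(path):
    """Replace ID-like segments with {id} so /accounts/1001 and /accounts/1002 match one template."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def declared_operations(spec):
    """Map (METHOD, template) -> deprecated flag from the spec's paths object."""
    ops = {}
    for template, methods in spec["paths"].items():
        for method, details in methods.items():
            ops[(method.upper(), template)] = bool(details.get("deprecated", False))
    return ops


def observed_inventory(requests):
    """Map (METHOD, template) -> {count, sources} from raw observations."""
    inventory = defaultdict(lambda: {"count": 0, "sources": set()})
    for source, method, path in requests:
        entry = inventory[(method.upper(), normalize_path(path))]
        entry["count"] += 1
        entry["sources"].add(source)
    return inventory


def classify(spec, requests):
    """Diff declared operations against observed ones."""
    declared = declared_operations(spec)
    observed = observed_inventory(requests)
    return {
        "shadow": {op for op in observed if op not in declared},
        "zombie": {op for op, dep in declared.items() if dep and op in observed},
        "bypass": {op for op, v in observed.items() if "gateway" not in v["sources"]},
        "unused": {op for op in declared if op not in observed},
    }


if __name__ == "__main__":
    for category, ops in classify(DECLARED_SPEC, OBSERVED_REQUESTS).items():
        print(category, sorted(ops))
```

Running this on a schedule against the previous day’s traffic is the automation the text calls for: a template that appears in `shadow` or `bypass` was released without going through the mediation layer, and a `zombie` entry is an endpoint that was supposed to be retired but is still answering.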