API Security Evaluation Guide

Read the guide

API Security Trends

We examine how companies of all sizes and industries are securing APIs, the challenges they face,  and how their API security strategies are evolving.

Download the Report
API security concerns chart

API security concerns are inhibiting business innovation

A full 66% of respondents have delayed the deployment of a new application because of API security concerns. When businesses cannot meet the demands of continuous application delivery, they hamper their digital transformation and DevOps initiatives and they cede ground to their competition.

Nearly all respondents experienced an API security incident last year

Asked about security incidents, 91% of respondents shared they had suffered a security incident in their production APIs last year. Vulnerabilities (54%) and authentication issues (46%) topped the list, followed by bot/scraping (20%) and denial of service attacks (19%). These vulnerabilities remain until an attacker discovers and exploits them, which can result in data exfiltration, account misuse, or service downtime. Nearly half experienced authentication problems as well.

API security incidents chart

WAFs and API gateways cannot stop API attacks

100% of Salt Security customers have WAFs and API gateways, and 100% of Salt Security customers have API attacks that get past those tools. Given that 96% of API exploits happen against authenticated APIs, clearly security techniques common in WAFs and API gateways (access control, TLS, rate limiting, and IP allow/block lists for example) are insufficient. The challenge is that the dominant approaches of WAFs and API gateways miss 90% of the threats highlighted in the OWASP API Security Top 10 list of threats.

See why WAFs and API Gateways miss 90% of API Attacks

Download Report

API traffic is growing, but malicious API traffic is growing faster

Salt customers’ average monthly call volume increased over the past 12 months, from 272 million calls per month at the start of 2020 to 410 million at the end of the year, an increase of 51%. In the same time period, malicious traffic grew 211%. Note that our customers all have WAFs and API gateways deployed, so this malicious traffic got past those traditional security controls. Such findings are consistent with broader industry research showing APIs as the dominant application attack vector.

Organizations running production APIs lack an API security strategy

Gartner predicts, “By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.” Yet more than a quarter of organizations running production APIs – 27% – having no API security strategy at all.

82% of organizations lack confidence in knowing which APIs expose PII

Nearly a quarter of organizations admit they have no way to know which APIs expose PII and other sensitive data – a direct result of an incomplete API inventory and inaccurate documentation. Almost half are only “somewhat confident” they know about these data exposures. Since the majority of organizations depend on developer-created documentation and/or API gateways to understand PII exposure, and confidence is this low, these approaches are incomplete and lack the details needed to keep sensitive data safe.

Pre-production API security tactics are not adequately protecting APIs

“Shift left” is a major and worthwhile goal for application security and DevSecOps initiatives. Improving secure development practices, scanning, and thorough testing can help improve the security of APIs. With only 46% of respondents applying runtime protection and 90% of respondents experiencing a security incident in production APIs, this overreliance on pre-production security tactics is leaving organizations vulnerable.

Download the full report

Get an in-depth analysis on the concerns, risks, and trends around API security

Download Now