Salt customer data shows the average number of APIs per customer grew 82% over last year, up from 89 in July 2021 to more than 162 in July 2022. During the same period, overall API traffic per customer grew 168%, indicating that API usage is also exploding.
Attack activity continues to keep pace with this dramatic API usage growth and now accounts for 2.1% of overall API traffic for Salt customers. Malicious API attack traffic surged 117% over the past year, from an average of 12.22M malicious calls per month to an average of 26.46M calls.
Not surprisingly, increased API usage and traffic have resulted in more attacks. Salt customer data reveals that 34% of customer accounts have experienced more than 100 attempted attacks per month. And 15% have experienced 500 or more attempted attacks per month, up from 11% a year ago.
A resounding 94% of survey respondents reported they have experienced API security problems in production APIs. Nearly half (47%) indicate that they have identified vulnerabilities in production APIs, 38% have experienced authentication problems, and 31% have seen sensitive data exposure and privacy incidents. Vulnerabilities in production have markedly increased by 8% over the past six months. And most frightening, nearly 20% of respondents say their organizations have experienced a breach resulting from insecure APIs.
Companies rely on their APIs to build the applications that drive innovation and produce revenue, so there is no room for deployment delays. Unfortunately, 54% of respondents indicate that they have had to slow the rollout of a new application because of an API security concern.
The ability to stop attacks was rated the most critical attribute by the largest share of respondents (41%), compared with only 22% who rated shift-left capabilities a top need. The ability to identify which APIs expose PII or other sensitive data was second highest, with 40% of respondents ranking that capability as “highly important.” These two areas – runtime protection and exposed sensitive data – represent the greatest sources of immediate risk for organizations.
Nearly a third of respondents admit they have experienced sensitive data exposure or a privacy incident within their production APIs over the past year, a sharp increase over last year’s 19%. 91% of Salt customers’ APIs expose some PII or sensitive data, so it’s imperative to know where and how that sensitive data is transmitted and to protect those APIs with extra diligence.
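One way to act on that imperative, added here as an example that is not from the Salt report or any Salt tooling: scan an API response body for sensitive fields and report the JSON path of each hit, so the team can see which fields, and therefore which endpoints, carry PII. The three detectors (e-mail, US SSN, payment-card number verified with a Luhn checksum) are simplified assumptions, and the sample response is constructed.

```python
"""Added example (not from the Salt report): locate PII in an API response body
and report the JSON path of each hit.

The detectors are deliberately simple (e-mail, US SSN, payment-card PAN); the
sample response below is constructed.
"""
import json
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# US SSN: 3-2-4 digits, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits with optional single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(value, path="$"):
    """Walk parsed JSON and return (json_path, kind) for every sensitive field."""
    findings = []
    if isinstance(value, dict):
        for key, child in value.items():
            findings += find_pii(child, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            findings += find_pii(child, f"{path}[{idx}]")
    elif isinstance(value, str):
        if EMAIL_RE.search(value):
            findings.append((path, "email"))
        if SSN_RE.search(value):
            findings.append((path, "ssn"))
        for m in CARD_RE.finditer(value):
            # Only report digit runs that pass Luhn, to avoid flagging order IDs.
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                findings.append((path, "card_pan"))
                break
    elif isinstance(value, int) and not isinstance(value, bool):
        # A PAN serialized as a JSON number still needs to be caught.
        s = str(value)
        if 13 <= len(s) <= 19 and luhn_ok(s):
            findings.append((path, "card_pan"))
    return findings


def scan_response(body: str):
    """Parse a JSON body and return its PII findings."""
    return find_pii(json.loads(body))


# Constructed response. order_id is 16 digits but fails Luhn, so it is not
# reported; the card field passes the checksum and is.
SAMPLE_RESPONSE = """{
  "order_id": "1234567890123456",
  "customer": {"email": "jane.doe@example.com", "tax_id": "123-45-6789"},
  "payment": {"card": "4111 1111 1111 1111", "last4": "1111"},
  "items": [{"sku": "ABC-123", "qty": 2}],
  "note": "ship to 742 Evergreen Terrace"
}"""

if __name__ == "__main__":
    for json_path, kind in scan_response(SAMPLE_RESPONSE):
        print(f"{kind:8s} at {json_path}")
```

Run against recorded responses per endpoint, the JSON paths tell you which routes need the extra diligence the report calls for; the Luhn check is what keeps a 16-digit order number from being mistaken for a card number.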
As organizations continue to mature their API programs, it’s no surprise that security-related considerations top their list of concerns. Not investing enough in pre-production security (20%) and not adequately addressing runtime security (18%) were the top API concerns noted by respondents. Also high on the list is a lack of focus on requirements and documentation (19%), which is paramount for those tasked with maintaining secure APIs.
When asked about the most concerning API security risks, 42% of respondents said that their biggest worry is outdated or “zombie” APIs, nearly triple the rate of any other concern. Zombie APIs have been consistently rated the #1 concern for the past four surveys, likely a direct result of the increasingly fast pace of development as companies seek to maximize the business value associated with APIs. As organizations build new APIs, they often fail to retire previous versions; those versions keep accepting traffic but are no longer patched or documented, which is what makes them vulnerable.
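A concrete check for the zombie-API problem, added here as an example rather than anything from the Salt report: reconcile the API inventory (an OpenAPI-style list of path templates) against the paths traffic actually hits. Versions flagged deprecated that still receive requests are zombies; paths with no template at all are undocumented; templates with no traffic are candidates for removal. The inventory, the assumed `x-sunset` extension and the access-log format are assumptions, and the log lines are constructed.

```python
"""Added example (not from the Salt report): find zombie and undocumented API
endpoints by reconciling an OpenAPI-style inventory against observed traffic.

The inventory and the access-log lines are constructed for illustration.
"""
import re
from collections import Counter

# Constructed inventory keyed by OpenAPI path template. "deprecated" is the
# standard OpenAPI flag; "x-sunset" is an assumed extension recording the date
# the team intended to retire the version.
SPEC = {
    "/v2/users/{id}": {"deprecated": False},
    "/v2/orders": {"deprecated": False},
    "/v2/orders/{id}": {"deprecated": False},
    "/v1/users/{id}": {"deprecated": True, "x-sunset": "2022-01-31"},
}

# Constructed access-log lines: "<METHOD> <path> <status>".
ACCESS_LOG = """\
GET /v2/users/42 200
POST /v2/orders 201
GET /v1/users/42 200
GET /v1/users/42/export 200
GET /v0/users?all=1 200
GET /internal/debug/config 200
this line is malformed and is skipped
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def template_to_regex(template: str) -> re.Pattern:
    """Turn /v2/users/{id} into an anchored regex; {param} matches one segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        parts.append("[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def strip_query(path: str) -> str:
    """The query string is not part of the route."""
    return path.split("?", 1)[0]


def match_spec(path: str):
    """Return the spec template that routes this concrete path, or None."""
    bare = strip_query(path)
    for template in SPEC:
        if template_to_regex(template).match(bare):
            return template
    return None


def normalize(path: str) -> str:
    """Collapse numeric segments so /v0/users/42 and /v0/users/43 group together."""
    segs = strip_query(path).strip("/").split("/")
    return "/" + "/".join("{n}" if s.isdigit() else s for s in segs)


def classify_traffic(log_text: str) -> dict:
    """Bucket observed paths as documented, zombie (deprecated but still live)
    or undocumented (no template at all), and list templates with no traffic."""
    seen = {"documented": Counter(), "zombie": Counter(), "undocumented": Counter()}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        path = m.group("path")
        template = match_spec(path)
        if template is None:
            seen["undocumented"][normalize(path)] += 1
        elif SPEC[template].get("deprecated"):
            seen["zombie"][template] += 1
        else:
            seen["documented"][template] += 1
    hit = set(seen["documented"]) | set(seen["zombie"])
    seen["unused"] = [t for t in SPEC if t not in hit]
    return seen


if __name__ == "__main__":
    report = classify_traffic(ACCESS_LOG)
    for bucket in ("zombie", "undocumented", "unused"):
        print(f"{bucket}: {report[bucket]}")
```

The zombie bucket is the one the report is worried about: `/v1/users/{id}` is past its intended sunset date yet still answering requests. The undocumented bucket (`/v1/users/{n}/export`, `/v0/users`, `/internal/debug/config`) is the shadow API nobody wrote down, which ends up in the same unpatched state.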
Beyond the sheer number of APIs, securing and maintaining them is further complicated by the fast pace of updates. One year ago, only 6% of survey respondents indicated that they update their APIs daily. Today, that number has increased to 11%. An additional 31% update their APIs weekly, while only 10% update them less frequently than every few months.
With reliance on APIs at an all-time high and critical business outcomes relying upon them, it is even more imperative that organizations build and implement a strong API security strategy. Unfortunately, only 9% of respondents can confidently state that they have an advanced API security strategy that includes dedicated API testing and protection. 61% admit that they lack any API security strategy or have only basic protections (risk assessment, network scanning, manual reviews).