The 2024 State of API Security report examines how companies are securing APIs, the challenges they face, and how their API security strategies are evolving.
API security incidents have more than doubled in the past year due to the rapid increase in API usage, creating a vast and expanding attack surface for malicious actors to exploit.
Salt Labs has found that these attackers are able to bypass authentication protocols, with 61% of attackers being unauthenticated, which shows that these bad actors are using a diverse range of tactics to get the information they want — proving the need for a more complex protection strategy.
The survey revealed that C-level executives increasingly recognize the importance of API security, with 46% of respondents reporting that it has become a topic of executive discussion. This highlights the growing awareness of the business risks involved in API security.
With 55% of respondents experiencing delays in application rollout due to security issues with their APIs, we’re able to see the real-world impact of inadequate API security — including delayed innovation, frustrated customers, and lost revenue.
The need for improved security measures is clear: 95% of respondents are struggling to contain incidents relating to their APIs, and 23% of organizations have experienced a breach, which means that their sensitive data and critical systems have been compromised.
In our ever-increasing threat landscape, it is essential for organizations to prioritize specialized API security measures to safeguard their sensitive data and ensure business continuity. By doing so, they can mitigate the risk of breaches, protect their reputation, and maintain a competitive edge.
The OWASP API Security Top 10 is a crucial resource for professionals working in API security, and it highlights the most common and high-risk vulnerabilities that attackers exploit. A large percentage of API attacks target these well-known weaknesses. 80% of attack attempts leverage one or more of the OWASP API Top 10 methods, but only about 58% of respondents focus on this industry list.
To effectively mitigate risks throughout an API's lifecycle, organizations need to adopt an API posture governance strategy, which would provide a structured framework for managing and securing the entire API ecosystem — from design and development to deployment and ongoing maintenance. Our survey revealed that only 10% of organizations currently have an API posture governance strategy in place.
The rapid increase in APIs and the evolving threat landscape reveal an ever-growing number of API security-related issues. Our survey reveals that zombie APIs remain a top concern among respondents, as attackers can exploit vulnerabilities in zombie APIs to gain unauthorized access to sensitive data, disrupt operations, or carry out further attacks within a network. The survey also found that 46% of respondents consider account takeover/misuse a top concern, highlighting the growing threat of unauthorized access to user accounts through compromised API credentials.
An alarmingly low number (7.5%) of organizations consider their API security programs advanced, leaving the vast majority with significant room for improvement. Traditional methods are insufficient against modern API threats, highlighting the urgent need for organizations to enhance their API security to prevent breaches.
In today's fast-paced digital world, APIs are constantly changing, making them difficult to document well. An issue that arises with this constant flux is that outdated documentation and poor visibility into your API landscape can leave you exposed to security risks. The survey revealed that 38% of all organizations update their APIs at least weekly, while 12.5% make daily updates.
Only 12% of respondents feel very confident in the accuracy of their API inventory, highlighting a widespread lack of trust in their security posture. This lack of confidence is justified, given that nearly a third of respondents (29%) don't feel confident at all in the accuracy of their documentation.
Only 14.6% of respondents are highly confident in their ability to identify which APIs expose Personally Identifiable Information (PII) data. The survey found that around 60% of organizations are only somewhat confident in their understanding of PII exposure through APIs, while 25% are unsure or lack confidence altogether. This presents a serious challenge for organizations, leaving them vulnerable to security incidents involving the exposure of sensitive data.