The Salt customer base experienced a dramatic increase in API attack traffic in the past year. Data from the Salt SaaS platform shows that overall API traffic increased 321% but malicious traffic grew 681%. Malicious API calls rose from a monthly per-customer average of 2.73 million in December of 2020 to 21.32 million in December of 2021. Since all our customers have WAFs, and nearly all have API gateways, these API attacks are getting past those security controls. The year 2021 proved that APIs are the dominant application attack vector.
Nearly two-thirds of respondents (62%) admitted they have delayed application rollouts because of API security concerns. Another 13% are unsure if such concerns have caused this kind of disruption. Organizations rely on APIs to increase efficiencies, enable integrations, and support digital transformation, and these crucial projects are being slowed as a result of API security worries. Without the confidence to deploy new API-based applications -- and iterate on existing ones -- at the pace the business demands, organizations risk ceding ground to the competition and sacrificing customer loyalty.
The number of Salt customers experiencing 100 or more API attacks per month rose from 30% six months ago to 40% at the end of 2021. Customers are grappling with a frequently changing API landscape as well, making it harder to stay ahead of the bad actors.
Survey respondents have endured a variety of API security incidents, but only 5% say they haven’t suffered any kind of incident. Vulnerabilities top the list, and authentication problems take the second spot, but even these seemingly mild incidents can prove highly damaging to a company’s reputation, as the Experian and Coinbase incidents show.
More than a third of survey respondents admitted they have no API security strategy in place. Only 11% have a strategy that includes dedicated API testing and protection. The intermediate approaches, with app sec testing, gateways, or manual reviews, continue to leave companies exposed. Given that APIs have emerged as the number one application threat vector, organizations must take seriously the need to develop a robust protection plan for these vital business assets.
Across a range of potential concerns, 40% of survey respondents highlighted security concerns as their top worry about their company’s API program. Nearly a quarter, 22%, cited worries over insufficient investment in pre-production security, and another 18% noted their programs don’t adequately address runtime security.
The vast majority of respondents have WAFs and API gateways in place, but 85% say their existing tools are not very effective in preventing API attacks. The news headlines show bad actors are getting more creative in their API attacks, and these legacy platforms, while helpful at providing the protections they were built to enable, are not up to the job of defending against today’s API attacks.
Nearly half (43%) of respondents focused on “zombie” APIs as their top API security concern, dwarfing the number of respondents who are most concerned about account takeover/misuse (22%). These outdated APIs present significant risk, since most organizations assume they’ve been decommissioned already and they’re not getting any additional security testing or enhancements.
Most organizations recognize that API documentation is nearly always incomplete and out of date. A healthy percentage (55%) are “somewhat confident” in the completeness of their API inventory, but even one “shadow” or unknown API can leave an organization exposed to significant risk. With 40% of respondents noting their APIs are changing at least every week, hoping that developer documentation will remain accurate is a fallacy.
40% of respondents cite outdated or “zombie” APIs as their top concern, nearly triple the number for the next biggest area of concern, account takeover. Frequent updates to applications are the biggest culprit in generating these zombie APIs: one consequence of frequent application and API updates is that older APIs persist when they should have been deprecated, which can result in unrealized risk and unknown data exposure.