State of API Security Report 2022

API Security Trends

Our industry-leading research examines how companies are securing APIs, the challenges they face, and how their API security strategies are evolving.

API attacks rose 681% in the past 12 months, compared to a 321% increase in overall API traffic 

The Salt customer base experienced a dramatic increase in API attack traffic in the past year. Data from the Salt SaaS platform shows that overall API traffic increased 321% but malicious traffic grew 681%. Malicious API calls rose from a monthly per-customer average of 2.73 million in December of 2020 to 21.32 million in December of 2021. Since all our customers have WAFs, and nearly all have API gateways, these API attacks are getting past those security controls. The year 2021 proved that APIs are the dominant application attack vector. 

API security concerns are inhibiting business innovation 

Nearly two-thirds of respondents (62%) admitted they have delayed application rollouts because of API security concerns. Another 13% are unsure if such concerns have caused this kind of disruption. Organizations rely on APIs to increase efficiencies, enable integrations, and support digital transformation, and these crucial projects are being slowed as a result of API security worries. Without the confidence to deploy new API-based applications -- and iterate on existing ones -- at the pace the business demands, organizations risk ceding ground to the competition and sacrificing customer loyalty. 

40% of Salt customers are suffering more than 100 attacks each month 

The number of Salt customers experiencing 100 or more API attacks per month rose from 30% six months ago to 40% at the end of 2021. Customers are grappling with a frequently changing API landscape as well, making it harder to stay ahead of the bad actors. 

95% of respondents suffered an API security incident in the last 12 months 

Survey respondents have endured a variety of API security incidents, but only 5% say they haven’t suffered any kind of incident. Vulnerabilities top the list, and authentication problems take the second spot, but even these seemingly mild incidents can prove highly damaging to a company’s reputation, as the Experian and Coinbase incidents show. 

34% of respondents lack any kind of API security strategy, despite running APIs in production 

More than a third of survey respondents admitted they have no API security strategy in place. Only 11% have a strategy that includes dedicated API testing and protection. The intermediate approaches, with app sec testing, gateways, or manual reviews, continue to leave companies exposed. Given that APIs have emerged as the number one application threat vector, organizations must take seriously the need to develop a robust protection plan for these vital business assets. 

Security concerns top the list of API program worries

Across a range of potential concerns, 40% of survey respondents highlighted security concerns as their top worry about their company’s API program. Nearly a quarter, 22%, cited worries over insufficient investment in pre-production security, and another 18% noted their programs don’t adequately address runtime security. 

WAFs and gateways provide insufficient protection 

The vast majority of respondents have WAFs and API gateways in place, but 85% say their existing tools are not very effective in preventing API attacks. The news headlines show bad actors are getting more creative in their API attacks, and these legacy platforms, while helpful at providing the protections they were built to enable, are not up to the job of defending against today’s API attacks. 

Identifying outdated or “zombie” APIs is the greatest concern in API security

Nearly half (43%) of respondents focused on “zombie” APIs as their top API security concern, dwarfing the number of respondents who are most concerned about account takeover/misuse (22%). These outdated APIs present significant risk, since most organizations assume they’ve been decommissioned already and they’re not getting any additional security testing or enhancements.

83% of respondents are not very confident that their API inventory is complete 

Most organizations recognize that API documentation is nearly always incomplete and out of date. A healthy percentage (55%) are “somewhat confident” in the completeness of their API inventory, but even one “shadow” or unknown API can leave an organization exposed to significant risk. With 40% of respondents noting their APIs are changing at least every week, hoping that developer documentation will remain accurate is a fallacy.

Stopping API attacks remains the most valued attribute of an API security platform 

40% of respondents cite outdated or “zombie” APIs as their top concern, nearly triple the number of the next biggest area of concern, account takeover. Frequent updates to applications are the biggest culprit in generating these zombie APIs – one consequence of frequent application and API updates is that older APIs persist when they should have been deprecated, which can result in unrealized risk and unknown data exposure.
