API Security Trends

Our industry-leading research examines how companies are securing APIs, the challenges they face, and how their API security strategies are evolving.


API attacks are increasing at an alarming rate - up 348% in six months

Across our customer base over the past 6 months, the Salt SaaS platform data shows that overall API traffic increased 141% while malicious traffic grew 348%. Looking at our customer data in more detail, we see our customers were experiencing an average of 12.22 million attack calls per month by June 2021. Note that our customers all have WAFs and API gateways deployed, so these API attacks got past those traditional security controls. Such findings are consistent with broader industry research showing APIs as the dominant application attack vector.

API security concerns continue to inhibit critical areas of business innovation

Nearly two-thirds of respondents (64%) admitted they have delayed application rollouts because of API security concerns. Organizations rely on APIs for a broad range of critical business initiatives, and this finding alone should make API security a key priority in any application-driven organization. Without the confidence to deploy new API-based applications -- and iterate on existing ones -- at the pace the business demands, organizations risk ceding ground to the competition and sacrificing customer loyalty.


Security remains the leading concern in API programs

46% of respondents cite security concerns as their top worry when it comes to APIs. Worries over a lack of pre-production security were the top response (26%), followed closely by concerns about the program not adequately addressing runtime security (20%). One easy step an organization could take to bolster the security aspect of its API program would be to use the OWASP API Security Top 10 list to teach and align development, DevOps, and security staff about the nature of API attacks.

Viewing API security as a “shift left” problem is failing

We commonly hear the refrain “developers write APIs, so they should be responsible for securing APIs.” This perspective is reflected in the survey, with a collective 52% of respondents putting responsibility for API security on the API team, developers, and DevOps. In practice, not all API security problems can be tested for and identified in code prior to runtime. The reality that 94% of respondents experienced an API security incident in the past 12 months, and 100% of Salt customers experience multiple attacks every month, reinforces the critical shortcomings in overemphasizing the “shift left” approach to API security.

WAFs and API Gateways miss the API attackers

Nearly half of respondents are trying to identify API attackers via their WAF or API gateway, an approach that is proving woefully inadequate, given that 94% of respondents experienced an API security incident in the past 12 months. WAFs and API gateways lack the ability to build context or correlate activity over time, so they cannot detect API attacks. Tools such as API gateways depend on authentication and authorization for security – however, Salt customer data shows that 95% of API exploits happened against authenticated APIs.
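To make the "context over time" point concrete, here is an added example (not code from the report or from Salt) that contrasts a stateless per-request check with a per-caller check that correlates requests across a time window. The access log lines, the field layout, the `/api/v1/accounts/{id}` route, and the `max_distinct` threshold are all constructed for this illustration; every request in the log is well-formed and authenticated, so the stateless rule passes all of them, while the correlated rule flags the one caller that walks through many different account ids in a minute.

```python
"""Added example: why per-request inspection misses API abuse.

Each request below is well-formed and authenticated, so a stateless
check (what a signature-based control applies to one request at a
time) sees nothing wrong. Correlating requests per caller over a
time window exposes a pattern that no single request shows.
Log lines, route shape and the threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed access log: timestamp, caller (token subject), method, path, status
ACCESS_LOG = """\
2021-06-01T10:00:00Z sub=alice GET /api/v1/accounts/1001 200
2021-06-01T10:00:01Z sub=bob GET /api/v1/accounts/2042 200
2021-06-01T10:00:02Z sub=carol GET /api/v1/accounts/3001 200
2021-06-01T10:00:03Z sub=carol GET /api/v1/accounts/3002 200
2021-06-01T10:00:04Z sub=carol GET /api/v1/accounts/3003 200
2021-06-01T10:00:05Z sub=carol GET /api/v1/accounts/3004 200
2021-06-01T10:00:06Z sub=carol GET /api/v1/accounts/3005 200
2021-06-01T10:00:07Z sub=carol GET /api/v1/accounts/3006 200
2021-06-01T10:00:08Z sub=alice GET /api/v1/accounts/1001 200
2021-06-01T10:05:00Z sub=carol GET /api/v1/accounts/3007 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
OBJECT_ID_RE = re.compile(r"^/api/v1/accounts/(?P<id>\d+)$")


def parse_log(text):
    """Parse the constructed log into (ts, subject, method, path, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["sub"], m["method"], m["path"], int(m["status"])))
    return events


def stateless_check(event):
    """Per-request rule: flag only if the request itself is malformed or
    carries an obvious injection marker. Returns True when flagged.
    It has no memory of earlier requests from the same caller."""
    _, _, method, path, _ = event
    suspicious = ("'", "<", ">", "..", ";")
    return method not in ("GET", "POST", "PUT", "DELETE") or any(
        c in path for c in suspicious
    )


def correlated_check(events, window=timedelta(seconds=60), max_distinct=5):
    """Per-caller rule: count the distinct account ids each subject touched
    within a sliding window and flag subjects exceeding max_distinct.
    Returns {subject: highest distinct count seen} for flagged callers."""
    per_sub = defaultdict(list)  # subject -> [(ts, object_id)]
    for ts, sub, _, path, _ in events:
        m = OBJECT_ID_RE.match(path)
        if m:
            per_sub[sub].append((ts, m["id"]))
    flagged = {}
    for sub, hits in per_sub.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = {oid for ts, oid in hits[i:] if ts - start <= window}
            if len(ids) > max_distinct:
                flagged[sub] = max(flagged.get(sub, 0), len(ids))
    return flagged


if __name__ == "__main__":
    evts = parse_log(ACCESS_LOG)
    print("stateless flags:", [e for e in evts if stateless_check(e)])
    print("correlated flags:", correlated_check(evts))
```

The stateless rule returns an empty list because nothing about any individual request is abnormal; the correlated rule returns `{"carol": 6}` because that subject read six different account ids inside one 60-second window. The threshold and window are illustrative; in practice they are tuned per endpoint from a baseline of legitimate per-caller behaviour.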


The majority of organizations have no or just a basic strategy for API security

More than a quarter of organizations running production APIs (26%) have not implemented an API security strategy, and 36% have just a basic security strategy to protect their APIs. Only 11% consider their API security strategy to be advanced, with dedicated API testing and API protection in place. Because APIs provide the path directly to a company’s crown jewels, attackers are targeting them at ever higher rates. To combat this risk, API-driven organizations should be prioritizing the crafting of a robust API security strategy.

Stopping attacks in runtime is the #1 priority for API security

Survey responses show that users expect a lot of functionality out of API security platforms. The ability to stop attacks led the list, with 55% of respondents rating it highly important, and the ability to identify which APIs expose PII or other sensitive data came in a close second, at 52%. This result should come as no surprise as organizations increasingly worry about data loss and privacy impacts from data exposed via APIs.

Respondents lack confidence that their API inventory is complete

You can’t control what you can’t see, and 85% of respondents lack confidence that their API inventory is complete. 17% have absolutely no confidence in or knowledge about the completeness of their API inventory. One contributing factor is the frequency of API changes – the report shows a third of respondents are updating their APIs weekly or daily. Automation is essential for API discovery – both to keep pace with developer changes and to catch the APIs that developers release outside mediation or gateway platforms.

Zombie APIs lead the list of biggest concerns in API security

40% of respondents cite outdated or “zombie” APIs as their top concern, nearly triple the number of the next biggest area of concern, account takeover. Frequent updates to applications are the biggest culprit in generating these zombie APIs – one consequence of frequent application and API updates is that older APIs persist when they should have been deprecated, which can result in unrealized risk and unknown data exposure.
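The two findings above (incomplete inventories and zombie APIs) come down to the same reconciliation: compare what is documented with what is actually receiving traffic. Below is an added example, not code from the report or from Salt, that does this for a constructed inventory. The `SPEC_PATHS` mapping stands in for an OpenAPI `paths` object (the `deprecated` flag is the real OpenAPI field name; the operations are stubbed), `OBSERVED` stands in for method/path pairs recovered from a gateway, load balancer or mesh log, and all route names are invented. It classifies observed calls as documented, zombie (deprecated but still called) or shadow (not in the spec at all, or a documented path hit with an undocumented method), and also lists documented endpoints that saw no traffic.

```python
"""Added example: reconciling an API inventory against observed traffic.

The spec and the observed paths are constructed. Comparing the two
surfaces undocumented ("shadow") endpoints and deprecated ("zombie")
endpoints that still receive calls, which is the automation step
needed when APIs change weekly and not every release goes through
the gateway.
"""
import re

# Constructed documented inventory in OpenAPI 'paths' shape.
# 'deprecated': True marks operations the team believes are retired.
SPEC_PATHS = {
    "/api/v2/users/{id}": {"get": {}},
    "/api/v2/orders": {"post": {}},
    "/api/v2/orders/{id}": {"get": {}},
    "/api/v2/health": {"get": {}},
    "/api/v1/users/{id}": {"get": {"deprecated": True}},
}

# Constructed observed traffic: (method, concrete path) as seen at the edge.
OBSERVED = [
    ("GET", "/api/v2/users/42"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v1/users/42"),          # deprecated but still called
    ("GET", "/api/v2/users/42/export"),   # not in the spec at all
    ("DELETE", "/api/v2/orders/7"),       # path documented, method is not
]


def template_to_regex(template):
    """Turn '/api/v2/users/{id}' into a regex matching one concrete path."""
    parts = re.split(r"(\{[^}]+\})", template)
    pattern = "".join(
        "[^/]+" if p.startswith("{") else re.escape(p) for p in parts
    )
    return re.compile("^" + pattern + "$")


def build_matchers(spec_paths):
    """Precompile one (regex, template, operations) triple per spec path."""
    return [(template_to_regex(t), t, ops) for t, ops in spec_paths.items()]


def classify(method, path, matchers):
    """Return (category, template). Categories: documented, zombie, shadow."""
    for regex, template, ops in matchers:
        if regex.match(path):
            op = ops.get(method.lower())
            if op is None:
                return ("shadow", template)  # path known, method undocumented
            if op.get("deprecated"):
                return ("zombie", template)
            return ("documented", template)
    return ("shadow", None)


def reconcile(observed, spec_paths):
    """Bucket observed calls and list documented endpoints with no traffic."""
    matchers = build_matchers(spec_paths)
    report = {"documented": [], "zombie": [], "shadow": []}
    for method, path in observed:
        category, template = classify(method, path, matchers)
        report[category].append((method, template or path))
    # Documented, non-deprecated templates with no observed calls: either
    # the log source is incomplete or the endpoint is a deprecation candidate.
    seen = {t for bucket in report.values() for _, t in bucket}
    report["unobserved"] = [
        t for t, ops in spec_paths.items()
        if t not in seen and not all(o.get("deprecated") for o in ops.values())
    ]
    return report


if __name__ == "__main__":
    for bucket, items in reconcile(OBSERVED, SPEC_PATHS).items():
        print(bucket, items)
```

On the constructed input the zombie bucket holds the `v1` user lookup, the shadow bucket holds the undocumented `export` sub-resource and the undocumented `DELETE` on orders, and `/api/v2/health` is reported as documented but unobserved. Feeding this from a continuous log source rather than a one-off export is what keeps the inventory current as APIs change.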
