A full 66% of respondents have delayed the deployment of a new application because of API security concerns. When businesses cannot meet the demands of continuous application delivery, they hamper their digital transformation and DevOps initiatives and they cede ground to their competition.
Asked about security incidents, 91% of respondents reported that they had suffered a security incident in their production APIs last year. Vulnerabilities (54%) and authentication issues (46%) topped the list, followed by bot/scraping (20%) and denial of service attacks (19%). Such vulnerabilities persist until an attacker discovers and exploits them, which can result in data exfiltration, account misuse, or service downtime. Nearly half of respondents experienced authentication problems as well.
100% of Salt Security customers have WAFs and API gateways, and 100% of Salt Security customers have API attacks that get past those tools. Given that 96% of API exploits happen against authenticated APIs, clearly security techniques common in WAFs and API gateways (access control, TLS, rate limiting, and IP allow/block lists for example) are insufficient. The challenge is that the dominant approaches of WAFs and API gateways miss 90% of the threats highlighted in the OWASP API Security Top 10 list of threats.
Salt customers’ average monthly call volume increased over the past 12 months, from 272 million calls per month at the start of 2020 to 410 million at the end of the year, an increase of 51%. In the same time period, malicious traffic grew 211%. Note that our customers all have WAFs and API gateways deployed, so this malicious traffic got past those traditional security controls. Such findings are consistent with broader industry research showing APIs as the dominant application attack vector.
Gartner predicts, “By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.” Yet more than a quarter of organizations running production APIs – 27% – have no API security strategy at all.
Nearly a quarter of organizations admit they have no way to know which APIs expose PII and other sensitive data – a direct result of an incomplete API inventory and inaccurate documentation. Almost half are only “somewhat confident” they know about these data exposures. Since the majority of organizations depend on developer-created documentation and/or API gateways to understand PII exposure, and confidence is this low, these approaches are incomplete and lack the details needed to keep sensitive data safe.
“Shift left” is a major and worthwhile goal for application security and DevSecOps initiatives. Improving secure development practices, scanning, and thorough testing can help improve the security of APIs. With only 46% of respondents applying runtime protection and 90% of respondents experiencing a security incident in production APIs, this overreliance on pre-production security tactics is leaving organizations vulnerable.