Salt Labs has identified a significant rise in attackers targeting our customer base. The end of last year saw a major spike, with 4,845 attackers operating in December alone — a 400% increase from just a few months prior.
Bad actors are tenacious and are continuing to find new and unexpected ways to attack. In the past, organizations believed that proper authentication to interact with an API was enough of a deterrent to send attackers elsewhere. Salt Labs data shows that 78% of attacks come from seemingly legitimate users who have maliciously achieved the proper authentication.
Survey respondents told us that API security concerns have delayed their own application rollouts far too frequently. An unfortunate 59% have experienced application rollout delays resulting from security issues identified in APIs. With these business delays and so many notable API security breaches making headlines, it’s no surprise that 48% of survey respondents say that API security has become a C-level discussion over the past year.
API security problems are a real concern for survey respondents. 94% had some security issue with their production APIs over the past year, with vulnerabilities topping the list at 41%, followed closely by authentication problems at 40%. Of more concern, 31% had experienced a sensitive data exposure or privacy incident and 17% had experienced a security breach; such events have significant costs and reputational damage associated with them.
The OWASP API Security Top 10 list is an industry standard in the API space, but it’s a focus area for security programs at only 54% of respondents’ organizations. This low percentage is disheartening, since Salt customer data shows that 66% of all attack attempts leverage at least one of these 10 security vulnerabilities. Typically, bad actors chain several of these 10 attack types together to mount more sophisticated attacks.
With significant API security issues happening so frequently, it stands to reason that respondents have real concerns about their API security programs. Outdated/zombie APIs top their concerns, with 54% indicating that they are of high concern. Given that respondents also identified significant documentation challenges in their organizations, it’s highly likely most environments are running APIs that are not documented. So, even though the lowest percentage (20%) cited shadow APIs as a top concern, the risk in this area is likely higher than many respondents realize.
With reliance on APIs at an all-time high and critical business outcomes relying upon them, it is even more imperative that organizations build and implement a strong API security strategy. Unfortunately, only 12% of respondents’ organizations have what they consider to be advanced API security strategies that include dedicated API testing and runtime protection. On the opposite side of the spectrum, 30% of respondents — all of whom have APIs running in production — admit they have no current API strategy.
Survey respondents indicated that they primarily leverage traditional tools and processes to secure their APIs, relying mostly on API gateways (52%), log file analysis (51%), and WAF alerts (44%). However, they don’t believe these methods are particularly effective, with 77% of respondents saying their existing tools aren’t very effective in preventing API attacks.
API security is taking center stage for many organizations, but what exactly are they looking for? The capabilities that respondents identified as most valuable were the ability to identify which APIs expose PII or sensitive data (44%), stop attacks (44%), and meet compliance or regulatory requirements (38%). Respondents considered the ability to implement shift-left API security practices their lowest-valued capability, with only 22% citing it as highly important.
Having a comprehensive view of your API attack surface is widely agreed to be the first step to protecting APIs. Unfortunately, respondents tell us that their confidence in a complete and accurate API inventory is low, with only 19% saying they feel very confident. Why? APIs are constantly changing, making them nearly impossible to document well. In fact, 37% of organizations update their APIs at least weekly.
Respondents are less than confident in their ability to recognize what sensitive or personally identifiable information (PII) is exposed within their APIs. Only 18% say they are very confident that their API inventories provide enough detail about their APIs and the sensitive data within. On the other hand, 30% admit that they lack confidence in this area.