State of API Security Report Q3 2022

API Security Trends

Our industry-leading research examines how companies are securing APIs, the challenges they face, and how their API security strategies are evolving.

Malicious traffic accounts for 2.1% of overall API traffic

Salt customer data shows the average number of APIs per customer grew 82% over last year, up from 89 in July 2021 to more than 162 in July 2022. During the same period, overall API traffic per customer grew 168%, indicating that API usage is also exploding.

Attack activity continues to keep pace with this dramatic API usage growth and now accounts for 2.1% of overall API traffic for Salt customers. Malicious API attack traffic surged 117% over the past year, from an average of 12.22M malicious calls per month to an average of 26.46M calls.

API attackers are ruthless and relentless

Not surprisingly, increased API usage and traffic have resulted in more attacks. Salt customer data reveals that 34% of customer accounts have experienced more than 100 attempted attacks per month. And 15% have experienced 500 or more attempted attacks per month, up from 11% a year ago.

API attacks are causing significant security concerns

A resounding 94% of survey respondents reported they have experienced API security problems in production APIs. Nearly half (47%) indicate that they have identified vulnerabilities in production APIs, 38% have experienced authentication problems, and 31% have seen sensitive data exposure and privacy incidents. Vulnerabilities in production have markedly increased by 8% over the past six months. And most frightening, nearly 20% of respondents say their organizations have experienced a breach resulting from insecure APIs.

More than half of respondents have delayed rolling out a new application due to API security concerns

Companies rely on their APIs to build the applications that drive innovation and produce revenue, so there is no room for deployment delays. Unfortunately, 54% of respondents indicate that they have had to slow the rollout of a new application because of an API security concern.

Stopping attacks is the most highly valued API security attribute; shift left is lowest

The ability to stop attacks was rated the most critical attribute by the most respondents (41%), compared to only 22% who rated shift-left capabilities a top need. The ability to identify which APIs are exposing PII or sensitive data was second highest, with 40% of respondents ranking that capability as “highly important.” These two areas – runtime protection and exposed sensitive data – represent the greatest sources of immediate risk for organizations.

See why 73% lack confidence in ability to respond to API attacks

The stakes are high, with sensitive data at risk

Nearly a third of respondents admit they have experienced sensitive data exposure or a privacy incident within their production APIs over the past year, a sharp increase over last year’s 19%. 91% of Salt customers’ APIs expose some PII or sensitive data, so it’s imperative to know where and how that sensitive data is transmitted and to protect those APIs with extra diligence.

Security-related concerns top the list of API challenges

As organizations continue to mature their API programs, it’s no surprise that security-related considerations top their list of concerns. Not investing enough in pre-production security (20%) and not adequately addressing runtime security (18%) were the top API concerns noted by respondents. Also high on the list is a lack of focus on requirements and documentation (19%), which is paramount for those tasked with maintaining secure APIs.

Out-of-date or "zombie" APIs create the greatest worries

When asked about the most concerning API security risks, 42% of respondents said that their biggest worry is outdated or “zombie” APIs, nearly triple the rate of any other concern. Zombie APIs have been consistently rated the #1 concern for the past four surveys, likely a direct result of the increasingly fast pace of development as companies seek to maximize the business value associated with APIs. As organizations build new APIs, they often fail to deprecate previous versions, leaving them vulnerable since nobody is patching or documenting these out-of-date APIs.

42% of respondents are changing APIs daily or weekly

Beyond the growing number of APIs, the fast pace of updates further complicates securing and maintaining them. One year ago, only 6% of survey respondents indicated that they update their APIs daily. Today, that number has increased to 11%. An additional 31% update their APIs weekly, while only 10% update them less frequently than every few months.

Most respondents admit they lack any or have only a basic API security strategy

With reliance on APIs at an all-time high and critical business outcomes relying upon them, it is even more imperative that organizations build and implement a strong API security strategy. Unfortunately, only 9% of respondents can confidently state that they have an advanced API security strategy that includes dedicated API testing and protection. 61% admit that they lack any API security strategy or have only basic protections (risk assessment, network scanning, manual reviews).
