The data makes it clear: more companies are suffering more API attacks than ever, and companies remain as ill-prepared as ever.
The Salt Labs team today released the latest edition of the pioneering “State of API Security” report. The data, drawn from a combination of survey responses and empirical data from Salt Security customers, paints a picture of increased attacks, application rollout delays, worries over pre-prod and runtime API protection, and near-universal experiences of API security incidents.
Salt Security initiated this industry-first research six months ago, with the inaugural report. This time, the Salt Labs team spearheaded the effort. The findings show that despite increased awareness about the risk of APIs, the vast majority of companies are suffering attacks, don't have an API security strategy in place, and haven't determined who "owns" API security.
Here’s what we learned in this second edition of the report:
This kind of data is most useful when you use it to build a game plan for response. The survey results and Salt customer data contain a lot of sobering findings, but they also highlight a path forward. What are the implications for us as an industry?
With every Salt customer having a WAF and most also having API gateways, and all of them enduring multiple attacks per week, we can see the ineffectiveness of these tools in handling API attacks. Organizations hoping they’ve "got it covered" with these older technologies are keeping their companies exposed to unnecessary risk.
API security is often seen as a developer’s problem, but API attacks target vulnerabilities in business logic, which don’t show up in code testing. Companies must both “shift left” and “shield right” – that is, apply remediation insights to make their code more secure but also deploy runtime protection to fully protect their vital data and services.
Organizations need a mix of tactics to protect APIs. They must vet APIs as they're developed, automate runtime protection to block attackers, and provide developers with closed-loop feedback that distills learnings from runtime to help developers harden APIs.
Attackers need to poke and prod on APIs to learn the business logic they’re exercising and look for flaws. Organizations need to leverage big data and automation to identify this reconnaissance activity and stop attackers before they reach their objective.
Humans simply can’t keep up in the battle to protect APIs. The algorithms at the heart of API security platforms rely on time in market – seeing hundreds of customer environments over time – to learn and improve. Organizations must evaluate how long a system has been in market to understand how robust and refined its capabilities can be.
Download the full report so you can evaluate your organization’s progress on this critical journey. Insights from the report can help you chart a path to better protecting your own APIs.
You can also request an API Security Gap Assessment to better understand your API landscape and gain personalized remediation insights.
Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, joined our recent API Security Summit. Dr. Chuvakin’s session – co-hosted by Salt Security's Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs.
With the industry moving to microservices and API-driven applications, new security threats and attack vectors have emerged. The PCI Security Standards Council has worked to address these threats in its newest PCI DSS 4.0 standard.