Salt Security today released the latest findings of its bi-annual report on API security trends. Over the past 12 months, attack traffic grew at nearly twice the rate of non-malicious traffic. Empirical data from the Salt Security SaaS cloud platform shows a 681% increase in attack traffic compared to a 321% increase in overall API call volume. At the same time, 95% of companies surveyed in the latest “State of API Security” report suffered an API security incident last year.
Organizations have clearly internalized the risk they face as a result of their insecure APIs. Nearly two-thirds of survey respondents (62%) acknowledge they have slowed the release of new applications as a result of API security concerns. Disappointingly, more than a third of survey respondents (34%), all of whom are running production APIs, lack any kind of API security strategy.
Consider the string of high-profile API security incidents in 2021 – Experian, Peloton, Parler, LinkedIn, and John Deere all made headlines with hacktivists, whitehat hackers, and bad actors all discovering significant API vulnerabilities or successfully scraping millions of data records or an entire online community's digital records. Just last month, a security researcher detailed a Coinbase API vulnerability that could have bankrupted the crypto exchange platform.
This edition of the Salt Security “State of API Security” report, our third in 13 months, highlights that the number of API security incidents continues to rise. It shows that companies recognize the growing API security risk, and yet few companies are prepared to address this risk.
Among the most sobering findings:
- 95% of the more than 250 survey respondents said they’ve experienced an API security incident in the past 12 months
- only 11% of respondents have an API security strategy that includes dedicated API testing and protection – 34% lack any security strategy at all for APIs
- shift-left tactics are falling short, with more than 50% of respondents saying developers, DevOps, or DevSecOps teams are responsible for API security while 85% acknowledge their existing tools are not very effective in stopping API attacks
- when asked their biggest concern about their company’s API program, 40% of respondents highlighted gaps in security as their top worry
- 94% of API exploits are happening against authenticated APIs, according to Salt customer data
- stopping attacks tops the list of most valuable attributes of an API security platform
- 40% of respondents are grappling with APIs that change at least every week, with 9% saying their APIs change daily
Building an effective game plan to move forward
Why are companies struggling to combat this risk? Nearly a quarter – 22% of respondents – say a lack of expertise is their biggest inhibitor to implementing an optimal API security strategy. Another 20% say they lack the budget to do so, 15% lack the right tools, 13% say they don’t have the time, and another 13% say they don’t have the resources or people to build a strategy.
Clearly the status quo is leaving companies at significant risk. In the face of this staggering increase in API attacks, how can companies craft an effective approach to API security? Key steps include:
- Assess your current level of risk – APIs have emerged as the number one threat vector for applications, but companies’ action plans do not match the level of risk. You need to apply a combination of API design analysis, testing, and attack simulation to understand your current level of risk. Capturing and sharing the results of such an assessment will be crucial to getting the budget needed and resources prioritized to mitigate the risk of insecure APIs.
- Protect all your application environments, without getting in the way – as you build a plan for runtime protection, to make sure you adopt an approach that will address the breadth of cloud-native and legacy application environments, wherever they happen to be running, in the cloud or on prem. You’ll need to deploy frictionless security, since your API security tooling cannot slow down your vital applications or services.
- Tap the power of cloud-scale big data, AI, and ML – your APIs are unique, so attacks have to be unique as well. To find your APIs’ security gaps, bad actors have to perform extensive reconnaissance, using lots of trial and error to experiment with different means of attack. To fully protect yourself, you’ll need cloud-scale big data to identify this reconnaissance behavior. Any solution that can run entirely in your own environment will not have sufficient data collection and correlation capabilities to stitch together the actions of a bad actor over the days, weeks, and months spent learning how best to compromise your APIs.
- Don’t over-rotate on shift-left tactics – applying shift-left and secure build pipeline mechanisms has value, but you face two crucial limitations in relying too heavily on this aspect of API security. First is time to protection – if you have to wait for developers to fix code to be safe, you are sacrificing your company’s ability to be protected now. API security is too vital to leave to developers working through their backlog of 100s of vulnerabilities to get to your list of requested API fixes. Second is overall value – runtime protection provides the assurance that your data and services will be fully protected. You simply cannot find all API security gaps in pre-prod testing and analysis. APIs have to be exercised for many of their vulnerabilities to be exposed, so relying on only shift-left approaches will leave you vulnerable.
As the industry takes another giant leap forward in this critical API security journey, one thing is certain – APIs have emerged as the broadest and most risky attack surface in the enterprise. Perhaps the biggest lesson we can take from our latest research is that 2022 must be the year that organizations get serious about securing APIs.
The time is now.
We invite you to start getting serious with your API security plan by requesting your 3-Day API Security Assessment. You’ll get a full report of shadow APIs, exposed data, and business logic gaps that are putting your organization at risk. What do you have to lose?