Salt Security today released the latest findings of its bi-annual report on API security trends. Over the past 12 months, attack traffic grew at nearly twice the rate of non-malicious traffic. Empirical data from the Salt Security SaaS cloud platform shows a 681% increase in attack traffic compared to a 321% increase in overall API call volume. At the same time, 95% of companies surveyed in the latest “State of API Security” report suffered an API security incident last year.
Organizations have clearly internalized the risk they face as a result of their insecure APIs. Nearly two-thirds of survey respondents (62%) acknowledge they have slowed the release of new applications as a result of API security concerns. Disappointingly, more than a third of survey respondents (34%), all of whom are running production APIs, lack any kind of API security strategy.
Consider the string of high-profile API security incidents in 2021 – Experian, Peloton, Parler, LinkedIn, and John Deere all made headlines as hacktivists, whitehat hackers, and bad actors discovered significant API vulnerabilities or successfully scraped millions of data records, in some cases an entire online community's digital records. Just last month, a security researcher detailed a Coinbase API vulnerability that could have bankrupted the crypto exchange platform.
This edition of the Salt Security “State of API Security” report, our third in 13 months, highlights that the number of API security incidents continues to rise. It shows that companies recognize the growing API security risk, and yet few companies are prepared to address this risk.
Among the most sobering findings:
Why are companies struggling to combat this risk? Nearly a quarter – 22% of respondents – say a lack of expertise is their biggest inhibitor to implementing an optimal API security strategy. Another 20% say they lack the budget to do so, 15% lack the right tools, 13% say they don’t have the time, and another 13% say they don’t have the resources or people to build a strategy.
Clearly the status quo is leaving companies at significant risk. In the face of this staggering increase in API attacks, how can companies craft an effective approach to API security? Key steps include:
As the industry takes another giant leap forward in this critical API security journey, one thing is certain – APIs have emerged as the broadest and riskiest attack surface in the enterprise. Perhaps the biggest lesson we can take from our latest research is that 2022 must be the year that organizations get serious about securing APIs.
The time is now.
We invite you to start getting serious with your API security plan by requesting your 3-Day API Security Assessment. You’ll get a full report of shadow APIs, exposed data, and business logic gaps that are putting your organization at risk. What do you have to lose?