Salt Security today released the latest findings of its bi-annual report on API security trends. Over the past 12 months, attack traffic grew at nearly twice the rate of non-malicious traffic. Empirical data from the Salt Security SaaS cloud platform shows a 681% increase in attack traffic compared to a 321% increase in overall API call volume. At the same time, 95% of companies surveyed in the latest “State of API Security” report suffered an API security incident last year.
Organizations have clearly internalized the risk they face as a result of their insecure APIs. Nearly two-thirds of survey respondents (62%) acknowledge they have slowed the release of new applications as a result of API security concerns. Disappointingly, more than a third of survey respondents (34%), all of whom are running production APIs, lack any kind of API security strategy.
Consider the string of high-profile API security incidents in 2021 – Experian, Peloton, Parler, LinkedIn, and John Deere all made headlines as hacktivists, white-hat hackers, and bad actors discovered significant API vulnerabilities or scraped millions of data records, in some cases an entire online community's digital records. Just last month, a security researcher detailed a Coinbase API vulnerability that could have bankrupted the crypto exchange platform.
This edition of the Salt Security “State of API Security” report, our third in 13 months, highlights that the number of API security incidents continues to rise. It shows that companies recognize the growing API security risk, and yet few companies are prepared to address this risk.
Among the most sobering findings:
Why are companies struggling to combat this risk? Nearly a quarter – 22% of respondents – say a lack of expertise is their biggest inhibitor to implementing an optimal API security strategy. Another 20% say they lack the budget to do so, 15% lack the right tools, 13% say they don’t have the time, and another 13% say they don’t have the resources or people to build a strategy.
Clearly the status quo is leaving companies at significant risk. In the face of this staggering increase in API attacks, how can companies craft an effective approach to API security? Key steps include:
As the industry takes another giant leap forward in this critical API security journey, one thing is certain – APIs have emerged as the broadest and most risky attack surface in the enterprise. Perhaps the biggest lesson we can take from our latest research is that 2022 must be the year that organizations get serious about securing APIs.
The time is now.
We invite you to start getting serious with your API security plan by requesting your 3-Day API Security Assessment. You’ll get a full report of shadow APIs, exposed data, and business logic gaps that are putting your organization at risk. What do you have to lose?
Unsafe consumption of APIs can lead to security breaches that expose sensitive data, user credentials, or proprietary information: attackers who exploit weaknesses in how an application consumes third-party APIs may gain unauthorized access, execute arbitrary code, or perform unauthorized actions within the system.
Improper Inventory Management is the ninth security threat listed in the OWASP API Security Top 10. By exploiting this weakness, attackers can gain unauthorized access to sensitive data, or even full server access, through old, unpatched, or otherwise vulnerable API versions that remain exposed.