Salt Labs

Increasing API Traffic, Proliferating Attack Activity and Lack of Maturity: Key Findings from Salt Security’s 2024 State of API Security Report

Jun 18, 2024

The latest Salt Security State of API Security Report is out now, and we’re thrilled to give a little sneak peek of its contents. As in previous years, the State of API Security Report is assembled from survey responses and empirical data from Salt customers. Like last year’s report, it also includes “in the wild” API vulnerability research to give deeper insight into API concerns in real-world situations.

Here is a brief preview of the in-the-wild discoveries, in which Salt Labs uncovered API security vulnerabilities and an increase in APIs:

  • The count of APIs is increasing, having gone up by 167% in the past year
  • APIs are now five times larger compared to the beginning of 2023 (the number of endpoints in an API can represent its size)
  • Web vulnerabilities such as SQL Injection and XSS are on an alarming upward trajectory, with SQL Injection CVEs witnessing a staggering 363.30% increase from 2020 to 2023

In our technologically advancing world, the number of APIs continues to skyrocket, as do the security breaches that come with that influx. With APIs being updated frequently and the rise of AI-generated APIs, maintaining security and visibility is becoming increasingly challenging. Traditional documentation methods are outdated, leaving organizations vulnerable to security risks and in desperate need of proactive defenses. Investment in dedicated API security solutions is essential for comprehensive threat visibility. These solutions empower organizations to identify and mitigate API vulnerabilities before they can be exploited.

This comprehensive report shares deep insights into the API Security landscape of diverse organizations, illustrating ongoing challenges within the industry and highlighting the evolving tactics and techniques of attackers.

Here are some of the key findings that were uncovered in this year’s State of API report:

1. Increase in API traffic and security breaches

The exponential growth in API traffic continues to broaden organizations’ attack surfaces. 37% of respondents say they’ve experienced an API security incident in the past 12 months, compared to 17% in 2023. This comes as no surprise given the proliferation of API traffic with 66% of respondents managing more than 100 APIs, up from 59% in 2023. Further to this, 67% of respondents have over 10 million requests sent to applications’ APIs each month. Despite growing API traffic, only 7.5% of organizations have implemented dedicated API testing and threat modeling programs, an alarmingly low amount! Budget constraints and limited resources remain a significant challenge for many organizations.

2. Incomplete API inventories and immature development programs

Many organizations are also still struggling to maintain up-to-date, accurate API inventories given the rapid pace of innovation. Only 58% of organizations have an established API discovery process in place, leading to significant security blind spots. 31% of organizations remain in the planning stage, while 55% are in the basic (risk assessment, network scanning, manual reviews) or intermediate (app sec testing, gateways) stages. Notably, the number of respondents with advanced programs went down this year to 7.5%, compared to 12% in 2023.

3. More interesting findings

  • API posture governance remains a new phenomenon yet to be adopted by many. Only 10% currently have a strategy in place, while 47% plan to implement such a strategy within the next 12 months.
  • Outdated or “Zombie” APIs were the most critical concern for survey respondents (69.9%), following the same trend of last year’s report. Account takeover or misuse ranked high as well, with 46% of respondents claiming it to be a main concern.
  • Similar to 2023, API authentication issues continue to cause problems in production APIs. In the past 12 months, 38% have encountered an authentication issue in production APIs.
  • 38% have also had a sensitive data exposure/privacy incident and 37% found a vulnerability within production APIs.

API best practices for secure APIs

The findings from the 2024 State of API Security survey are clear: reliance on APIs is growing, making them increasingly vital to organizational success. However, it is increasingly evident that traditional tools and processes are not sufficient for protecting API ecosystems, and there is an ongoing need for purpose-built solutions to address the threats and risks within them. Organizations must adopt a modern security strategy that addresses security at every stage of the API lifecycle for all APIs.

APIs are integral to modern business operations, driving innovation and customer interactions. Yet, without proper security measures, they can expose sensitive data, disrupt operations, and damage customer trust. By prioritizing API security and implementing comprehensive strategies, organizations can safeguard their assets and maintain a competitive edge in today's digital landscape.

Don’t Wait. Get Your Copy of the Full Report!

Download the full report to better understand how your organization’s API practices, strategies, and priorities compare against the industry. For personalized remediation insights, consider requesting an API Security Gap Assessment and learn how Salt Security can help defend your organization from API risks. Connect with a rep or schedule a demo to take the next step in securing your APIs.
