Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post

Salt Labs

Increasing API Traffic, Proliferating Attack Activity and Lack of Maturity: Key Findings from Salt Security’s 2024 State of API Security Report

Salt Labs
Jun 18, 2024

The latest Salt Security State of API Security Report is out now, and we’re thrilled to give a little sneak peek of its contents. As we have done in previous years, the State of API Security Report is assembled from survey responses and empirical data from Salt customers. This report includes the special addition of the “in the wild” API vulnerability research, much like last year’s report did, to give deeper insight into API concerns in real-world situations. Here is a brief preview of the discoveries in the wild: Salt Labs uncovers API security vulnerabilities and an increase in APIs:

  • The count of APIs is increasing, having gone up by 167% in the past year
  • APIs are now five times larger compared to the beginning of 2023 (the number of endpoints in an API can represent its size)
  • Web vulnerabilities such as SQL Injection and XSS are on an alarming upward trajectory, with SQL Injection CVEs witnessing a staggering 363.30% increase from 2020 to 2023

In our technologically advancing world, the number of APIs continues to skyrocket, as do the security breaches that come with that influx. With APIs being updated frequently and the rise of AI-generated APIs, maintaining security and visibility is becoming increasingly challenging. Traditional documentation methods are outdated, leaving organizations vulnerable to security risks and in desperate need of proactive defenses. Investment in dedicated API security solutions is essential for comprehensive threat visibility. These solutions empower organizations to identify and mitigate API vulnerabilities before they can be exploited.

This comprehensive report shares deep insights into the API Security landscape of diverse organizations, illustrating ongoing challenges within the industry and highlighting the evolving tactics and techniques of attackers.

Here are some of the key findings that were uncovered in this year’s State of API report:

1. Increase in API traffic and security breaches

The exponential growth in API traffic continues to broaden organizations’ attack surfaces. 37% of respondents say they’ve experienced an API security incident in the past 12 months, compared to 17% in 2023. This comes as no surprise given the proliferation of API traffic with 66% of respondents managing more than 100 APIs, up from 59% in 2023. Further to this, 67% of respondents have over 10 million requests sent to applications’ APIs each month. Despite growing API traffic, only 7.5% of organizations have implemented dedicated API testing and threat modeling programs, an alarmingly low amount! Budget constraints and limited resources remain a significant challenge for many organizations.

2. Incomplete API inventories and immature development programs

Many organizations are also still struggling to maintain up-to-date, accurate API inventories given the rapid pace of innovation. Only 58% of organizations have an established API discovery process in place, leading to significant security blind spots. 31% of organizations remain in the planning stage, while 55% are in the basic (risk assessment, network scanning, manual reviews) or intermediate (app sec testing, gateways) stages. Notably, the number of respondents with advanced programs went down this year to 7.5%, compared to 12% in 2023.

3. More interesting findings

  • API posture governance remains a new phenomenon yet to be adopted by many. Only 10% currently have a strategy in place, while 47% plan to implement such a strategy within the next 12 months.
  • Outdated or “Zombie” APIs were the most critical concern for survey respondents (69.9%), following the same trend of last year’s report. Account takeover or misuse ranked high as well, with 46% of respondents claiming it to be a main concern.
  • Similar to 2023, API authentication issues continue to cause issues in production APIs. In the past 12 months, 38% have encountered an authentication issue in production APIs.
  • 38% have also had a sensitive data exposure/privacy incident and 37% found a vulnerability within production APIs.

API best practices for secure APIs

The findings from the 2024 State of API Security survey are clear: reliance on APIs is growing, making them increasingly vital to organizational success. However, it is becoming more blatantly evident that traditional tools and processes are not sufficient for protecting API ecosystems, and there is an ongoing need for purpose-built solutions to address threats and risks within them. Organizations must adopt a modern security strategy that addresses security at every stage of the API lifecycle for all APIs.

APIs are integral to modern business operations, driving innovation and customer interactions. Yet, without proper security measures, they can expose sensitive data, disrupt operations, and damage customer trust. By prioritizing API security and implementing comprehensive strategies, organizations can safeguard their assets and maintain a competitive edge in today's digital landscape.

Don’t Wait. Get Your Copy of the Full Report!

Download the full report to better understand how your organization’s API practices, strategies, and priorities compare against the industry. For personalized remediation insights, consider requesting an API Security Gap Assessment and learn how Salt Security can help defend your organization from API risks. Connect with a rep or schedule a demo to take the next step in securing your APIs.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

November 5, 2024

Eric Schwake
Head of Product Marketing

Industry

API Security: The Non-Negotiable for Modern Transportation

Airlines and transportation companies heavily rely on APIs to handle sensitive data, from customer information to payment details and flight schedules. While crucial for efficient operations, these APIs are also prime cyberattack targets.

Read more

October 31, 2024

Alexandria Nicosia
Social Media Manager

Industry

Securing APIs in Retail: Safeguarding Customer Data

In the fast-paced retail industry, where customer trust and data protection are critical, API security must be a top priority to ensure both reliability and a seamless customer experience, confidence, and trust in digital services.

Read more

October 30, 2024

Eric Schwake
Head of Product Marketing

Customer

Salt Security and Dazz: A Powerful Partnership for API Security

Integrating Salt Security and Dazz provides a robust solution for organizations aiming to enhance their API and application security.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back