Increasing API Traffic, Proliferating Attack Activity and Lack of Maturity: Key Findings from Salt Security’s 2024 State of API Security Report
The latest Salt Security State of API Security Report is out now, and we’re thrilled to give a little sneak peek of its contents. As we have done in previous years, the State of API Security Report is assembled from survey responses and empirical data from Salt customers. This report includes the special addition of the “in the wild” API vulnerability research, much like last year’s report did, to give deeper insight into API concerns in real-world situations. Here is a brief preview of the discoveries in the wild:
Salt Labs uncovers API security vulnerabilities and an increase in APIs:
- The count of APIs is increasing, having gone up by 167% in the past year
- APIs are now five times larger compared to the beginning of 2023 (the number of endpoints in an API can represent its size)
- Web vulnerabilities such as SQL Injection and XSS are on an alarming upward trajectory, with SQL Injection CVEs witnessing a staggering 363.30% increase from 2020 to 2023
In our technologically advancing world, the number of APIs continues to skyrocket, as do the security breaches that come with that influx. With APIs being updated frequently and the rise of AI-generated APIs, maintaining security and visibility is becoming increasingly challenging. Traditional documentation methods are outdated, leaving organizations vulnerable to security risks and in desperate need of proactive defenses. Investment in dedicated API security solutions is essential for comprehensive threat visibility. These solutions empower organizations to identify and mitigate API vulnerabilities before they can be exploited.
This comprehensive report shares deep insights into the API Security landscape of diverse organizations, illustrating ongoing challenges within the industry and highlighting the evolving tactics and techniques of attackers.
Here are some of the key findings that were uncovered in this year’s State of API report:
1. Increase in API traffic and security breaches
The exponential growth in API traffic continues to broaden organizations’ attack surfaces. 37% of respondents say they’ve experienced an API security incident in the past 12 months, compared to 17% in 2023. This comes as no surprise given the proliferation of API traffic, with 66% of respondents managing more than 100 APIs, up from 59% in 2023. In addition, 67% of respondents have over 10 million requests sent to applications’ APIs each month. Despite growing API traffic, only 7.5% of organizations have implemented dedicated API testing and threat modeling programs, an alarmingly low number! Budget constraints and limited resources remain a significant challenge for many organizations.
2. Incomplete API inventories and immature development programs
Many organizations are also still struggling to maintain up-to-date, accurate API inventories given the rapid pace of innovation. Only 58% of organizations have an established API discovery process in place, leading to significant security blind spots. 31% of organizations remain in the planning stage, while 55% are in the basic (risk assessment, network scanning, manual reviews) or intermediate (app sec testing, gateways) stages. Notably, the number of respondents with advanced programs went down this year to 7.5%, compared to 12% in 2023.
3. More interesting findings
- API posture governance remains a new phenomenon yet to be adopted by many. Only 10% currently have a strategy in place, while 47% plan to implement such a strategy within the next 12 months.
- Outdated or “Zombie” APIs were the most critical concern for survey respondents (69.9%), following the same trend as last year’s report. Account takeover or misuse ranked high as well, with 46% of respondents claiming it to be a main concern.
- Similar to 2023, API authentication issues continue to cause problems in production APIs. In the past 12 months, 38% have encountered an authentication issue in production APIs.
- 38% have also had a sensitive data exposure/privacy incident and 37% found a vulnerability within production APIs.
API best practices for secure APIs
The findings from the 2024 State of API Security survey are clear: reliance on APIs is growing, making them increasingly vital to organizational success. However, it is becoming increasingly evident that traditional tools and processes are not sufficient for protecting API ecosystems, and there is an ongoing need for purpose-built solutions to address threats and risks within them. Organizations must adopt a modern security strategy that addresses security at every stage of the API lifecycle for all APIs.
APIs are integral to modern business operations, driving innovation and customer interactions. Yet, without proper security measures, they can expose sensitive data, disrupt operations, and damage customer trust. By prioritizing API security and implementing comprehensive strategies, organizations can safeguard their assets and maintain a competitive edge in today's digital landscape.