Delaying application rollouts. Suffering dozens to hundreds of API attacks every month. Having no API security strategy despite running APIs in production. Providing no runtime security for APIs. Worries over zombie APIs.
These pain points are just a few we uncovered as we set out to understand the state of API security today – a critical window into broader enterprise security trends given that APIs underlie every revenue-generating application today. To gather data, we surveyed nearly 200 security, application, and DevOps professionals about their API concerns, the related technologies they’re using today, and their experience of API security incidents. We were able to augment the survey results with real-world data culled from our SaaS platform, which holds anonymized data from all Salt customers. Together, the findings paint a picture of an industry struggling to protect these most vital of assets.
Amongst the most sobering of findings:
• 66% of organizations have delayed the rollout of a new application into production because of API security concerns – these delays inevitably translate into lost revenue and slower business innovation
• 91% of organizations experienced an API security incident last year – Salt customers are experiencing dozens to hundreds of incidents every month
• 100% of Salt customers have WAFs and API Gateways, and 100% suffered API attacks – the perception that WAFs or API gateways mean “you’re covered” on API security is contributing to the risk organizations face
• API traffic grew 51%, but malicious API traffic grew 211% last year – customer data on our SaaS platform exposed the growing popularity of attacking APIs
• 27% of organizations running production APIs have no API security strategy in place at all – another 27% have only a basic security strategy, meaning organizations remain vulnerable to this growing threat vector
• More than half of organizations apply no runtime API security protection – given the high rate of API attacks, relying solely on applying security during the API development phase is keeping organizations exposed
• Outdated and zombie APIs present the greatest perceived risk – more than half of respondents cited this risk area as their Number 1 or Number 2 source of concern. Zombie APIs (older APIs, or those that were expected to be short-lived) present a special risk because organizations assume they have already been decommissioned
• 83% of organizations lack confidence in their API inventory – organizations detailed the various ways they document their APIs, but only 16% of respondents are very confident that their API inventory is complete
• 82% of organizations lack confidence that they know which of their APIs expose PII (which might include CPNI, PHI, cardholder data, and other sensitive information) – 22% of organizations admit they have no way to know which APIs expose PII
Both the survey results and the data from the Salt Security API security SaaS platform show that organizations are struggling to keep up with the security risk that APIs present. Organizations must move from traditional security practices and last-generation tools to a modern security strategy that addresses security at every stage of the API lifecycle, provides a broad range of protections, and fosters collaboration across teams.
1. Augmenting WAFs and API gateways is essential. Longevity can breed complacency, and APIs have been around for decades. Too many organizations think they've "got it covered" with WAFs and API gateways, but successful API attacks continue to increase, proving these older technologies provide insufficient protection.
2. Overreliance on dev teams and pre-prod checks is not working. API attacks are on the rise. While “shift left” efforts to improve API security should continue, organizations must also "shift right" and augment these tactics with runtime protection for APIs.
3. A full lifecycle approach is essential. Organizations should especially ensure protection against vulnerabilities in production. To deliver full efficacy, an API security platform should also include a closed-loop system, with a means of providing developers feedback to quickly remediate vulnerabilities found in production.
4. Automation is critical. Given the speed of agile development methods and DevOps practices, the volume of APIs in use, and the rate of change to internal and external APIs, properly securing APIs requires automation at every phase of the API lifecycle. Techniques that depend on manual efforts will not scale in today’s DevOps and cloud-native world and will hamper application deployments.
5. You can’t prevent attackers from targeting APIs, but you can stop them before they succeed. Unlike other security risks, where a single successful effort unlocks the reward, API attacks are often low and slow as attackers build out their understanding of your environment. This reality means you have time to identify attackers, learn from their behaviors, block them before they ultimately succeed, and keep your most critical services and data safe.
We encourage you to download the complete report and benchmark your organization against the findings from your peers. Use the findings in this report to identify the low-hanging fruit – the handful of steps you can follow today to protect your organization’s vital API pathways.
And if you want to see how Salt can help make it easier for you to understand your API landscape, block attackers, and gain remediation insights, request a demo today.