Industry’s first State of API security report finds two thirds of organizations have delayed application rollouts over API security concerns and more than a quarter have no API strategy
Palo Alto, CA – February 3, 2021 – Salt Security, the leading API security company, today released the results of the industry’s first API security report titled, “The State of API Security – Q1 2021.” Among its findings, the report revealed that 66% of organizations admit to having slowed the rollout of a new application into production because of API security concerns. In addition, 54% of organizations running production APIs have at best only a basic strategy for API security, with 27% having no strategy at all. The report combines survey results with customer data from Salt’s API security SaaS service, and the findings make clear that, despite the critical role APIs have in enabling revenue and innovation, companies of all sizes lack sufficient API security.
“In today’s digital economy, APIs are the direct gateway to organizations’ most critical data and assets. Built to enable customers and partners, these APIs create risk by also providing a path for attackers to follow. As APIs have grown in volume and functionality, they’ve made ever more attractive targets for hackers, driving up the number and sophistication of API attacks,” said Roey Eliyahu, CEO and co-founder of Salt Security. “We compiled the industry’s first State of API Security Report to better understand the enterprise experience of APIs today. The study makes clear that companies’ current approaches for securing APIs have gaps that leave them at risk. It also highlights how organizations need new approaches to API security if they are to continue innovating safely and remain competitive.”
Nearly all respondents (91%) experienced an API security incident last year
Respondents identified API security problems found in their organization’s production APIs, and 91% had suffered a problem last year. Vulnerabilities (54%) and authentication issues (46%) topped the list, followed by bot/scraping (20%) and denial of service attacks (19%). Finding a vulnerability in a production API means that pre-production vetting, while crucial, cannot prevent vulnerabilities from making their way into production rollouts. What’s even more alarming is the Salt customer data showed the number of API attacks per month per customer increased from 50 last June to nearly 80 by December. Given the rate of incidents, it’s not surprising to see 66% of companies have delayed rollouts.
WAFs and API Gateways cannot stop API attacks
Every Salt customer has WAFs and API gateways, and every Salt customer has also experienced multiple attacks per month. So, API attacks are routinely getting past those tools. This finding is less surprising given that WAFs and API gateways miss 90% of the OWASP API Security Top 10 threats. More shocking, however, is that 9% of respondents admitted they cannot identify API attacks.
More than a quarter of organizations running production APIs have no API security strategy
As DevOps has emerged, security teams are frequently required to play catch-up, with more than a quarter of organizations running critical API-based applications with no security strategy and another 27% of organizations having only a basic strategy for API security. In addition, while more than two thirds of respondents note that security teams have been highlighting the OWASP API Security Top 10 threats, teams still do not have a plan in place for securing APIs.
83% of organizations lack confidence in their API inventory
Organizations are using a broad array of API documentation techniques, and yet only 16% of respondents are very confident that their API inventory is complete. Most of today’s common approaches depend on humans to provide a complete view of APIs, leaving API documentation incomplete as a result of the speed of new development and API changes.
Other key report findings:
- API traffic is growing, but malicious API traffic is growing faster -- Salt Security customers’ monthly volume of API calls grew 51%, while the percentage of malicious traffic grew 211%
- 80% of organizations do not believe their security tools can prevent API attacks effectively
- 82% of organizations lack confidence in knowing API details such as exposed PII, which might include CPNI, PHI, cardholder data, and other sensitive information -- 22% of organizations admit they have no way to know which APIs expose PII
- Outdated and zombie APIs present the greatest perceived risk -- zombie APIs, older APIs or those expected to be short-lived, present a special risk because organizations assume they’ve been decommissioned
- Current API security approaches heavily rely on pre-production lifecycle phases -- more than half of organizations apply no runtime API security protection
About the Salt Security State of API Security Report
Salt Security compiled anonymized customer data and survey responses from nearly 200 security, application, and DevOps professionals to create this industry-first report. Survey respondents came from companies of all sizes—ranging from fewer than 100 employees to more than 10,000—and represented the following industries: Education, Energy/Utilities, Entertainment, Federal Government, Financial Services, Healthcare, Manufacturing, Media and Technology. Respondent functional roles included Application Security, Security Architect, DevOps, API Platform, Product, CIO/C-Level, CISOs, and others.