State of API Security Report Q3 2022


Context-based security for all your APIs

Only Salt delivers the context you need to protect your APIs across build, deploy, and runtime phases. We combine complete coverage and an ML/AI-driven big data engine to provide that context – to show you all your APIs, stop attackers during the early stages of an attempted attack, and share insights to improve your API security posture.

APIs are a top target

APIs are built expressly to share a company's most valuable data and services. That makes them a lucrative target for bad actors. We've already hit the tipping point – APIs are now THE way in.

Then:
"By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications."
– "Predicts 2018: Infrastructure Protection", Strategic Planning Assumption, 20 November 2017

...and now:
"As 2022 approaches, this prediction could arguably be counted as 'missed' – but only because we underestimated the steep rise in attacks on APIs."
– "Predicts 2022: APIs Demand Improved Security and Management", 06 December 2021

Attacks have changed – and they’re easy to miss

Bad actors now target business logic vulnerabilities in your APIs. But since your APIs are unique, it takes them days, weeks, or even months to probe and learn your APIs. They use “low and slow” techniques that WAFs, gateways, and other traditional tools can't detect, leaving you vulnerable.

Past: one and done
  • Single API call – seconds to minutes
  • Known attacks – SQLi, XSS, etc.

Today: low and slow
  • Sequence of API calls – days to weeks
  • Business logic attacks – requires context

Everyone says they do API security

Legacy and adjacent tools are trying to pivot
To remain relevant, get into a hot space, or grow their reach, vendors of all stripes are claiming they do API security. You've got the tough job of sorting through all the noise – you need to get clear on what API security really is and the architecture needed to do it right.


Why WAFs and gateways fall short

Gateways weren’t built for security
IT teams use API gateways to publish and update APIs, monitor their usage, facilitate reuse, and enforce schema consistency. But gateways have no ability to analyze API traffic over time and cannot see the indicators of API manipulation at runtime. That’s why all the gateway vendors partner with Salt for runtime protection.

WAFs can’t see business logic attacks
WAFs, using technology developed 20 years ago, apply rules to protect web apps from yesterday’s attacks, like SQL injections and cross-site scripting. WAFs allow or deny per transaction – they have no ability to stitch together activity over time, so they can’t see today’s API attacks. That’s why, despite the prevalence of WAFs, we see headlines every month of a new company suffering an API breach.

API attacks don’t follow patterns
Every API vulnerability is a zero-day vulnerability, because every company’s APIs are unique and so are their security gaps. Bad actors have to poke and prod to learn your APIs and find mistakes in business logic they can exploit. The only way to catch these attacks is with context – deep behavioral analysis over time. That’s why API security is a whole new category of product needed in your arsenal.
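To make the per-transaction vs. over-time distinction concrete, here is an added Python example (not Salt's code, and no claim about how the Salt platform works): a simplified signature rule standing in for a WAF, next to a stateful check that counts distinct object IDs per client across a multi-day window, both run over a constructed log of one legitimate user and one slow ID walk.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API log: (timestamp, client, request). Not real traffic.
LOG = [
    ("2022-07-01T09:00:00", "10.0.0.5", "GET /api/orders/1001"),
    ("2022-07-02T09:05:00", "10.0.0.5", "GET /api/orders/1001/items"),
    ("2022-07-03T18:20:00", "10.0.0.5", "GET /api/orders/1001"),
    ("2022-07-01T02:11:00", "10.0.0.9", "GET /api/orders/2001"),
    ("2022-07-02T03:40:00", "10.0.0.9", "GET /api/orders/2002"),
    ("2022-07-03T01:05:00", "10.0.0.9", "GET /api/orders/2003"),
    ("2022-07-04T04:52:00", "10.0.0.9", "GET /api/orders/2004"),
    ("2022-07-05T02:30:00", "10.0.0.9", "GET /api/orders/2005"),
    ("2022-07-06T03:15:00", "10.0.0.9", "GET /api/orders/2006"),
    ("2022-07-06T03:16:00", "10.0.0.9", "GET /api/orders/1' OR 1=1--"),
]

# Stand-in for a WAF signature rule (simplified; real rule sets are far larger).
SQLI = re.compile(r"(\bor\b\s+1=1|--|')", re.IGNORECASE)
# Path shape of a single-object lookup; the captured group is the object ID.
OBJECT = re.compile(r"^/api/orders/(\d+)$")

def waf_verdicts(log):
    """Per-transaction rule: each request is judged on its own, so only the
    classic injection string is blocked; the ID walk looks like normal use."""
    return [(client, "block" if SQLI.search(req) else "allow")
            for _, client, req in log]

def behavioral_alerts(log, window=timedelta(days=7), threshold=5):
    """Stateful check: per client, count distinct object IDs requested inside
    a sliding window. Many IDs from one client over days is the enumeration
    signature that no single request reveals."""
    history = defaultdict(list)  # client -> [(time, object_id)]
    alerts = {}
    for ts, client, req in sorted(log):
        m = OBJECT.match(req.split(" ", 1)[1])
        if not m:
            continue  # not a single-object lookup (or malformed path)
        t = datetime.fromisoformat(ts)
        history[client].append((t, m.group(1)))
        recent = {oid for t0, oid in history[client] if t - t0 <= window}
        if len(recent) >= threshold:
            alerts[client] = len(recent)  # latest distinct-ID count in window
    return alerts

if __name__ == "__main__":
    print(waf_verdicts(LOG).count(("10.0.0.9", "block")), behavioral_alerts(LOG))
```

The signature rule blocks only the single request carrying the injection string; the six-day walk through order IDs from 10.0.0.9 is visible only once requests are correlated per client over the window.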

Video: Real-world API Attacks: What your WAF is missing
This comparison shows what API attacks a WAF can spot vs. Salt. We use Postman to launch a combination of more traditional (SQLi, XSS) attacks vs. more sophisticated API attacks. The WAF only has pre-set rules to follow – that’s why it allows the API attack traffic through, whereas Salt spots and blocks the attacks.


Tools like WAFs and API gateways don't have any context for what's happening across APIs and, in turn, cannot effectively detect or protect against exploitation. Salt pulls together all the activity of all users, so it can find and stop attackers in their tracks.

Curtis Simpson, CISO

Many purpose-built API security tools also have gaps

Code Instrumentation

  • Leaves security in developers’ hands
  • Relies on laborious and slow coding, and developers resist “other” code
  • Protects only new APIs or requires retooling of APIs already in production
  • Fails to provide dynamic discovery of APIs or sensitive data

OAS/Swagger Analysis

  • Relies on documentation, which is rarely current or perfect
  • Fails to provide dynamic discovery of APIs or sensitive data
  • Protects only new APIs
  • Limits runtime protection to enforcing the API schema – positive security is notoriously risky

On-prem Architecture

  • Provides behavioral analysis for only hours’ worth of traffic, missing most “in the wild” attacks (a cloud option from this type of provider will have the same deficit – no one builds two architectures)
  • Lacks edge processing, increasing cloud costs significantly as full API traffic is sent to cloud back end
  • Increases false positives and slows incident response, given limited data

Effective API security depends on rich context

What sets Salt apart is the ability to analyze your API traffic over days, weeks, and even months, applying cloud scale and mature algorithms to your API traffic.

We see more than anyone else, so we stop more attacks than anyone else.

You get:
  • Better discovery – with smart aggregation of APIs vs. a long list of duplicated endpoints
  • Better runtime protection – with insights spanning months of API usage patterns to spot and stop more attacks
  • Better shift-left security – with pre-prod API testing tuned to your APIs and remediation insights learned in runtime


Salt API Protection Platform

The OWASP API Top 10 – a starting point

Understanding that attacks themselves are different when APIs are the target is an important starting point for learning how to defend against them. The game has changed – these attacks are rooted in finding business logic flaws, and most solutions aren't up to the task.


How the Salt Security platform works
