Salt Security released the Salt Labs State of API Security Report, Q3 2021. The latest edition, compiled six months after the company's inaugural report, reveals significant challenges in addressing API security: every Salt customer experienced API attacks, security topped the list of API program concerns, and very few respondents felt confident they can identify and stop API attacks. In the past six months, Salt customer data shows overall API traffic increased 141%; in the same period, API attack traffic grew 348%. The report findings illustrate the security consequences of the rapid growth in API use driven by digital transformation and IT modernization projects.
"APIs and the valuable data they access are linchpins of
today's data- and application-centric economy. Yet APIs remain one of the most
vulnerable elements of any organization's application or software stack," said
Roey Eliyahu, co-founder and CEO, Salt Security. "Anecdotally, we know we find
critical security vulnerabilities in the APIs of 90% of the prospects we
support. This report quantifies those anecdotal findings, highlighting the API
security risks companies are living with every day. As API adoption and traffic
have accelerated, so have the security risks. APIs are meant to enable
innovation, not stifle it, as we're seeing in this report."
Organizations rely on APIs for a broad range of
business-critical initiatives. This latest edition of the State of API Security
Report found that 61% of survey respondents use APIs for platform or system
integrations, 52% use them to drive digital transformation, and 47% use them to
standardize or improve the efficiency of application and software development.
These critical initiatives are suffering set-backs, however, with 64% of
respondents delaying application rollouts as a result of API security concerns.
"APIs can be the weakest link in an organization's
application security chain, especially since traditional tooling such as WAFs
and API gateways can't protect against the API attacks frequently carried out
today," said Michael Isbitski, Technical Evangelist, Salt Security. "Several
factors - including growing API usage, faster application and software
development cycles, and increased hacker targeting - contribute to increasing
risk for API-first organizations."
Security remains the leading concern in API programs
Among the potential concerns respondents might have about their API programs, from impact on application delivery to documentation to pre-production security to testing, security topped the list. Worries over a lack of pre-production security were the leading response (26%), followed closely by concerns that the program does not adequately address runtime security (20%). The next area of concern came considerably lower on the list: not driving enough observability and control (14%).
Viewing API security as a "shift left" problem is failing
"Developers write APIs, so they should be responsible for securing APIs." This perspective actually increases organizational risk. More than half of survey respondents put responsibility for API security on the API team, developers, and DevOps teams; at the same time, 94% of respondents have experienced an API security incident in the past 12 months. No one writes perfect code, and most business logic flaws only become visible when the API is observed in action at runtime. Remediation insights that help developers improve APIs are crucial, but they are not the full answer.
WAFs and API Gateways continue to miss API attackers
Nearly half of respondents are trying to identify API
attackers via their WAF or API gateway, and 12% admit they have no way to
identify an API attacker. Every Salt customer has a WAF, and every Salt
customer suffers multiple API attacks every month. API attacks are different
from application attacks, following no preset pattern and not triggering alerts
from any traditional tooling because any single API transaction in an attack
typically looks legitimate. IT teams need context that WAFs and API gateways
lack to identify and stop API attackers.
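The paragraph above argues that a per-request check cannot see an API attack because each request in isolation is well-formed, while a check that keeps context per caller can. The following is an added example to illustrate that contrast; it is not code from Salt Security or from the report. It assumes a hypothetical REST endpoint `GET /api/v1/users/{id}/profile`, a per-caller API token in the log, and a small, hypothetical signature list standing in for WAF rules. The traffic below is constructed for the example.

```python
"""Stateless per-request inspection vs. per-caller context over API traffic.

Added example, not code from Salt Security or the report. The endpoint, the
token field, the signature list and the thresholds are assumptions; the
traffic records are constructed, not real logs.
"""
import re
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_s, api_token, method, path, status).
# tokenA and tokenB behave like ordinary users; tokenC reads one other user's
# profile after another. Every one of tokenC's requests is individually valid.
SAMPLE_TRAFFIC = [
    (0, "tokenA", "GET", "/api/v1/users/1042/profile", 200),
    (1, "tokenB", "GET", "/api/v1/users/7781/profile", 200),
    (2, "tokenC", "GET", "/api/v1/users/1043/profile", 200),
    (3, "tokenC", "GET", "/api/v1/users/1044/profile", 200),
    (4, "tokenA", "PUT", "/api/v1/users/1042/profile", 200),
    (5, "tokenC", "GET", "/api/v1/users/1045/profile", 200),
    (6, "tokenC", "GET", "/api/v1/users/1046/profile", 200),
    (7, "tokenC", "GET", "/api/v1/users/1047/profile", 200),
    (8, "tokenC", "GET", "/api/v1/users/1048/profile", 200),
    (9, "tokenB", "GET", "/api/v1/users/7781/profile?q=<script>alert(1)</script>", 400),
]

# Hypothetical signature rules of the kind a WAF matches per request.
WAF_SIGNATURES = [
    re.compile(r"<script", re.IGNORECASE),          # reflected XSS probe
    re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),  # classic SQLi probe
    re.compile(r"\.\./"),                           # path traversal
]

# Assumed endpoint shape; the captured group is the object ID being accessed.
PROFILE_PATH = re.compile(r"^/api/v1/users/(\d+)/profile$")


def waf_flags(traffic):
    """Stateless check: judge each request on its own, like a signature rule.

    Only a request whose path carries a known payload pattern is flagged.
    Returns the timestamps of flagged requests. tokenC's enumeration produces
    no hit because none of its requests contains a malicious string.
    """
    return [ts for ts, _token, _method, path, _status in traffic
            if any(sig.search(path) for sig in WAF_SIGNATURES)]


def context_flags(traffic, window_s=60, max_distinct_ids=5):
    """Stateful check: track, per caller token, which object IDs were read.

    Keeps a sliding window of (timestamp, object_id) pairs per token for the
    profile endpoint. If a single token reads more than `max_distinct_ids`
    different users' profiles inside `window_s` seconds, report the token and
    the timestamp at which it crossed the threshold. Thresholds are assumed
    values for the example, not figures from the report.
    """
    recent = defaultdict(deque)   # token -> deque of (ts, object_id)
    flagged = {}
    for ts, token, method, path, _status in traffic:
        match = PROFILE_PATH.match(path.split("?", 1)[0])
        if not match or method != "GET" or token in flagged:
            continue
        window = recent[token]
        window.append((ts, match.group(1)))
        while window and window[0][0] < ts - window_s:   # drop stale entries
            window.popleft()
        if len({oid for _, oid in window}) > max_distinct_ids:
            flagged[token] = ts
    return flagged


if __name__ == "__main__":
    print("per-request signature hits at t =", waf_flags(SAMPLE_TRAFFIC))
    print("per-caller enumeration flags:", context_flags(SAMPLE_TRAFFIC))
```

Running the block shows the signature check catching only the obvious `<script>` probe at t=9, while the per-caller check reports tokenC at t=8, the point at which it has read six distinct profiles in one window. The distinct-ID threshold is deliberately simple; a production detector would also consider response sizes, error ratios and whether the IDs belong to the caller, but the structural point is the same: the signal lives in the sequence, not in any single request.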
62% of organizations have no or just a basic strategy in
place for API security
Every organization in this latest survey has dozens of APIs
in production, but only 38% have more than a basic security strategy for their
API program. More than a quarter have no strategy at all. What's keeping these
organizations from crafting a robust plan? A lack of resources/people (30%) and
budget constraints (24%) are the top limiting factors.
Additional findings from the State of API Security Report:
- 40% of respondents cite
the risk of "Zombie APIs" as their top concern, nearly triple the number
who cite account takeover as the top concern.
- 85% of respondents have
some doubt about the completeness of their API inventory.
- 55% of respondents cite runtime protection as the top priority for API security and the most highly valued attribute of an API security platform.
- 85% of respondents lack
confidence that they know which APIs expose sensitive data.
API Security Practices Are Evolving - For the Better
Findings from the report also highlight that approaches to
API security are changing as collaboration between security and DevOps teams
increases. One-third of respondents cited security as a primary reason for
partnering with their peers, and only 9% saw no change in how security teams
are conducting their work around API security requirements.
When survey respondents were asked how API security is changing the way security professionals do their jobs, responses were evenly split: 34% agreed that security must collaborate more with DevOps teams, and 34% noted that security engineers are being embedded within DevOps teams.