Salt Security unveiled the findings from the Salt Labs State of API Security Report, 2024. The research, which analyzed survey responses from nearly 250 IT and security professionals combined with anonymized empirical data from Salt customers, highlights a lack of API security maturity and posture governance across organizations, and a corresponding rise in API security incidents and attack traffic.
The research found that almost all (95%) survey respondents experienced security problems in production APIs, and 23% suffered breaches as a result of API security inadequacies. The volume of APIs within organizations is also accelerating: Salt customer data shows a 167% increase in API counts over the past 12 months, and nearly two-thirds (66%) of survey respondents indicate that they are managing more than 100 APIs. Increased API usage expands the API attack surface, and malicious activity is rising with it.
The 2024 report also highlights the ongoing lack of API security maturity. Only 7.5% of organizations consider their API security programs to be 'advanced', and, alarmingly, over one-third (37%) of respondents who have APIs running in production do not have an active API security strategy in place. Despite this, nearly half (46%) of respondents stated that API security is a C-level discussion within their organization.
According to the research, API posture governance strategies, which provide a structured framework for managing and securing the entire API ecosystem from design to deployment, also remain a relatively new phenomenon. Only 10% of organizations currently have an API posture governance strategy in place. However, recognizing its importance, almost half (47%) plan to implement such a strategy within the next 12 months. By implementing a robust API posture governance engine, organizations can gain complete visibility into their API landscape, eliminate blind spots, and establish corporate-wide security standards across their entire API ecosystem.
"The volume of APIs within organizations is showing no sign of decline, and security teams are struggling to keep pace with the sheer breadth and depth of modern API ecosystems," said Roey Eliyahu, co-founder and CEO, Salt Security. "As illustrated by the findings of our research, attackers are continuing to take advantage of this, leveraging weak spots within APIs to execute malicious attacks and gain access to company and customer data. With bad actors constantly refining their tactics to discreetly launch API attacks, often through legitimate means, it requires organizations to take a more sophisticated approach to securing APIs. One that encompasses strong API discovery capabilities, a posture governance strategy, and the ability to quickly and efficiently detect active threats and malicious API traffic."
Additional key findings from the 2024 State of API Security Report include:
The threat of API attacks is growing
The research revealed that API security incidents are on the rise.
- API security incidents more than doubled within the past 12 months, with 37% of respondents experiencing an incident, compared to just 17% in 2023.
- Salt Labs analysis of customer data found that attackers are using a diverse range of tactics, with a significant portion of attack traffic arriving without any credentials at all: 61% of attacks were unauthenticated.
- Internal APIs are also targeted, with 13% of attack attempts explicitly aimed at them.
Zombie APIs remain a top concern amongst respondents
Respondents expressed high levels of concern about the potential risks associated with "Zombie" APIs, the outdated, forgotten APIs that remain reachable within an ecosystem.
- An alarming 70% highlight Zombie APIs as a great or strong concern, up from 54% in 2023.
- Account takeover and denial of service ranked as the second and third concerns, respectively.
API discovery remains a challenge
API discovery was highlighted as an ongoing hurdle for many organizations.
- Only 58% of organizations have processes in place to discover APIs across their infrastructure.
- Less than 15% of respondents are very confident that they understand which APIs expose personally identifiable information (PII).
Traditional methods are insufficient for protecting against modern attacks
- Only 21% of respondents believe that their current API security approaches are effective in protecting against API attacks, signaling issues with existing methods.
- API gateways (54%), log file analysis (45%) and web application firewalls (WAFs) (42%) are the most common tools organizations use to detect and prevent malicious API activity, yet respondents rate them as insufficient and express low confidence in them.
API updates take place more frequently and organizations struggle to keep pace with documentation
The rapid change of APIs, combined with the increasing use of AI-generated APIs, has outpaced traditional documentation methods.
- Over a third of organizations (38%) update their APIs at least once a week, and a significant portion (13%) make daily updates.
- Only 12% of respondents feel very confident in the accuracy of their API inventory, highlighting a widespread lack of trust in the inventories on which security posture depends.
Attackers are following the OWASP API Security Top 10
A large percentage of API attacks target the well-known security weaknesses outlined in the OWASP API Security Top 10 list.
- 80% of attack attempts leverage one or more of the Top 10 categories on the list.
- Despite this established knowledge base, only 58% of organizations prioritize protection against the API threats outlined by OWASP.
The State of API Security Report, 2024, was compiled by researchers from Salt Labs, the research division of Salt Security, utilizing survey data from nearly 250 respondents across a range of job responsibilities, industries, and company sizes, globally. 20% of respondents were executive-level security or IT leaders, and another 18% were in platform or DevOps teams. Technology and financial services companies, widely viewed as being at the forefront of API usage, comprised 37% of respondents. Companies large and small were evenly represented. The report also includes real-world API attack attempt data from the Salt Security API Protection Platform. This customer data is anonymized, aggregated, and then analyzed by Salt's researchers to identify critical trends that can help educate the broader security industry.