Salt Security has released the Salt Labs State of API Security Report, Q1 2022. In its latest version, the bi-annual report found that 95% of surveyed organisations have experienced an API security incident in the past 12 months. Despite the dramatic increase in attacks and incidents, these organisations, all of whom are running production APIs, remain unprepared for API attacks, with 34% of respondents lacking any kind of API security strategy. This lack of defence presents significant business risk to enterprises in the form of slowed business innovation, compromised consumer confidence, and disruption to modernisation efforts.
The State of API Security Report pulls from a combination of survey responses and empirical data from the Salt SaaS cloud platform. Attempted attacks against Salt customers, blocked by our platform, grew steeply – malicious API traffic increased 681% compared to a 321% increase in overall API traffic. Understandably, 62% of survey respondents acknowledged slowing down the rollout of a new application because of API security concerns.
“To thrive today, every company must be a software company, and APIs reside at the heart of their application innovation. Digital businesses have emerged as the leaders of our modern economy, and at the same time, they’ve become the leading targets for bad actors,” said Roey Eliyahu, co-founder and CEO, Salt Security. “We’re seeing API attacks accelerating significantly year over year. Even more concerning, the pace of growth in API usage and attacks continues to outpace enterprise readiness and defences. Organisations must invest the time and effort to understand the API attack landscape and the critical capabilities needed to protect their most vital assets.”
With nearly every survey respondent (95%) identifying an API security incident in their production APIs, the need to devise a robust API security strategy is urgent. Salt customers also experienced increasing frequency in attacks, with 12% enduring an average of more than 500 attacks every month.
“APIs present an attractive attack vector, despite organizations’ best efforts to validate APIs before releasing them into production,” said Michael Isbitski, Technical Evangelist, Salt Security. “Given the inability of traditional security and API management platforms to protect against sophisticated attacks that target the unique business logic of APIs, it’s no surprise that attackers continue to be successful, keeping enterprises at risk.”
Security concerns top the list of worries about API strategies, at 40%
Survey respondents have a variety of concerns about their companies’ API programmes, with 40% citing security as their leading worry. Insufficient investment in pre-production security takes the top spot, at 22%, and another 18% of respondents are concerned that the programme doesn’t adequately address runtime or production security. Insufficient investment in fleshing out requirements and documentation is the leading concern for 19% of respondents.
Most enterprises are unprepared for an API attack
Highly publicised security incidents and pleas from security professionals to implement API security protections have not been enough to drive the majority of organisations to adopt effective API security strategies. Among survey respondents, 34% have no strategy in place, and slightly more than a quarter (27%) have just a basic strategy. Only 11% have an advanced strategy that includes dedicated API testing and protection.
Findings also support the notion that budget and skills gaps play a role in this lack of preparedness. Lack of expertise or resources (35%) and budget constraints (20%) are the top obstacles for implementing an optimal API security strategy.
An overreliance on “shift left” practices continues to fail the enterprise
With runtime protection being fundamental to effective API protection and 95% of respondents having experienced an API security incident within the last year, “shift left” tactics for API security are proving inadequate. This issue is magnified as IT teams continue to be divided over “ownership” of API security. More than half of survey respondents say the primary responsibility sits with developers, DevOps, or DevSecOps. Only 31% of respondents put the responsibility of API security onto AppSec or InfoSec teams.
WAFs and API Gateways continue to miss API attacks
Reliance on traditional security and API management tools, such as web application firewalls (WAFs) and API gateways, has left many organisations with a false sense of security. With 95% of respondents having experienced an API security incident in the last year, the fact that 55% are relying on alerts from gateways and 37% are using WAFs to identify attackers shows the gap in capabilities. Reliance on log file analysis (45%) for API security is similarly ineffective – by the time log files are parsed through, attackers are long gone with the valuable data and payloads they sought.
Stopping API attacks remains top criterion for an API security platform
For the third time in a row, more respondents (42%) cited stopping API attacks as the most important capability they seek in an API security platform. Identifying which APIs expose personal identifiable information (PII) and sensitive data follows as a close second (41%). The ability to harden APIs over time came in third (38%), and meeting compliance or regulatory requirements came in fourth (36%).
Additional findings from the State of API Security Report:
- The risk of “zombie” or outdated APIs tops the list of API security concerns, with 43% of respondents citing it as their top worry. Account takeover came in second, with 22% focused on that risk as their biggest concern.
- API changes are on the rise – 9% of respondents update their APIs every day, 31% do so weekly, and 24% update less often than every month.
- 94% of exploits within the Salt customer base happen against authenticated APIs.
- 86% of respondents lack the confidence that they know which APIs expose sensitive data.
- 85% of respondents noted that their current tools are ineffective in stopping API attacks.
- 83% of respondents lack full confidence in their API inventory.
API security is improving how security teams work
Although organisations are highly disparate in their perspective on who should bear responsibility for API security, collaboration and shared input between Security and DevOps teams are rising. More than a third of respondents (34%) say that security teams collaborate more with DevOps as a result of addressing API security, and another 30% state that DevOps seeks input from security teams to shape API guidelines. Another 25% of organisations are embedding security engineers within DevOps teams in response to the challenge. The survey also found that more security teams are highlighting the OWASP API Top 10 list of threats – 61% in this report vs. 50% six months ago, a positive change for improving API security practices across an organisation.
The State of API Security Report, Q1 2022 was compiled by researchers from Salt Labs, the research division of Salt Security, utilising survey data from more than 250 security, application and DevOps executives and professionals in addition to anonymised and aggregated empirical data from Salt Security customers obtained through the Salt Security API Protection Platform.
As part of its ongoing commitment to education, Salt Security will host the industry’s first API Security Summit on March 3, 2022, to equip the community to better address growing API security challenges.
To register, click here. To learn more about Salt Security or to request a demo, please visit https://content.salt.security/demo.html.