Salt Security “State of API Security” Report Finds API Attack Traffic has Grown at Triple the Rate of Overall API Traffic
July 2021 by Salt Security
Salt Security released the Salt Labs State of API Security Report, Q3 2021. The latest edition, compiled six months after the company’s inaugural report, reveals significant challenges in addressing API security, with all Salt customers experiencing API attacks, security topping the list of API program concerns, and very few respondents feeling confident they can identify and stop API attacks. In the past six months, Salt customer data shows overall API traffic has increased 141% – in the same time period, API attack traffic grew a staggering 348%. The sobering report findings illustrate the security consequences of the rapid growth in API use driven by digital transformation and IT modernization projects.
“APIs and the valuable data they access are linchpins of today’s data- and application-centric economy. Yet APIs remain one of the most vulnerable elements of any organization’s application or software stack,” said Roey Eliyahu, co-founder and CEO, Salt Security. “Anecdotally, we know we find critical security vulnerabilities in the APIs of 90% of the prospects we support. This report quantifies those anecdotal findings, highlighting the API security risks companies are living with everyday. As API adoption and traffic has accelerated, so have the security risks. APIs are meant to enable innovation, not stifle it, as we’re seeing in this report.”
Organizations rely on APIs for a broad range of business-critical initiatives. This latest edition of the State of API Security Report found that 61% of survey respondents use APIs for platform or system integrations, 52% use them to drive digital transformation, and 47% use them to standardize or improve the efficiency of application and software development. These critical initiatives are suffering set-backs, however, with 64% of respondents delaying application rollouts as a result of API security concerns.
“APIs can be the weakest link in an organization’s application security chain, especially since traditional tooling such as WAFs and API gateways can’t protect against the API attacks frequently carried out today,” said Michael Isbitski, Technical Evangelist, Salt Security. “Several factors – including growing API usage, faster application and software development cycles, and increased hacker targeting – contribute to increasing risk for API-first organizations.”
Security remains the leading concern in API programs
Among the potential concerns respondents might have about their API programs – from impact on application delivery to documentation to pre-production security to testing – security topped the list. Worries over a lack of pre-production security was the leading response (26%), followed closely by concerns about the program not adequately addressing runtime security (20%). The next closest area of concern hit considerably lower on the list – not driving enough observability and control (14%).
Viewing API security as a “shift left” problem is failing
“Developers write APIs, so they should be responsible for securing APIs.” This perspective actually increases organizational risk. More than half of survey respondents put responsibility for API security on the API team, developers, and DevOps teams – at the same time, 94% of respondents have experienced an API security incident in the past 12 months. No one writes perfect code, and most need to see APIs in action in runtime to see business logic flaws. Remediation insights that help developers improve APIs are crucial but they’re not the full answer.
WAFs and API Gateways continue to miss API attackers
Nearly half of respondents are trying to identify API attackers via their WAF or API gateway, and 12% admit they have no way to identify an API attacker. Every Salt customer has a WAF, and every Salt customer suffers multiple API attacks every month. API attacks are different from application attacks, following no preset pattern and not triggering alerts from any traditional tooling because any single API transaction in an attack typically looks legitimate. IT teams need context that WAFs and API gateways lack to identify and stop API attackers.
62% of organizations have no or just a basic strategy in place for API security
Every organization in this latest survey has dozens of APIs in production, but only 38% have more than a basic security strategy for their API program. More than a quarter have no strategy at all. What’s keeping these organizations from crafting a robust plan? A lack of resources/people (30%) and budget constraints (24%) are the top limiting factors.
Additional findings from the State of API Security Report:
40% of respondents cite the risk of “Zombie APIs” as their top concern, nearly triple the number who cite account takeover as the top concern.
85% of respondents have some doubt about the completeness of their API inventory.
55% percent of respondents cite runtime protection as the top priority for API security and the most highly valued attribute of an API security platform.
85% of respondents lack confidence that they know which APIs expose sensitive data.
API Security Practices Are Evolving – For the Better
Findings from the report also highlight that approaches to API security are changing as collaboration between security and DevOps teams increases. One-third of respondents cited security as a primary reason for partnering with their peers, and only 9% saw no change in how security teams are conducting their work around API security requirements.
When survey respondents were asked about how API security is creating changes in how security professionals do their job, the majority was split with 34% agreeing that security must collaborate more with DevOps teams and 34% noting security engineers are getting embedded within DevOps teams.
The State of API Security Report, Q3 2021, was compiled by researchers from Salt Labs, the research division of Salt Security, utilizing survey data from more than 200 security, application and DevOps professionals as well as anonymized and aggregated empirical data from Salt Security customers obtained through the Salt Security API Protection Platform.