Highlights –

  • The number of API attack attempts increased from an average of 12.22M malicious calls per month one year ago to an average of 26.46M calls this past June, with malicious API traffic making up 2.1% of the total traffic.
  • API updates are becoming more frequent: 11% of respondents update their APIs daily, 31% do it weekly, and 24% less frequently than monthly.

Salt Security, an API security vendor, announced the release of the Salt Labs State of API Security Report, Q3 2022. The latest edition of the semi-annual report found that 94% of survey participants had experienced security problems with production APIs in the previous year, and 20% reported that their firms had suffered a data breach because of security flaws in APIs. The research also found that API attack traffic doubled over the past 12 months. Taken together, the findings indicate that API security approaches centered on shift-left practices, along with the tooling currently in use, are not protecting APIs adequately.

Empirical data from the Salt Security Cloud Service and survey responses were combined to create the State of API Security Report. According to the Q3 2022 report, Salt customers saw a 117% rise in API attack traffic, while their overall API traffic increased by 168%, emphasizing the ongoing expansion in enterprise API usage. The number of API attack attempts increased from an average of 12.22M malicious calls per month one year ago to an average of 26.46M calls this past June, with malicious API traffic making up 2.1% of the total traffic. Around 44% of Salt customers experienced an average of 11 to 100 attack attempts per month, while 34% experienced more than 100, and 8% experienced more than 1,000.

Roey Eliyahu, Co-founder and CEO of Salt Security, said, “The backbone of our modern economy, digitalization has made organizations increasingly reliant on APIs to deliver new services and better compete. This focus on digital innovation, however, has also put a target on these organizations, as this research makes clear. With API attacks accelerating year over year, it’s no wonder our survey shows security as the top concern about API strategies. The report findings also show the need for a more robust API security strategy – starting with development but especially focused on runtime – to better protect this expanding attack surface and companies’ most valuable assets.”

Since 61% of survey participants currently manage over 100 APIs, creating a robust API security policy is essential. Companies have zero tolerance for deployment delays or rollbacks since major enterprise projects are intimately related to API usage. However, more than 50% of survey participants said they have put off launching new applications due to API security worries.

The most important API security capability cited was the ability to prevent attacks, and the lowest rated was applying shift-left practices

When asked which of six attributes of an API security platform are “highly important,” respondents ranked the ability to stop attacks first, with 41% citing it. The ability to identify which APIs expose PII or other sensitive data came second, with about 40% of respondents rating it highly important. Third was meeting compliance or regulatory requirements, cited by 39% of respondents. Only 22% of respondents rated the ability to apply shift-left practices as highly important, placing it at the bottom of the list.

Over-reliance on “shift left” practices may be failing enterprises

Shift-left tactics on their own leave organizations and their APIs exposed. With 94% of respondents reporting API security incidents, the survey points to a need for stronger runtime protection. Further, 53% of respondents said they address API security gaps during development, and 59% said they look for API issues during testing, but only 30% of respondents in this latest survey say they identify and remediate API security flaws at runtime. Runtime protection is what defends APIs that are already running in production, and organizations need that capability to protect their environments fully.

Security concerns delay new application rollouts for many

More than half of those polled (54%) said they had delayed the rollout of a new application because of API security concerns. Leaks of sensitive PII are frequently caused by poor API design and weak security practices, and the survey results bear this out: nearly a third of respondents said they had experienced sensitive data exposure or a privacy incident in their production APIs over the past year, a significant increase from 19% last year. About 19% of the APIs in the Salt customer base expose some PII or sensitive data; businesses therefore need to understand how and where such data is returned so they can apply extra protection to those APIs.
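Knowing which endpoints return PII is the capability respondents ranked second above. The following added example (written for this page, not Salt Security's code, and using constructed sample responses rather than real traffic) shows the simplest form of that discovery: walk captured JSON response bodies field by field, classify scalar values as email, SSN, phone or payment-card number (with a Luhn check so that arbitrary digit strings are not flagged as cards), and build an inventory of which endpoint exposes which field. The endpoint paths and response bodies are hypothetical.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed sample of (method, path template, JSON body) captured from a
# hypothetical test environment. None of this is real data.
SAMPLE_RESPONSES = [
    ("GET", "/api/v1/users/{id}", json.dumps({
        "id": 1042, "name": "Alice Example",
        "email": "alice@example.com",
        "profile": {"phone": "+1-555-010-0199", "ssn": "123-45-6789"},
    })),
    ("GET", "/api/v1/orders/{id}", json.dumps({
        "id": 77, "total": 19.99,
        "payment": {"card": "4111 1111 1111 1111", "last4": "1111"},
    })),
    ("GET", "/api/v1/health", json.dumps({"status": "ok", "uptime": 12345})),
]

_EMAIL = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
_SSN = re.compile(r"^\d{3}-\d{2}-\d{4}$")
_CARD_SHAPE = re.compile(r"^[\d\s-]+$")          # digits with optional spaces/dashes
_PHONE_SHAPE = re.compile(r"^\+?[\d\s().-]+$")   # digits plus usual phone punctuation


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a string of ASCII digits (card-number sanity check)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: Any) -> Optional[str]:
    """Return the PII category a scalar value looks like, or None.

    Checks run from most specific to least specific so that an SSN or a
    card number is not also reported as a phone number.
    """
    if not isinstance(value, str):
        return None
    digits = re.sub(r"\D", "", value)
    if _EMAIL.match(value):
        return "email"
    if _SSN.match(value):
        return "ssn"
    if _CARD_SHAPE.match(value) and 13 <= len(digits) <= 19 and luhn_valid(digits):
        return "card_number"
    if _PHONE_SHAPE.match(value) and 10 <= len(digits) <= 15:
        return "phone"
    return None


def walk(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted path, scalar) for every leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk(val, f"{path}[{idx}]")
    else:
        yield path, obj


def find_pii(body: str) -> List[Tuple[str, str]]:
    """List (field path, category) for every PII-looking leaf in a JSON body."""
    return [(p, kind) for p, v in walk(json.loads(body)) if (kind := classify_value(v))]


def inventory(responses) -> Dict[str, Dict[str, str]]:
    """Map 'METHOD /path' -> {field path: PII category} for endpoints exposing PII."""
    result: Dict[str, Dict[str, str]] = {}
    for method, path, body in responses:
        hits = find_pii(body)
        if hits:
            result[f"{method} {path}"] = dict(hits)
    return result


if __name__ == "__main__":
    for endpoint, fields in inventory(SAMPLE_RESPONSES).items():
        print(endpoint)
        for field, kind in fields.items():
            print(f"  {field}: {kind}")
```

The output of such an inventory is what lets a team attach stricter authorization, logging and rate limits to the 19% of endpoints that actually carry sensitive data rather than to every API equally. Pattern matching on values is a heuristic; in practice it is paired with schema annotations and sampling of real responses, and the regexes above will need tuning for other locales.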

“Zombie” APIs remain the top API security concern

The two most-cited problems with respondents’ API strategies were insufficient investment in pre-production security (20%) and insufficient attention to runtime security (18%). When asked which security threats worried them most, 42% named outdated or “zombie” APIs. Zombie APIs have been the top concern in each of the last four Salt surveys, most likely a by-product of the rapid development pace as businesses try to get the most out of APIs. Unintentional exposure of sensitive data and account takeover tied for second at 15% each, followed by concern about “shadow” or unknown APIs, which rose from 5% to 11% over the previous six months.
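Zombie and shadow APIs are both inventory problems: a deprecated endpoint that still answers requests, and an endpoint that serves traffic without ever appearing in the documented inventory. The added example below (written for this page, not Salt Security's code) reconciles a hypothetical OpenAPI-style inventory against constructed access-log lines. It converts each documented path template such as `/api/v1/users/{id}` into a matcher, attributes every logged request to a documented endpoint or flags it as shadow, reports deprecated endpoints that still receive traffic as zombies, and lists documented endpoints with no traffic at all as retirement candidates. The spec, endpoint names and log lines are all hypothetical.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Pattern, Tuple

# Hypothetical inventory in the shape an OpenAPI document would give after
# flattening paths and methods. Constructed for this example.
SPEC = {
    "GET /api/v1/users/{id}":      {"deprecated": False},
    "GET /api/v2/users/{id}":      {"deprecated": False},
    "GET /api/v1/orders/{id}":     {"deprecated": True},   # superseded by v2
    "POST /api/v2/orders":         {"deprecated": False},
    "DELETE /api/v2/orders/{id}":  {"deprecated": False},
}

# Constructed access-log lines (combined-log-like shape); not real traffic.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:00:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2022:10:00:02 +0000] "GET /api/v1/orders/77 HTTP/1.1" 200 311
10.0.0.9 - - [01/Jun/2022:10:00:03 +0000] "GET /api/v1/orders/78 HTTP/1.1" 200 309
10.0.0.9 - - [01/Jun/2022:10:00:04 +0000] "POST /api/v2/orders HTTP/1.1" 201 120
10.0.0.7 - - [01/Jun/2022:10:00:05 +0000] "GET /internal/debug/users/export HTTP/1.1" 200 90211
10.0.0.7 - - [01/Jun/2022:10:00:06 +0000] "GET /api/v2/users/1042?include=ssn HTTP/1.1" 200 640
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def template_to_regex(template: str) -> Pattern[str]:
    """Turn '/api/v1/users/{id}' into a regex matching one concrete path."""
    parts = []
    for segment in template.split("/"):
        if segment.startswith("{") and segment.endswith("}"):
            parts.append("[^/]+")          # one path parameter, any single segment
        else:
            parts.append(re.escape(segment))
    return re.compile("^" + "/".join(parts) + "$")


def build_matchers(spec: Dict[str, dict]) -> List[Tuple[str, str, Pattern[str]]]:
    """Precompile (spec key, method, path regex) for every documented endpoint."""
    matchers = []
    for key in spec:
        method, template = key.split(" ", 1)
        matchers.append((key, method, template_to_regex(template)))
    return matchers


def match_endpoint(method: str, raw_path: str,
                   matchers: List[Tuple[str, str, Pattern[str]]]) -> Optional[str]:
    """Return the spec key a request belongs to, ignoring the query string."""
    path = raw_path.split("?", 1)[0]
    for key, spec_method, regex in matchers:
        if spec_method == method and regex.match(path):
            return key
    return None


def reconcile(spec: Dict[str, dict], log_text: str) -> Dict[str, object]:
    """Classify observed traffic against the inventory.

    shadow:  'METHOD /path' seen in traffic but absent from the spec
    zombie:  deprecated endpoints that still receive requests
    unused:  documented endpoints with zero traffic in the window
    traffic: request counts per documented endpoint
    """
    matchers = build_matchers(spec)
    traffic: Counter = Counter()
    shadow: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                     # unparsable line; skip rather than guess
        key = match_endpoint(m["method"], m["path"], matchers)
        if key is None:
            shadow[f"{m['method']} {m['path'].split('?', 1)[0]}"] += 1
        else:
            traffic[key] += 1
    zombie = {k: traffic[k] for k, meta in spec.items()
              if meta.get("deprecated") and traffic[k] > 0}
    unused = sorted(k for k in spec if traffic[k] == 0)
    return {"shadow": dict(shadow), "zombie": zombie,
            "unused": unused, "traffic": dict(traffic)}


if __name__ == "__main__":
    report = reconcile(SPEC, ACCESS_LOG)
    for section in ("shadow", "zombie", "unused"):
        print(section, report[section])
```

Run against a real gateway log and a real OpenAPI export, the shadow list is the starting point for the "unknown APIs" concern, and the zombie list tells you which deprecated versions cannot yet be switched off without breaking a caller. Both lists depend on the spec being accurate: shadow detection cannot be better than the inventory it reconciles against, which is why the report's respondents treat inventory as a prerequisite rather than an afterthought.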

API gateways and WAFs are not catching API attacks

Respondents still rely mainly on conventional tools to manage APIs and defend against application-layer threats: 54% use API gateways and 44% use WAFs to detect attacks. That 94% of respondents nevertheless had an API security incident, and 82% do not believe their current tools are very effective at preventing API attacks, underlines the limits of these conventional technologies.

Multiple (solvable) issues are hindering robust API security strategies

A sizable majority of respondents (61%) acknowledged that they have no API security strategy or only a basic one, which is cause for concern given how heavily they rely on APIs for core business objectives. Although every respondent had APIs running in production, a strikingly small fraction (9%) said they had an advanced API strategy that includes dedicated API testing and protection. The main barriers to a solid API strategy were budget (24%), expertise (20%), resources (19%), and time (11%).

Implications for API security

The Q3 2022 survey results from the State of API Security Report are clear. Most respondents said their dependence on APIs is growing as APIs become more central to their organizations’ success, yet current security practices and tools are not keeping pace with new API protocols and attack patterns. API traffic and usage patterns across the Salt customer base support these findings. Rather than relying on outdated security practices and tools, organizations need a modern API security strategy that addresses security at every stage of the API lifecycle and provides a broad set of protections that encourage cooperation across teams.

Researchers at Salt Labs, the research arm of Salt Security, produced the State of API Security Report, Q3 2022, from survey data collected from more than 350 respondents across a range of job roles, industries, and company sizes. About half of those surveyed (49%) work in security, 19% are executive-level IT or security leaders, and another 21% are members of platform, DevOps, or product teams. Companies in the technology and financial services industries, known for being at the forefront of API adoption, account for 47% of respondents, and large and small businesses are represented in roughly equal numbers. The survey data is complemented by anonymized, aggregated empirical data from Salt Security customers collected through the Salt Security API Protection Platform.