Monday, July 1, 2024

Security problems driven by increased API usage


A new study reveals that 95 percent of respondents have experienced security problems in production APIs, with 23 percent suffering breaches as a result of API security inadequacies.

API security incidents have more than doubled within the past 12 months, with 37 percent of respondents experiencing an incident, compared to just 17 percent in 2023.

The report from Salt Security shows the volume of APIs within organizations is also accelerating, with Salt customer data showing a 167 percent increase in API counts over the past 12 months and 66 percent of survey respondents saying that they are managing more than 100.

Only 7.5 percent of organizations consider their API security programs to be ‘advanced’. Alarmingly, 37 percent of the respondents, who have APIs running in production, do not have an active API security strategy in place. Despite this, 46 percent of respondents state that API security is a C-level discussion within their organization.

Just 10 percent of organizations currently have an API posture governance strategy in place. However, realizing its critical importance, almost half (47 percent) plan to implement such a strategy within the next 12 months.

“The volume of APIs within organizations is showing no sign of decline, and security teams are struggling to keep pace with the sheer breadth and depth of modern API ecosystems,” says Roey Eliyahu, co-founder and CEO of Salt Security. “As illustrated by the findings of our research, attackers are continuing to take advantage of this, leveraging weak spots within APIs to execute malicious attacks and gain access to company and customer data. With bad actors constantly refining their tactics to discreetly launch API attacks, often through legitimate means, it requires organizations to take a more sophisticated approach to securing APIs. One that encompasses strong API discovery capabilities, a posture governance strategy, and the ability to quickly and efficiently detect active threats and malicious API traffic.”

Respondents express high levels of concern about the potential risks associated with ‘zombie’ APIs — the outdated, forgotten APIs within ecosystems. 70 percent highlight zombie APIs as a great or strong concern, up from 54 percent in 2023. Account takeover and denial of service are the second and third greatest concerns.

Speed of updates is an issue too: over a third of organizations (38 percent) say they update their APIs at least once a week, and a significant portion (13 percent) make daily updates. Only 12 percent of respondents feel very confident in the accuracy of their API inventory, highlighting a widespread lack of trust in security posture.

The full State of API Security Report 2024 is available from the Salt site.

Image credit: Alexandersikov / Dreamstime.com
