95% of Companies Faced API Security Problems in the Last Year: Salt Security Study

A recent Salt Security study has highlighted the API problems companies face due to rapid innovation, especially when it comes to unprecedented growth in their usage. Check out the key findings from the study.

June 19, 2024

  • One key finding is that more companies are facing API security incidents and attack traffic.

While rapid innovation benefits organizations in several ways, it also poses challenges in certain areas. A recent Salt Security study has highlighted the API problems companies face due to rapid innovation, especially when it comes to unprecedented growth in API usage.

Salt Security analyzed responses from about 250 IT and security professionals, combined them with anonymized empirical data from its customers, and released its Salt Labs State of API Security Report 2024. A key finding is that companies lack API security maturity and posture governance, which has led to increased API security incidents and attack traffic.

The following are a few more insights from the study.

Companies Face API Security Challenges

According to the study, a whopping 95% of respondents experienced security problems in production APIs, and about 23% suffered from breaches due to API security inadequacies. The volume of APIs within companies is also huge. Salt customer data showed a 167% increase in API counts within the last year, and about 66% of respondents reported managing over 100 APIs. The increased API usage leads to an expanded attack surface, which, in turn, leads to increased malicious activity.

The number of companies experiencing an attack more than doubled in a year, rising from 17% last year to 37% this year. Threat actors are employing various methods to attack APIs, with 61% of attacks bypassing authentication altogether. Even internal APIs are prone to attacks, with 13% of incidents specifically targeting them. Despite this, only 58% of companies have processes to discover APIs across their infrastructure.

The study further found that Zombie APIs, forgotten and outdated parts of software systems, are also a major concern for companies. About 70% of respondents rated them a high concern, up from 54% last year. This exceeds traditional security threats like denial-of-service (DoS) attacks and account takeover, making Zombie APIs a top security concern.

Lack of API Security Maturity Exists

The report also highlighted the lack of API security maturity across companies. Only 7.5% of respondents considered their API security programs “advanced.” About 37% of respondents with APIs running in production don’t have an active API security strategy. Despite this, 46% said API security was a C-level discussion in their company.

Additionally, the research found that API posture governance strategies are a relatively new phenomenon, with only 10% of companies having them. These strategies provide a structured framework for securing and managing the entire API ecosystem. More companies are realizing their importance, and 47% plan to implement such strategies within the next year.


Rapid API Updates Outpace Traditional Documentation

The study found that rapid API updates are outpacing traditional documentation methods. About 38% of organizations update APIs weekly, while 13% do it daily, making accurate documentation a struggle. This rapid change, fuelled by AI-generated APIs, left 88% of organizations unsure of their API inventory, leading to increased concerns about the overall security posture. Despite this, traditional safeguards are not up to the mark.

Key Takeaways

The study found that reliance on APIs is growing as they become more crucial to a company’s success. However, they are getting harder to protect, as many companies lack proper API security measures. Further, traditional processes and tools can’t keep up with new attack trends.

Companies should move away from traditional security practices toward modern strategies that address security at every stage of the API lifecycle and provide a broad range of protection.

Here are a few recommendations for companies.

  • Define a robust API security strategy
  • Assess your current level of risk
  • Enable frictionless API security across all your application environments
  • Focus on robust runtime security
  • Shift left with API posture governance for comprehensive security

By ensuring APIs are developed with security in mind from the beginning, companies can significantly reduce the attack surface and the risk of attacks.


Karthik Kashyap
Karthik comes from a diverse educational and work background. With an engineering degree and a Masters in Supply Chain and Operations Management from Nottingham University, United Kingdom, he has close to 15 years of experience across different industries, a significant part of it as a content marketing professional. Currently, as an assistant editor at Spiceworks Ziff Davis, he covers a broad range of topics across HR Tech and Martech, from talent acquisition to workforce management and from marketing strategy to innovation. Besides being a content professional, Karthik is an avid blogger, traveler, history buff, and fitness enthusiast.