According to the Salt Labs State of API Security Report, Q1 2023, released by Salt Security, attackers have upped their activity, with Salt customer data showing a 400% increase in unique attackers in the last six months. In addition, about 80% of attacks happened over authenticated APIs. Not surprisingly, nearly half (48%) of respondents now state that API security has become a C-level discussion within their organization.
The report also revealed that 94% of survey respondents experienced security problems in production APIs in the past year, with 17% stating their organizations suffered a data breach as a result of security gaps in APIs. The findings from Salt Labs highlight why 2023 has been dubbed the “Year of API Security.”
API security has emerged as a significant business issue, not just a security problem.
API security has become a critical business issue for survey respondents’ organizations, as indicated by application rollout delays, heightened awareness of API security breaches, and a lack of confidence in existing API security approaches. Specifically:
- More than half of respondents (59%) report they have had to slow the rollout of new applications because of API security concerns.
- Just 23% of respondents believe their existing security approaches are very effective at preventing API attacks.
- 48% of survey respondents say that API security has become a C-level discussion over the past year. That percentage runs even higher within heavily regulated industries, such as Technology (59%), Financial Services (56%), and Energy/utilities (55%).
The top two most valued API security capabilities are to stop attacks and identify PII exposure. The ability to implement shift-left practices rated the lowest. Survey respondents cited the following as the most “highly important” API security capabilities:
- 44% cited the ability to stop attacks.
- 44% cited the ability to identify which APIs expose PII or sensitive data.
- 38% cited meeting compliance or regulatory requirements.
- 22% cited the ability to implement shift-left API security practices.
Salt customer data shows that API attacks are on the rise and bad actors are targeting internal and authenticated APIs.
When asked about the most concerning API security risks:
- 54% of respondents said outdated or “zombie” APIs are a high concern, up from 42% last quarter. (Zombie, or outdated, APIs have been the #1 concern in the past five Salt surveys, likely the result of increasingly fast-paced development as organizations seek to maximize the business value associated with APIs.)
- 43% stated account takeover (ATO) as a high concern.
- Only 20% cited shadow APIs as a top concern. Given the difficulty of keeping API documentation complete, most environments are likely running undocumented APIs, so the risk in this area is probably higher than many respondents realize.
The survey found that the vast majority of organizations still lack mature API security programs:
- Only 12% of respondents consider their API security programs advanced, meaning they include dedicated API testing and runtime protection, up from 10% in Q3 2022.
- 30% of respondents have no current API security strategy, despite all respondents having production APIs in place. Of those, 25% say they’re in planning stages, while 5% say API security plans are non-existent.