The majority of organizations have experienced an API security incident in the past 12 months, with the pace of growth in API usage and attacks continuing to outpace enterprise readiness. According to the Salt Labs State of API Security Report, Q1 2022, these organizations, all of which are running production APIs, remain unprepared for API attacks, with 34% of respondents lacking any kind of API security strategy.
This lack of defense presents significant business risk to enterprises in the form of slowed business innovation, compromised consumer confidence, and disruption to modernization efforts.
The State of API Security Report pulls from a combination of survey responses and empirical data from the Salt SaaS cloud platform. Attempted attacks against Salt customers, blocked by our platform, grew steeply – malicious API traffic increased 681% compared to a 321% increase in overall API traffic. Understandably, 62% of survey respondents acknowledged slowing down the rollout of a new application because of API security concerns.
With nearly every survey respondent (95%) identifying an API security incident in their production APIs, the need to devise a robust API security strategy is urgent. Salt customers also experienced increasing frequency in attacks, with 12% enduring an average of more than 500 attacks every month.
The report added that highly publicized security incidents and pleas from security professionals to implement API security protections have not been enough to drive the majority of organizations to adopt effective API security strategies. Among survey respondents, 34% have no strategy in place, and slightly more than a quarter (27%) have just a basic strategy. Only 11% have an advanced strategy that includes dedicated API testing and protection.
Findings also support the notion that budget and skills gaps play a role in this lack of preparedness. Lack of expertise or resources (35%) and budget constraints (20%) are the top obstacles to implementing an optimal API security strategy.
“APIs present an attractive attack vector, despite organizations’ best efforts to validate APIs before releasing them into production,” said Michael Isbitski, Technical Evangelist, Salt Security. “Given the inability of traditional security and API management platforms to protect against sophisticated attacks that target the unique business logic of APIs, it’s no surprise that attackers continue to be successful, keeping enterprises at risk.”