API security has emerged as a critical concern for organizations worldwide. As applications increasingly rely on APIs for functionality and integration, the risks associated with API vulnerabilities have grown exponentially. In this episode, Eric Schwake, Director of Cybersecurity Strategy at Salt Security, discusses the findings from the Salt Labs State of API Security Report, 2024. He highlights the growing need for comprehensive API security measures to address emerging threats such as AI-generated APIs and the gaps in current practices and solutions.
Here are the key takeaways from this video interview:
Salt Security’s latest State of API Security Report
- Schwake discusses Salt Security’s latest report, which provides an overview of the current state of API security, based on responses from approximately 250 security professionals.
- The report aims to shed light on the challenges and concerns faced by organizations, particularly those new to API security.
- It also highlights a lack of API security maturity and posture governance across organizations, leading to a rise in API security incidents and attack traffic.
Doubling of API attacks
- One of the most alarming findings from the report is the near doubling of API attacks in the past year. About 37% of organizations reported experiencing some form of API attack, a significant increase from previous years.
- Despite this surge in attacks, only around 7.5% of respondents indicated they have advanced API security solutions in place. This discrepancy highlights the ongoing lack of API security maturity.
Zombie APIs remain a top concern amongst organizations
- A major concern for many organizations is the lack of visibility into their API ecosystems. Approximately 70% of respondents expressed worries about “Zombie” APIs — the outdated, forgotten APIs within ecosystems.
- Even more troubling is that only 60% have effective mechanisms for discovering these APIs. Without proper visibility, securing the API landscape becomes an almost insurmountable challenge.
Traditional security measures insufficient against sophisticated API threats
- While many organizations rely on traditional security tools like API gateways and Web Application Firewalls (WAFs), these measures are often insufficient against sophisticated API threats.
- Schwake points out that while such tools might handle standard threats, they fall short in addressing more advanced attacks.
- There is a pressing need for more specialized solutions that can offer deeper protection.
Rise of AI-Generated APIs
- Schwake notes that organizations are struggling to understand their API ecosystems and to mitigate the risks associated with AI-generated APIs.
- Adding to the complexity is the rapid proliferation of AI-generated APIs. These APIs can be created in minutes, significantly increasing the number of APIs within an organization’s ecosystem.
- Schwake points out that this rapid growth not only exacerbates the visibility issue but also introduces new security challenges that traditional measures may not adequately address.
Growing Market Awareness
- There is a growing recognition of the need for dedicated API security platforms.
- Market analysts, including firms like Gartner, are actively highlighting the importance of API security, driving greater awareness and adoption.
- Schwake notes that this increased focus is helping to shift the conversation towards more proactive security measures.
The Role of CISOs
- API security is becoming a critical concern at the highest levels of organizational leadership. CISOs, in particular, are increasingly involved in API security strategy.
- To better guard their organizations against API-related threats, CISOs should:
  - Understand the API Ecosystem: Conduct thorough discovery to identify all APIs within the organization’s ecosystem.
  - Implement Posture Governance: Develop and enforce posture governance rules that align with compliance requirements, such as PCI or HIPAA.
  - Enhance Security Measures: Strengthen existing investments in security tools by integrating advanced API security platforms capable of addressing sophisticated threats.
- By adopting advanced solutions and involving key stakeholders like CISOs, organizations can better navigate the evolving threat landscape and safeguard their API ecosystems against emerging threats.
Guest: Eric Schwake (LinkedIn)
Company: Salt Security (Twitter)
Show: Let’s Talk
This summary was written by Monika Chauhan.





