Salt Security released the results of its API security report titled, “The State of API Security – Q1 2021.” Among its findings, the report revealed that 66% of organizations admit to having slowed the rollout of a new application into production because of API security concerns. In addition, 54% of organizations running production APIs have at best only a basic strategy for API security, with 27% having no strategy at all. The report combines survey results with customer data from Salt’s API security SaaS service, and the findings make clear that, despite the critical role APIs have in enabling revenue and innovation, companies of all sizes lack sufficient API security.
Nearly all respondents (91%) experienced an API security incident last year
Respondents identified API security problems found in their organization’s production APIs, and 91% had suffered a problem last year. Vulnerabilities (54%) and authentication issues (46%) topped the list, followed by bot/scraping (20%) and denial of service attacks (19%). Finding a vulnerability in a production API means that pre-production vetting, while crucial, cannot prevent vulnerabilities from making their way into production rollouts. Furthermore, Salt customer data showed the number of API attacks per month per customer increased from 50 last June to nearly 80 by December. Given the rate of incidents, it’s not surprising to see 66% of companies have delayed rollouts.
More than a quarter of organizations running production APIs have no API security strategy
As DevOps has emerged, security teams are frequently required to play catch-up, with more than a quarter of organizations running critical API-based applications with no security strategy and another 27% of organizations having only a basic strategy for API security. In addition, while more than two thirds of respondents note that security teams have been highlighting the OWASP API Security Top 10 threats, teams still do not have a plan in place for securing APIs.
Salt Security compiled anonymized customer data and survey responses from nearly 200 security, application, and DevOps professionals to create this report. Survey respondents came from companies of all sizes—ranging from fewer than 100 employees to more than 10,000—and represented the following industries: Education, Energy/Utilities, Entertainment, Federal Government, Financial Services, Healthcare, Manufacturing, Media and Technology. Respondent functional roles included Application Security, Security Architect, DevOps, API Platform, Product, CIO/C-Level, CISOs, and others.
