Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireCybersecurity News

API attacks increased 681% in the last 12 months

By Security Staff
DevOps-freepik1170x658x5.jpg
March 2, 2022

The majority (95%) of organizations have experienced an API security incident in the past 12 months, according to Salt Security’s Salt Labs State of API Security Report, Q1 2022.


Despite the dramatic increase in attacks and incidents, these organizations, all running production APIs, remain unprepared for API attacks, with 34% of respondents lacking an API security strategy, which presents a significant business risk to enterprises in the form of slowed business innovation, compromised consumer confidence, and disruption to modernization efforts.


Attempted attacks against survey respondents grew steeply — malicious API traffic increased 681% compared to a 321% increase in overall API traffic. Understandably, 62% of survey respondents acknowledged slowing down the rollout of a new application because of API security concerns.


With nearly every survey respondent (95%) identifying an API security incident in their production APIs, the need to devise a robust API security strategy is urgent. Survey respondents also experienced an increasing frequency in attacks, with 12% enduring an average of more than 500 attacks every month.


“APIs present an attractive attack vector, despite organizations’ best efforts to validate APIs before releasing them into production,” said Michael Isbitski, Technical Evangelist, Salt Security. “Given the inability of traditional security and API management platforms to protect against sophisticated attacks that target the unique business logic of APIs, it’s no surprise that attackers continue to be successful, keeping enterprises at risk.”


Security concerns top the list of worries about API strategies, at 40%

Survey respondents have various concerns about their companies’ API programs, with 40% citing security as their leading worry. Insufficient investment in pre-production security takes the top spot, at 22%, and another 18% of respondents are concerned that the program doesn’t adequately address runtime or production security. Insufficient investment in fleshing out requirements and documentation is the leading concern for 19% of respondents.


Most enterprises are unprepared for an API attack

Highly publicized security incidents and pleas from security professionals to implement API security protections have not been enough to drive most organizations to adopt effective API security strategies. Among survey respondents, 34% have no strategy in place, and slightly more than a quarter (27%) have just a basic strategy. Only 11% have an advanced strategy that includes dedicated API testing and protection.


Findings also support the notion that budget and skills gaps play a role in this lack of preparedness. Lack of expertise or resources (35%) and budget constraints (20%) are the top obstacles to implementing an optimal API security strategy.


An overreliance on “shift left” practices continues to fail the enterprise

With runtime protection being fundamental to effective API protection and 95% of respondents having experienced an API security incident within the last year, “shift left” tactics for API security are proving inadequate. This issue is magnified as IT teams continue to be divided over “ownership” of API security. More than half of survey respondents say the primary responsibility sits with developers, DevOps, or DevSecOps. Only 31% of respondents put the responsibility of API security onto AppSec or InfoSec teams.


WAFs and API Gateways continue to miss API attacks

Reliance on traditional security and API management tools, such as web application firewalls (WAFs) and API gateways, has left many organizations with a false sense of security. With 95% of respondents having experienced an API security incident in the last year, the fact that 55% are relying on alerts from gateways and 37% are using WAFs to identify attackers shows the gap in capabilities. Reliance on log file analysis (45%) for API security is similarly ineffective — by the time log files are parsed through, attackers are long gone with the valuable data and payloads they sought.


Stopping API attacks remains top criterion for an API security platform

For the third time in a row, more respondents (42%) cited stopping API attacks as the most important capability they seek in an API security platform. Identifying which APIs expose personal identifiable information (PII) and sensitive data follows as a close second (41%). Over time, the ability to harden APIs came in third (38%), and meeting compliance or regulatory requirements came in fourth (36%).


Additional findings from the State of API Security Report:

  • The risk of “zombie” or outdated APIs tops the list of API security concerns, with 43% of respondents citing it as their top worry. Account takeover came in second, with 22% focused on that risk as their biggest concern.
  • API changes are on the rise — 9% of respondents update their APIs every day, 31% do so weekly, and 24% update less often than every month.
  • 94% of exploits within the Salt customer base happen against authenticated APIs.
  • 86% of respondents lack the confidence that they know which APIs expose sensitive data.
  • 85% of respondents noted that their current tools are ineffective in stopping API attacks.
  • 83% of respondents lack full confidence in their API inventory.


API security is improving how security teams work

Although organizations are highly disparate in their perspective on who should bear responsibility for API security, collaboration and shared input between Security and DevOps teams are rising. More than a third of respondents (34%) say that security teams collaborate more with DevOps as a result of addressing API security, and another 30% state that DevOps seeks input from security teams to shape API guidelines. Another 25% of organizations are embedding security engineers within DevOps teams in response to the challenge. The survey also found that more security teams are highlighting the OWASP API Top 10 list of threats — 61% in this report vs. 50% six months ago, a positive change for improving API security practices across an organization.

KEYWORDS: API security cyber security DevOps information security risk management security development

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Enterprise Services
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Logical Security
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security camera

40,000 IoT Security Cameras Are Exposed Online

Fountain pen

Trump Administration Executive Order Changes Cybersecurity Policy

Security’s 2025 Women in Security

Security’s 2025 Women in Security

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • laptop and phone on desk

    Public sector application flaws increased in last 12 months

    See More
  • Ethical hackers earned $45M in 2019 and 2020

    Hackers earned $45M in the last 12 months

    See More
  • Hands wearing black fingerless gloves using keyboard

    76% of MSPs faced an infrastructure cyberattack in last 12 months

    See More

Related Products

See More Products
  • 150 things.jpg

    The Handbook for School Safety and Security

  • facility manager.jpg

    The Facility Manager's Guide to Safety and Security

  • databasehacker

    The Database Hacker's Handboo

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing