The majority (95%) of organizations have experienced an API security incident in the past 12 months, according to Salt Security’s Salt Labs State of API Security Report, Q1 2022.

Despite the dramatic increase in attacks and incidents, these organizations, all running production APIs, remain unprepared for API attacks, with 34% of respondents lacking an API security strategy, which presents a significant business risk to enterprises in the form of slowed business innovation, compromised consumer confidence, and disruption to modernization efforts.

Attempted attacks against survey respondents grew steeply — malicious API traffic increased 681% compared to a 321% increase in overall API traffic. Understandably, 62% of survey respondents acknowledged slowing down the rollout of a new application because of API security concerns.

With nearly every survey respondent (95%) identifying an API security incident in their production APIs, the need to devise a robust API security strategy is urgent. Survey respondents also experienced an increasing frequency in attacks, with 12% enduring an average of more than 500 attacks every month.

“APIs present an attractive attack vector, despite organizations’ best efforts to validate APIs before releasing them into production,” said Michael Isbitski, Technical Evangelist, Salt Security. “Given the inability of traditional security and API management platforms to protect against sophisticated attacks that target the unique business logic of APIs, it’s no surprise that attackers continue to be successful, keeping enterprises at risk.”

Security concerns top the list of worries about API strategies, at 40%

Survey respondents have various concerns about their companies’ API programs, with 40% citing security as their leading worry. Insufficient investment in pre-production security takes the top spot, at 22%, and another 18% of respondents are concerned that the program doesn’t adequately address runtime or production security. Insufficient investment in fleshing out requirements and documentation is the leading concern for 19% of respondents.

Most enterprises are unprepared for an API attack

Highly publicized security incidents and pleas from security professionals to implement API security protections have not been enough to drive most organizations to adopt effective API security strategies. Among survey respondents, 34% have no strategy in place, and slightly more than a quarter (27%) have just a basic strategy. Only 11% have an advanced strategy that includes dedicated API testing and protection.

Findings also support the notion that budget and skills gaps play a role in this lack of preparedness. Lack of expertise or resources (35%) and budget constraints (20%) are the top obstacles to implementing an optimal API security strategy.

An overreliance on “shift left” practices continues to fail the enterprise

With runtime protection being fundamental to effective API protection and 95% of respondents having experienced an API security incident within the last year, “shift left” tactics for API security are proving inadequate. This issue is magnified as IT teams continue to be divided over “ownership” of API security. More than half of survey respondents say the primary responsibility sits with developers, DevOps, or DevSecOps. Only 31% of respondents put the responsibility of API security onto AppSec or InfoSec teams.

WAFs and API Gateways continue to miss API attacks

Reliance on traditional security and API management tools, such as web application firewalls (WAFs) and API gateways, has left many organizations with a false sense of security. With 95% of respondents having experienced an API security incident in the last year, the fact that 55% are relying on alerts from gateways and 37% are using WAFs to identify attackers shows the gap in capabilities. Reliance on log file analysis (45%) for API security is similarly ineffective — by the time log files are parsed through, attackers are long gone with the valuable data and payloads they sought.

Stopping API attacks remains top criterion for an API security platform

For the third time in a row, more respondents (42%) cited stopping API attacks as the most important capability they seek in an API security platform. Identifying which APIs expose personal identifiable information (PII) and sensitive data follows as a close second (41%). Over time, the ability to harden APIs came in third (38%), and meeting compliance or regulatory requirements came in fourth (36%).

Additional findings from the State of API Security Report:

• The risk of “zombie” or outdated APIs tops the list of API security concerns, with 43% of respondents citing it as their top worry. Account takeover came in second, with 22% focused on that risk as their biggest concern.
• API changes are on the rise — 9% of respondents update their APIs every day, 31% do so weekly, and 24% update less often than every month.
• 94% of exploits within the Salt customer base happen against authenticated APIs.
• 86% of respondents lack the confidence that they know which APIs expose sensitive data.
• 85% of respondents noted that their current tools are ineffective in stopping API attacks.
• 83% of respondents lack full confidence in their API inventory.

API security is improving how security teams work

Although organizations are highly disparate in their perspective on who should bear responsibility for API security, collaboration and shared input between Security and DevOps teams are rising. More than a third of respondents (34%) say that security teams collaborate more with DevOps as a result of addressing API security, and another 30% state that DevOps seeks input from security teams to shape API guidelines. Another 25% of organizations are embedding security engineers within DevOps teams in response to the challenge. The survey also found that more security teams are highlighting the OWASP API Top 10 list of threats — 61% in this report vs. 50% six months ago, a positive change for improving API security practices across an organization.