API security concerns hindering new application rollouts
66% of organizations admit to having slowed the rollout of a new application into production because of API security concerns, a Salt Security report reveals.
In addition, 54% of organizations running production APIs have at best only a basic strategy for API security, with 27% having no strategy at all.
“In today’s digital economy, APIs are the direct gateway to organizations’ most critical data and assets. Built to enable customers and partners, these APIs create risk by also providing a path for attackers to follow. As APIs have grown in volume and functionality, they’ve made ever more attractive targets for hackers, driving up the number and sophistication of API attacks,” said Roey Eliyahu, CEO at Salt Security.
“We compiled the industry’s first State of API Security Report to better understand the enterprise experience of APIs today. The study makes clear that companies’ current approaches for securing APIs have gaps that leave them at risk. It also highlights how organizations need new approaches to API security if they are to continue innovating safely and remain competitive.”
Most orgs experienced an API security incident last year
Respondents were asked which API security problems they had found in their organization’s production APIs, and 91% reported at least one in the past year. Vulnerabilities (54%) and authentication issues (46%) topped the list, followed by bot/scraping (20%) and DoS attacks (19%).
That vulnerabilities are still being found in production APIs shows that pre-production vetting, while crucial, cannot on its own keep vulnerabilities out of production rollouts.
What’s even more alarming is the Salt customer data showed the number of API attacks per month per customer increased from 50 last June to nearly 80 by December. Given the rate of incidents, it’s not surprising to see 66% of companies have delayed rollouts.
WAFs and API Gateways cannot stop API attacks
Every Salt customer has WAFs and API gateways in place, and every Salt customer has also experienced multiple attacks per month. API attacks are therefore routinely getting past those tools.
This finding is less surprising given the report’s assessment that WAFs and API gateways miss 90% of the OWASP API Security Top 10 threats. More troubling, 9% of respondents admitted they cannot identify API attacks at all.
Orgs running production APIs have no API security strategy
As DevOps has taken hold, security teams are frequently left playing catch-up: more than a quarter of organizations run critical API-based applications with no API security strategy at all, and another 27% have only a basic one.
In addition, while more than two thirds of respondents note that their security teams have been highlighting the OWASP API Security Top 10 threats, teams still have no plan in place for securing APIs.
83% of orgs lack confidence in their API inventory
Organizations use a broad array of API documentation techniques, yet only 16% of respondents are very confident that their API inventory is complete. Most common approaches depend on humans to keep the inventory current, so documentation falls behind the pace of new development and API changes.
Other key findings
- API traffic is growing, but malicious API traffic is growing faster. Customers’ monthly volume of API calls grew 51%, while the percentage of malicious traffic grew 211%.
- 80% of organizations do not believe their security tools can prevent API attacks effectively.
- 82% of organizations lack confidence in knowing API details such as exposed PII, which might include CPNI, PHI, cardholder data, and other sensitive information. 22% of organizations admit they have no way to know which APIs expose PII.
- Outdated and zombie APIs present the greatest perceived risk. Zombie APIs, meaning older APIs or ones expected to be short-lived, pose a special risk because organizations assume they have been decommissioned while they remain reachable and unmonitored.
- Current API security approaches rely heavily on pre-production lifecycle phases. More than half of organizations apply no runtime API security protection.
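The inventory and zombie-API findings above come down to one gap: documentation says what an organization thinks is exposed, while runtime traffic says what actually is. The following script is an added example (not code from the report or from Salt Security) that reconciles a documented route list against observed access-log traffic. The route list, the `deprecated` flags, the log format and the log lines are all constructed for the example; in practice the inventory would come from an OpenAPI spec and the lines from a gateway or web server log.

```python
"""Reconcile a documented API inventory against observed runtime traffic.

Added example, not from the Salt Security report. It shows why an inventory
maintained by people drifts from what is really exposed, and how runtime
traffic surfaces three kinds of gap: shadow routes (seen but undocumented),
zombie routes (documented as retired but still answering), and documented
routes with no traffic (unused, or a blind spot in the logs).
"""
import re
from collections import Counter

# Constructed "documented" inventory, as might be extracted from an OpenAPI
# spec. The value records whether the docs mark the route as decommissioned.
DOCUMENTED = {
    ("GET", "/v2/users/{id}"): False,
    ("POST", "/v2/users"): False,
    ("GET", "/v2/orders/{id}"): False,
    ("GET", "/v1/users/{id}"): True,   # documented as decommissioned
}

# Constructed access-log lines (combined-log style) used as sample input.
LOG_LINES = """\
10.0.0.5 - - [01/Jun/2021:10:00:01 +0000] "GET /v2/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2021:10:00:02 +0000] "GET /v2/users/1043/export HTTP/1.1" 200 88213
10.0.0.7 - - [01/Jun/2021:10:00:03 +0000] "GET /v1/users/77 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jun/2021:10:00:04 +0000] "POST /v2/users HTTP/1.1" 201 120
10.0.0.9 - - [01/Jun/2021:10:00:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jun/2021:10:00:06 +0000] "GET /v2/users/1042 HTTP/1.1" 200 512
10.0.0.3 - - [01/Jun/2021:10:00:07 +0000] "GET /wp-admin HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A path segment that is a decimal id or a UUID is treated as a parameter.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$", re.IGNORECASE)


def template_path(path: str) -> str:
    """Collapse id-like segments to {id} so /users/1 and /users/2 map to one route.

    The query string is dropped; it does not identify a route.
    """
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def observed_routes(lines: str) -> Counter:
    """Count (method, templated path) pairs that the server actually served.

    404 responses are skipped: they are scanner probes, not exposed routes.
    """
    seen = Counter()
    for line in lines.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("status") != "404":
            seen[(m.group("method"), template_path(m.group("path")))] += 1
    return seen


def reconcile(documented: dict, lines: str) -> dict:
    """Compare the documented inventory with runtime traffic and classify gaps."""
    seen = observed_routes(lines)
    shadow = sorted(r for r in seen if r not in documented)
    zombie = sorted(r for r, retired in documented.items() if retired and r in seen)
    unused = sorted(r for r, retired in documented.items() if not retired and r not in seen)
    return {"shadow": shadow, "zombie": zombie, "unused": unused, "hits": seen}


if __name__ == "__main__":
    result = reconcile(DOCUMENTED, LOG_LINES)
    for kind in ("shadow", "zombie", "unused"):
        for method, path in result[kind]:
            print(f"{kind:7s} {method} {path}  hits={result['hits'][(method, path)]}")
```

On the sample input the shadow list contains an undocumented `/internal/debug/config` route and a `/v2/users/{id}/export` route nobody wrote down; the zombie list contains `/v1/users/{id}`, which the docs say is gone but which is still serving 200s; and `/v2/orders/{id}` is documented but never called, which is either dead code to retire or a sign the log source does not cover that service. Both of the last two are what the report calls zombie risk: routes nobody is watching because everyone assumes they are not there.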