Common API security issues: From exposed secrets to unauthorized access

Despite their role in connecting applications and driving innovation, APIs often suffer from serious security vulnerabilities. Recent investigations reveal that many organizations are struggling with exposed secrets such as passwords and API keys, which attackers frequently misuse. The persistence of these vulnerabilities, coupled with outdated security measures, underscores a growing concern.

35% of exposed API keys still active, posing major security risks

Nightfall AI | State of Secrets Report | August 2024

• Secrets like passwords and API keys were most often found in GitHub, with nearly 350 total secrets exposed per 100 employees every year.
• 35% of all API keys discovered were still active — posing a major risk for privilege escalation attacks, data leaks, data breaches and more.
• Passwords take the cake by comprising over half (59%) of detected secrets, with API keys following closely behind (39%).

Organizations use outdated approaches to secure APIs

Cloudflare | State of Application Security 2024 | July 2024

• DDoS remains the most leveraged threat vector to target web applications and APIs, comprising 37.1 % of all application traffic mitigated by Cloudflare.

Security challenges mount as companies handle thousands of APIs

F5 | State of Application Strategy Report | June 2024

• 90% of survey respondents said they manage fewer than 200 apps, which tends to decrease as digital transformation proceeds. At the same time, API counts only go up. More than 41% manage at least as many APIs as apps.
• The proliferation of APIs has led companies to embrace new methods to manage and secure their growing networks. 95% have now implemented API gateways to provide authentication, validate requests, and rate limit traffic.
• 43% have automated their security infrastructure for both apps and APIs.

95% of companies face API security problems

Fastly | API Security Study 2024 | March 20224

• 84% of respondents admitted to not having advanced API security in place.
• 95% of respondents said they had experienced API security problems in the last twelve months.
• 79% had delayed the rollout or integration of a new application due to API security concerns.

API environments becoming hotspots for exploitation

Akamai | Lurking in the Shadows: Attack Trends Shine Light on API Threats | March 2024

• A total of 29% of web attacks targeted APIs over 12 months (January through December 2023), indicating that APIs are a focus area for cybercriminals.
• Commerce is the most attacked vertical with 44% of API attacks, followed by business services at nearly 32%.

Researchers discover exposed API secrets, impacting major tech tokens

Escape | API Secret Sprawl Study | February 2024

• Escape’s security research team scanned 189.5 million URLs and found more than 18,000 exposed API secrets. 41% of exposed secrets were highly critical, i.e. could lead to financial risks for the organizations.