API Attacks up 348% in Six Months, per Latest “State of API Security” Report
The data makes it clear: more companies are suffering more API attacks than ever, and companies remain as ill-prepared as ever.
The Salt Labs team today released the latest edition of the pioneering “State of API Security” report. The data, drawn from a combination of survey responses and empirical data from Salt Security customers, paints a picture of increased attacks, application rollout delays, worries over pre-prod and runtime API protection, and near-universal experiences of API security incidents.
Salt Security initiated this industry-first research six months ago, with the inaugural report. This time, the Salt Labs team spearheaded the effort. The findings show that despite increased awareness about the risk of APIs, the vast majority of companies are suffering attacks, don't have an API security strategy in place, and haven't determined who "owns" API security.
Here’s what we learned in this second edition of the report:
- in the past six months, Salt customer data shows the number of APIs has increased 112%, average API call volume is up 141%, and malicious API calls are up 348%
- 64% of survey respondents have slowed application rollouts over API security concerns
- 94% of respondents have experienced an API security incident in the past 12 months
- 48% of Salt customers are experiencing 11–100 API attacks per month, and 5% are experiencing more than 1,000 attacks every month
- 40% of survey respondents cite “zombie” APIs as their biggest area of concern
- 85% of respondents lack confidence in the completeness of their API inventory
- 55% of respondents say “stop attacks” is the most critical capability of an API security platform
- Salt data shows 95% of API exploits are happening against authenticated APIs
- survey respondents are very mixed in their views of who should own API security — 21% say developers, 20% say the API team, 16% say AppSec, and another 16% say DevSecOps
- 50% of respondents do not have security teams highlighting the OWASP API Security Top 10 list
Next steps for enterprises
This kind of data is most useful when you use it to build a game plan for response. The survey results and Salt customer data contain a lot of sobering findings, but they also highlight a path forward. What are the implications for us as an industry?
1. Companies must augment their WAFs and API gateways
With every Salt customer having a WAF and most also having API gateways, and all of them enduring multiple attacks per week, we can see the ineffectiveness of these tools in handling API attacks. Organizations hoping they’ve "got it covered" with these older technologies are keeping their companies exposed to unnecessary risk.
2. An overreliance on “shift left” tactics is not working
API security is often seen as a developer’s problem, but API attacks target vulnerabilities in business logic, which don’t show up in code testing. Companies must both “shift left” and “shield right” — that is, apply remediation insights to make their code more secure but also deploy runtime protection to fully protect their vital data and services.
3. A full lifecycle approach is essential
Organizations need a mix of tactics to protect APIs. They must vet APIs as they're developed, automate runtime protection to block attackers, and provide developers with closed-loop feedback that distills learnings from runtime to help developers harden APIs.
4. You can’t prevent attackers from targeting APIs, but you can stop them before they succeed
Attackers need to poke and prod on APIs to learn the business logic they’re exercising and look for flaws. Organizations need to leverage big data and automation to identify this reconnaissance activity and stop attackers before they reach their objective.
5. Given the need for automation, with ML and AI, “time in market” is critical
Humans simply can’t keep up in the battle to protect APIs. The algorithms at the heart of API security platforms rely on time in market — seeing hundreds of customer environments over time — to learn and improve. Organizations must evaluate how long a system has been in market to understand how robust and refined its capabilities can be.
Download the full report so you can evaluate your organization’s progress on this critical journey. Insights from the report can help you chart a path to better protecting your own APIs.
You can also request an API Security Gap Assessment to better understand your API landscape and gain personalized remediation insights.
If you’re interested in seeing the Salt Security API Protection Platform in action, contact us for a customized demo today!