API security crisis: 95% of companies affected last year, says Salt Security

The alarming extent of API security issues

A recent Salt Security study shows that a staggering 95% of companies faced security problems in production APIs over the past year. Almost all organizations grapple with securing their APIs against increasingly sophisticated threats.

The study also highlights that 23% of these companies suffered breaches directly attributed to API security inadequacies. Breaches compromise sensitive data erode customer trust and can lead to substantial financial losses.

API security problems arise from multiple factors, including insufficient security measures, lack of awareness, and the rapid pace of API development outpacing traditional security practices.

Companies must recognize that APIs, which facilitate communication between different software systems, are prime targets for attackers. As such, developing and maintaining robust API security protocols must be a priority to properly safeguard organizational data and integrity.

Exploding API counts and what it means for security

The Salt Security report points out a 167% increase in API counts among its customers over the last year, indicating a growing reliance on APIs to drive innovation, integrate systems, and boost customer experiences.

With 66% of respondents managing over 100 APIs, the sheer volume of APIs in use today presents a complex and dire security challenge.

Exponential growth in API usage expands the potential attack surface, making it more challenging for security teams to monitor and protect every endpoint. Each new API introduces potential vulnerabilities that can be exploited if not properly secured.

Companies must implement comprehensive API management and security strategies to mitigate these risks effectively. This involves continuous monitoring, regular security assessments, and adopting advanced security solutions that can adapt to the dynamic nature of API environments.

Expanding attack surfaces are a growing concern

Increasing use of APIs directly correlates with an expanded attack surface, making organizations more susceptible to cyber-attacks. The study shows that threat actors are increasingly targeting APIs, leveraging various attack vectors to exploit weaknesses. To combat this, companies must both react to incidents and anticipate and prevent potential threats proactively.

An expanded attack surface requires a multi-layered security strategy that includes threat detection, anomaly monitoring, and rapid incident response capabilities.

Companies should prioritize securing their APIs by adopting best practices such as authentication, authorization, encryption, and implementing rate limiting to control the volume of API requests.

API attacks are surging: Here’s what you need to know

A year-over-year comparison of API attacks

API attacks have become more prevalent, with the percentage of companies experiencing such attacks rising from 17% last year to 37% this year – highlighting the growing focus of cybercriminals on APIs as lucrative targets.

Sophistication of these attacks is also evolving, requiring organizations to stay ahead of the curve with advanced security measures. Rising API attacks can be attributed to several factors, including the increased complexity of API ecosystems, inadequate security controls, and the rapid deployment of new APIs without thorough security testing.

Companies must buttress their security posture by integrating security into the API development lifecycle, conducting regular security audits, and employing automated tools to identify and remediate vulnerabilities.

How attackers are bypassing your API defenses

Attackers employ various methods to bypass API defenses, with 61% of attacks successfully circumventing authentication mechanisms. Critical vulnerabilities in how APIs are protected calls for stronger authentication protocols, such as multi-factor authentication and OAuth.

13% of API incidents specifically target internal APIs, which are often overlooked in security planning.

Internal APIs, while seemingly less exposed, can provide attackers with access to sensitive internal systems if compromised. Implementing comprehensive security for both public and internal APIs is critical, including stringent access controls, regular security reviews, and employing zero-trust principles.

Why zombie APIs are becoming a top security concern

Zombie APIs, or outdated and forgotten APIs, pose an urgent security threat. According to the Salt Security study, 70% of respondents rate Zombie APIs as a high concern, up from 54% last year – reflecting the growing awareness of the dangers that these neglected APIs present.

Zombie APIs can expose outdated code with known vulnerabilities, providing an easy entry point for attackers. They often go unnoticed because they are no longer actively managed or documented, which creates blind spots in an organization’s security posture. Addressing this requires a thorough inventory of all APIs, regular deprecation of unused APIs, and continuous monitoring to detect and remediate potential security risks.

Companies must focus on these areas and implement the recommended security practices to better protect their API ecosystems from evolving threats while maintaining the trust of both their customers and stakeholders.

Reality of API security programs: Are we really prepared?

Only 7.5% of respondents in the Salt Security study consider their API security programs to be “advanced.”, pointing to a widespread lack of preparedness and sophistication in managing API security across industries. With APIs becoming integral to business operations, the gap in security maturity poses a substantial risk.

Even more alarming is that 37% of respondents with production APIs admit to lacking an active API security strategy. Absence of these proactive approaches leaves organizations vulnerable to potential breaches and attacks.

Without a robust security strategy, companies may struggle to identify and mitigate risks promptly, leading to compromised data and operational disruptions.

On a more positive note, 46% of companies report that API security is a topic of discussion at the C-level. When executives prioritize API security, it often leads to better resource allocation, comprehensive security policies, and a stronger overall security posture. That being said, disparity between acknowledgment and action suggests that many organizations are still in the early stages of implementing effective security measures.

Strengthening API security with posture governance

The concept of API posture governance, while relatively new, is gaining traction among companies. Currently, only 10% of organizations have structured API posture governance strategies in place, which are essential for providing a systematic framework to secure and manage APIs throughout their lifecycle.

Structured governance includes defining security policies, establishing best practices, and emphasizing consistent application of security measures across all APIs. Companies with these strategies can better anticipate and mitigate security risks, which in turn reduces the likelihood of breaches and attacks.

The study also highlights a positive trend, with 47% of respondents planning to implement API posture governance strategies within the next year. This suggests that more companies are recognizing the importance of structured governance to safeguard their API ecosystems.

As this adoption grows, we can expect to see a reduction in security incidents and a more resilient approach to managing API security.

Challenges of keeping up with rapid API updates

Frequent API updates are outpacing documentation

According to the study, 38% of organizations update their APIs weekly, and 13% do so daily. Frequent updates, while beneficial for innovation and responsiveness, complicates the task of maintaining accurate and up-to-date documentation.

Traditional documentation methods struggle to keep pace with these rapid changes, leading to gaps in knowledge and potential security vulnerabilities. When documentation is outdated or incomplete, developers and security teams may not have the necessary information to secure APIs adequately – resulting in overlooked vulnerabilities and an increased risk of attacks.

The struggle to maintain an accurate API inventory

Compounding the issue of rapid updates is the challenge of maintaining an accurate API inventory. The study points out that a hefty 88% of organizations are unsure of their complete API inventory. Uncertainty here stems from constantly evolving APIs and difficulties in tracking all active, deprecated, and outdated APIs within an organization.

Without a clear and comprehensive inventory, organizations cannot effectively manage and secure their APIs.

Visibility gaps can lead to unmonitored APIs becoming entry points for attackers, bringing with it serious security risks. Traditional security safeguards, which often rely on static inventories and manual processes, are ill-equipped to handle the dynamic nature of modern API ecosystems.

To address these challenges, companies must adopt automated tools and processes for real-time API inventory management and documentation. These tools can provide continuous visibility into the API landscape, so that all APIs are accounted for and secured against potential threats.

5 practical steps to improve your API security

1. Craft a strong API security strategy

Developing a comprehensive API security strategy is foundational for safeguarding your digital assets. This should encompass every phase of the API lifecycle, from design and development to deployment and maintenance.

A robust API security plan involves setting clear security policies, defining roles and responsibilities, and implementing best practices for secure API development.

Key components of a strong API security strategy include:

• Authentication and authorization: Make sure that only authorized users and applications can access your APIs. Implement multi-factor authentication and robust authorization mechanisms.
• Encryption: Protect data in transit and at rest using strong encryption protocols.
• Rate limiting and throttling: Control the number of API requests to prevent abuse and denial-of-service attacks.
• Regular security audits: Conduct periodic audits and penetration testing to identify and remediate vulnerabilities.

2. Evaluate your current API security risks

A thorough risk assessment is the key to understanding and mitigating potential API security vulnerabilities. This involves:

• Inventorying APIs: Maintain an up-to-date inventory of all APIs, including public, private, and internal ones.
• Identifying threats: Analyze potential threats and attack vectors that could compromise your APIs.
• Assessing impact: Evaluate the potential impact of different types of attacks on your business operations and data integrity.
• Prioritizing risks: Prioritize risks based on their likelihood and potential impact, focusing resources on addressing the most critical vulnerabilities first.

Conducting these assessments regularly will help you stay ahead of emerging threats and adjust your security measures accordingly.

3. Achieve seamless API security integration

Implementing security measures that integrate seamlessly into all application environments is a must for maintaining a strong security posture without disrupting operations. This includes:

• Automated security tools: Use automated tools to scan for vulnerabilities and enforce security policies across all APIs.
• Continuous monitoring: Implement continuous monitoring solutions to detect and respond to security incidents in real-time.
• DevSecOps practices: Integrate security into your DevOps processes so that security is considered at every stage of the development lifecycle.

Adopting these practices will help you create a security environment that is both effective and minimally intrusive to your development and operational workflows.

4. Prioritize strong runtime security for APIs

Runtime security is key for protecting APIs during their active use. This typically involves continuous protection and monitoring to detect and mitigate threats in real-time. Effective runtime security measures can include:

• Intrusion Detection Systems (IDS): Deploy IDS to monitor API traffic and detect unusual patterns that may indicate an attack.
• Behavioral analysis: Use behavioral analysis tools to identify anomalies in API usage that could uncover malicious activity.
• Real-time threat mitigation: Implement solutions that can automatically block or mitigate threats as they are detected.

Adopting a strong focus on ensuring robust runtime security helps protect your APIs from active threats and minimizes the risk of data breaches.

5. Implement early-stage API security practices

Adopting early-stage security practices, commonly referred to as “shifting left,” can typically involve integrating security measures early in the API development process, including:

• Security by design: Embed security considerations into the design and architecture of APIs.
• Code reviews: Conduct regular security-focused code reviews to identify and address vulnerabilities during development.
• Developer training: Train developers on secure coding practices and the importance of API security.

Structured governance practices provide a framework for consistently applying security measures across the entire API ecosystem, reducing the risk of vulnerabilities being introduced during development.