
API Attacks Increased by 681%, Affecting 95% Of Organizations, Salt Labs State of API Security Report 2022 Says

Salt Labs, the research division of Salt Security, released its Q1 2022 State of API Security report indicating that API attack traffic grew more than twice as fast as overall API traffic in the last 12 months.

According to the report, 95% of organizations running production APIs have experienced an API security incident in the last 12 months.

However, most organizations are unprepared to handle these challenges, with over a third (34%) having no API security strategy.

Similarly, traditional security measures continue to fail, giving organizations a false sense of security.

API security concerns slow down new application rollout

The Salt Security API security report shows that malicious API traffic increased by 681% while overall API traffic increased by 321%.

Similarly, Salt Security customers experienced an increased frequency of API attacks, with 12% recording an average of 500 API attacks each month. According to Salt Labs, 94% of exploits affect customers with authenticated APIs.

Consequently, 62% of organizations slowed down new application rollout because of API security concerns.

According to Roey Eliyahu, co-founder and CEO of Salt Security, given the current state of API security, every organization must become a software organization.

Similarly, Salt Security Technical Evangelist Michael Isbitski said APIs presented an attractive attack vector for threat actors to exploit.

Most organizations are unprepared to handle API attacks

With API security topping the list of concerns, 40% of the respondents were worried about their companies’ API programs. Nearly a quarter (22%) cited pre-production security, 18% runtime or production security, and 19% cited insufficient investment in requirements and documentation.

The major roadblocks to API security were the lack of expertise or resources (35%) and budget constraints (20%). Consequently, 34% of organizations had no API security strategy in place, while 27% only had a basic strategy. Only 11% of respondents had robust API security in place that included API testing and protection.

The lack of strategy and resources hinders the ability of most organizations to stop API attacks. The situation has led to a high number of organizations experiencing API attacks.

Organizations also lack clarity on ownership and on who should bear responsibility for API security. Consequently, more than half of the respondents believe API security is the responsibility of developers, DevOps, or DevSecOps, while 31% believe that AppSec or InfoSec teams are responsible.

To overcome the ownership challenge, more organizations are sharing the responsibility between application security and DevOps teams. “More than a third of respondents (34%) say that security teams collaborate more with DevOps as a result of addressing API security, and another 30% state that DevOps seeks input from security teams to shape API guidelines,” the researchers wrote. “Another 25% of organizations are embedding security engineers within DevOps teams in response to the challenge.”

However, the report warned that with runtime protection being crucial to API protection, the “shift left” tactics were failing.

WAFs and API gateways fail to stop API attacks, putting organizations at risk

“Given the inability of traditional security and API management platforms to protect against sophisticated attacks that target the unique business logic of APIs, it’s no surprise that attackers continue to be successful, keeping enterprises at risk,” Isbitski said.

The report found that 55% of the respondents rely on gateway alerts, 37% on web application firewalls (WAFs), and 45% on log file analysis.

However, 85% noted that their current tools are ineffective in stopping API attacks, while another 83% lack full confidence in their API inventory.

The report noted that traditional security and API management tools, including WAFs and API gateways, have failed to catch API attacks, leaving many organizations with a false sense of security.

For example, reliance on log file analysis means that attackers have already accessed valuable data by the time the vulnerability is detected.

“Perhaps the biggest lesson we can take from our latest research is that 2022 must be the year that organizations get serious about securing APIs,” they wrote.