The State of API Security report by Salt Security found that malicious traffic targeting APIs grew almost three times as fast as legitimate API traffic over the past six months, creating significant security challenges.
The company noted that all of its customers experienced API security incidents, and most respondents were skeptical that they could identify and stop API attacks.
Additionally, many organizations had to delay the deployment of APIs because of API security concerns.
Malicious API traffic dwarfs legitimate traffic
Salt Security says API traffic was on the rise because of the adoption of digital technologies across various industries.
Organizations use APIs for system/platform integrations (61%), to drive digital transformation initiatives (52%), development efficiencies and/or standardization (47%), cloud migration (39%), partner enablement (36%), and monetization of functionality or data (18%).
However, malicious API traffic grew far faster than legitimate API traffic over the same period.
Between December 2020 and June 2021, monthly API traffic grew from 195 million calls to 470 million calls, a 141% increase in overall traffic. Over the same window, Salt Security’s customers saw attack calls rise from 2.73 million per month in December 2020 to 12.22 million per month in June 2021, a 348% increase in six months.
Almost all respondents experienced an API security incident in the past 12 months
Most organizations were struggling with API security, including the basic question of who is responsible for it.
More than half (52%) of the respondents placed responsibility for API security on the API team (20%), developers (21%), or the DevOps team (11%).
However, the researchers debunked the belief that “developers write APIs, so they should be responsible for securing APIs” because hardly any developer writes perfect code, most applications include third-party inputs, and APIs require external controls outside the code.
This confusion over security responsibility compounded the problem, with many organizations experiencing a security incident.
“Ultimately, the proof is in the pudding – 94% of survey respondents experienced an API security incident in the past year, and 100% of Salt customers experience multiple attacks every month.”
Measured by the average number of attacks per customer, the security problems reported were vulnerabilities (55%), breaches (15%), sensitive data exposure (19%), authentication problems (39%), denial of service (23%), account misuse/fraud (20%), and credential stuffing (16%).
API security concerns inhibit innovation and application rollout
The report found that nearly two-thirds of organizations delayed the rollout of a new application because of API security concerns.
“Companies rely on application development to fuel business innovation – this finding alone should make API security a key priority in any application-driven organization.”
While most organizations were in the process of developing API programs, nearly half (46%) cited security as a major concern.
Worry over a lack of pre-production security was the top response (26%), followed closely by adequately addressing runtime security (20%) of their API programs. Similarly, a failure to achieve sufficient observability and control was a concern for 14% of respondents.
Regardless of the areas of concern, most respondents (55%) believed that stopping attacks at runtime was the biggest priority.
“The ability to identify which APIs expose PII or other sensitive data came in a close second, with 52% of respondents citing it as highly important – that figure rises to more than 80% of respondents when you add together respondents who rated it a 4 or 5 out of 5 in importance.”
The report authors advised organizations to educate team members about the OWASP API Security Top 10 list to bolster API security.
Lack of confidence in the organization’s API inventory is widespread
Sadly, almost nine in ten respondents (85%) lacked confidence in their API inventory’s ability to stop attacks. Nearly a fifth (17%) of the respondents “have absolutely no confidence in or knowledge about the completeness of their API inventory.”
Nearly half (47%) were only “somewhat” confident, while just 15% were very confident in their API inventory.
The respondents’ skepticism was not unfounded. Nearly half (49%) of the respondents depended on WAFs or API gateways to identify API attacks. However, only 16% found that tooling effective at identifying attacks.
Outdated or “zombie” APIs are a major concern
Four in ten (40%) respondents cited outdated or “zombie” APIs as their top security concern, almost triple the 16% most worried about account takeover. Only 14% ranked outdated APIs as their lowest concern.
While many outdated APIs may still be functional, they typically lack the security controls needed to defend against current attacks.
Other top concerns included denial of service (14%), shadow/unknown APIs (11%), accidental exposure of sensitive information (10%), and data exfiltration (9%).
A radical shift in API security is happening
With API attacks rising and existing tools falling short, security and DevOps teams began working together more closely to improve API security. The report found that most organizations saw changes in how security teams approach partnerships with DevOps teams; only a small number (9%) reported no change in how security teams approached API security.
Similarly, a third of the respondents said more collaboration was needed between security and DevOps teams, while a similar share said security engineers were being embedded in DevOps teams. However, only a small number (16%) of DevOps teams requested input from security teams on API security guidelines.
With API traffic comprising 80% of all internet activity, the sobering report painted a grim picture of the state of web security as a whole.