Salt Security has released the Salt Labs State of API Security Report, Q1 2023. The report found that attackers have stepped up their activity, with Salt customer data showing a 400 percent increase in unique attackers over the last six months. In addition, about 80 percent of attacks occurred over authenticated APIs.
The State of API Security Report pulls from a combination of survey responses and empirical data from Salt customers. It includes ‘in the wild’ API vulnerability research from Salt Labs that demonstrates how respondents’ top concerns in API security manifest in real-world scenarios.
API security has emerged as a significant business issue, not just a security problem:
- More than half of respondents (59 percent) report they have had to slow the rollout of new applications because of API security concerns.
- Just 23 percent of respondents believe their existing security approaches are very effective at preventing API attacks.
- 48 percent of survey respondents say that API security has become a C-level discussion over the past year. That percentage runs even higher within heavily regulated industries, such as technology (59 percent), financial services (56 percent), and energy/utilities (55 percent).
Attackers are more relentless than ever
Salt customer data shows that API attacks are on the rise and bad actors are targeting internal and authenticated APIs. Data from the Salt cloud shows:
- 78 percent of attacks come from seemingly legitimate users who are in fact attackers that have obtained valid authentication to the API.
- 8 percent of attack attempts are perpetrated against internal-facing APIs, which are typically left entirely unprotected.
- 4,845 unique attackers operated in December 2022 – a 400 percent increase from just six months earlier.
Zombie APIs followed by ATO top the list of API worries
When asked about the most concerning API security risks:
- 54 percent of respondents said outdated or ‘zombie’ APIs are a high concern, up from 42 percent last quarter.
- 43 percent highlighted account takeover (ATO) as a high concern.
- Only 20 percent cited shadow APIs as a top concern. Given API documentation challenges, it is likely most environments are running APIs that are not documented and that the risk in this area is higher than many respondents realise.
Most API security strategies remain immature
The survey found that the vast majority of organizations still lack mature API security programs:
- Only 12 percent of respondents consider their API security programs to be advanced, including dedicated API testing and runtime protection, up from 10 percent in Q3 2022.
- 30 percent of respondents have no current API security strategy, despite all respondents having production APIs in place. Of those, 25 percent say they’re in planning stages, while 5 percent say API security plans are non-existent.
Vulnerabilities discovered in the wild represent a critical concern
Companies large and small have many unknown security gaps. The report notes:
- 90 percent of investigations undertaken by Salt Labs uncover API security vulnerabilities, and 50 percent of the vulnerabilities discovered should be considered critical.
- 41 percent of survey respondents stated that they had identified a vulnerability in their production APIs; according to Salt Labs, the real figure is most likely substantially higher.