Salt Security State of API Security Report Reveals 95% of Respondents Experienced API Security Problems Driven by Accelerated API Usage

API security company Salt Security has unveiled the findings from the Salt Labs State of API Security Report, 2024. The research, which analysed survey responses from 250 IT and security professionals, combined with anonymised empirical data from Salt customers, highlights a lack of API security maturity and posture governance across organisations, leading to a rise in API security incidents and attack traffic.

The research found that almost all (95%) survey respondents experienced security problems in production APIs, with 23% suffering breaches as a result of API security inadequacies. The volume of APIs within organisations is also accelerating, with Salt customer data showing a 167% increase in API counts over the past 12 months, and nearly two-thirds (66%) of survey respondents indicated that they are managing more than 100 APIs. Increased API usage brings an expanded API attack surface, and malicious activity is on the rise.

The 2024 report also highlights the ongoing lack of API security maturity. Only 7.5% of organisations consider their API security programmes to be ‘advanced’ and, alarmingly, over one-third (37%) of the respondents who have APIs running in production do not have an active API security strategy in place. Despite this, nearly half (46%) of respondents stated that API security is a C-level discussion within their organisations.

According to the research, API posture governance strategies, which provide a structured framework for managing and securing the entire API ecosystem from design to deployment, also remain a relatively new phenomenon. Only 10% of organisations currently have an API posture governance strategy in place. However, realising its critical importance, almost half (47%) plan to implement such a strategy within the next 12 months. By deploying and implementing a robust API posture governance engine, organisations can gain complete visibility into their API landscape, eliminate blind spots, and establish corporate-wide security standards and regulations across their entire API ecosystems.

Additionally, there has been a sharp increase in API security incidents. Compared to 2023, the number of organisations experiencing such issues has doubled, with 37% reporting attacks. The attackers are becoming more sophisticated, with over half bypassing authentication measures. Even internal APIs are at risk, targeted in 13% of attempts. These findings highlight the urgent need for stronger API security protocols.

However, leaders reported that finding APIs within their own systems is a major challenge. A surprising statistic reveals that only 58% have procedures in place for API discovery. This lack of visibility is further emphasised by the fact that less than 15% are confident about identifying APIs that handle sensitive personal data. This highlights a critical gap in API management and potential security risks.

“The volume of APIs within organisations is showing no sign of decline, and security teams are struggling to keep pace with the sheer breadth and depth of modern API ecosystems,” said Roey Eliyahu, co-founder and CEO, Salt Security. “As illustrated by the findings of our research, attackers are continuing to take advantage of this, leveraging weak spots within APIs to execute malicious attacks and gain access to company and customer data. With bad actors constantly refining their tactics to discreetly launch API attacks, often through legitimate means, it requires organisations to take a more sophisticated approach to securing APIs. One that encompasses strong API discovery capabilities, a posture governance strategy, and the ability to quickly and efficiently detect active threats and malicious API traffic.”