Salt Security, a leading API security company, in its latest Salt Labs State of API Security Report for Q1 2023, found a 400% increase in unique API attackers over the past six months.
Their researchers also found that 80% of these attacks took place over authenticated APIs. They also found, unsurprisingly, that 94% of survey respondents experienced security problems in production APIs in the past year. The result is that 17% reported they’d suffered from a data breach, and 48% of respondents now consider API security a C-level discussion.
Whether C-level executives, outside of the CIO, CISO, and CTO, even know what an API is, is another question.
Be that as it may, 54% of developers and administrators worry a lot about outdated/zombie APIs. That’s up from 42% in the last quarter.
API Attack Surfaces
They have a reason. Everyone agrees that to secure APIs, you need to know what their API attack surface looks like in the first place. Too bad we often don’t know what those surfaces really look like.
Sure, we know — or at least we hope we know — what our APIs do, but what are their potential weaknesses? How might they be abused? We often don’t have a clue.
Why? APIs are constantly changing, making them nearly impossible to document. 37% of organizations update their APIs at least weekly, up from 32% in Q3 2022. And 9% update their primary APIs on a daily basis. Given the significant documentation challenges at organizations, most environments are running APIs that are not documented. This isn’t just a matter of shadow APIs; all too often, programmers literally don’t know what’s what with their “official” APIs. Only 18% of respondents are very confident that their API inventories provide enough detail about their APIs and the personally identifiable information (PII) or sensitive data within them.
So it is that:
- More than half of respondents (59%) report they have had to slow the rollout of new applications because of API security concerns.
- Only 23% of respondents believe their existing security approaches effectively prevent API attacks.
I think that’s more like 23% of respondents are hopelessly optimistic. After all, the report found:
- Only 12% of respondents consider their API security programs to be advanced, including dedicated API testing and runtime protection, up from 10% in Q3 2022.
- 30% of respondents have no current API security strategy, despite all respondents having production APIs in place. Of those, 25% say they’re in the planning stages, while 5% say API security plans are non-existent.
And the attacks just keep coming and coming:
- 78% of API endpoint attacks come from seemingly legitimate users but are actually attackers who have maliciously achieved the proper authentication.
- 8% of attack attempts are perpetrated against internal-facing APIs, typically left entirely unprotected.
Let me inject (see what I did there?) that no API anywhere should be left without protection. That’s just asking for trouble.
In Salt Labs’ own investigations, 90% of the time they’ve uncovered API security vulnerabilities, and 50% of those security weaknesses are critical. Of those surveyed, 41% stated that they had identified a vulnerability in their production APIs. That number has fluctuated between 39% and 55% since the initial survey. Salt Labs — and yours truly — think the real number is probably substantially higher in reality.
While APIs are obscure to the general public, Roey Eliyahu, Salt Security co-founder and CEO, pointed out that recent API breaches at T-Mobile, Toyota, and Optus have jeopardized business operations, brand reputation, and services. In other words — once more and with feeling — it’s way past time to start taking API security seriously.
So it is, as Salt Security puts it: “Organizations must move beyond yesterday’s security practices and last-generation tools to a modern security strategy that addresses security at every stage of the API lifecycle and provides a broad range of protections that foster collaboration across teams.” The company has its own answer, of course, the Salt Security API Protection Platform. But whether you deploy their platform or another, you need to do something to secure your APIs. If not, your company could end up in the headlines for all the wrong reasons too.