Latest “State of API Security” Report from Salt Security finds API Security Incidents Almost Universal
Stephanie Best, Head of Product Marketing at Salt Security
APIs are at the core of every modern application and that makes them an enticing attack target. However, recent research from the Salt Labs State of API Security Report has found that most organisations are unprepared to protect this ever-expanding attack surface.
This is the conclusion reached from analysing the data from a combination of survey responses and empirical data from Salt Security customers. It highlights a daunting scenario: exploding attack activity, insufficient existing security practices, and overwhelmed teams who feel ill-prepared to deal with many API security issues.
In a particularly eye-opening finding, the Salt Labs bi-annual report discovered that 94% of survey respondents admit that they have experienced security problems in production APIs within the past year. Moreover, 20% have suffered a data breach resulting from API security gaps. In addition, the report found that API attack traffic has doubled in the past 12 months. Together, these findings highlight that existing solutions and API security tactics focused on shift-left strategies are failing to adequately protect APIs.
Other key highlights from the fourth edition of the report include:
Salt customers experienced a 117% increase in API attack traffic while their overall API traffic grew 168%
API attack traffic now accounts for 2.1% of the overall API traffic for Salt customers
Among Salt customers, 34% endure 100+ API attack attempts per month, with 8% more than 1000
More than half of survey respondents (54%) indicated they've had to slow the rollout of new applications because of API security concerns
Nearly a third of respondents (31%) admit they've experienced sensitive data exposure or a privacy incident within their API production over the past year, a sharp increase compared to last year's 19%
The ability to stop attacks was rated a “highly important” attribute of an API security platform by most respondents (41%), compared to only 22% who rated shift-left capabilities a top need
91% of APIs running within the Salt customer base are exposing PII or sensitive data
API changes are on the rise with 11% of respondents updating their APIs daily and 31% updating them weekly
38% of respondents ranked security as their top concern in their API strategy, and 61% admit to lacking any API security strategy or to having only a basic one
Only 18% of respondents believe their existing tools are “very effective” in preventing API attacks
Only 55% of respondents highlight the OWASP API Security Top 10 as a focus area of their security program, which is unfortunate given that 62% of attempted attacks within the Salt customer base leveraged at least one of the methods on that list
86% of respondents lack confidence that their API inventory is complete, and 14% admit they are unaware of which APIs expose PII
64% of respondents say that API security has helped security collaborate and even embed with DevOps teams
What can enterprises do?
This type of industry data is most useful to leverage when seeking to make strides with an API Security programme – whether it’s funding, resources or skills. The survey results and Salt customer data contain a lot of interesting - and frankly daunting - findings, but they also help shine a light on the path forward. Here are some implications and recommendations to keep in mind:
Define a robust API security strategy: Most security teams - and survey respondents - rely upon traditional tools like WAFs and API gateways to manage their APIs and protect against application attacks. But with API attacks increasing, it is clear that these tools and processes leave significant gaps when defending against API attacks. You need to define and execute an API security strategy that covers the complete API lifecycle and addresses cross-functional responsibilities.
Assess your current level of risk: API security risks are real and the stakes are high, so do some poking and prodding of your own to see where your gaps are. Emulate the tactics of well-known API security incidents of 2021 and 2022 to see whether similar business logic flaws exist in your APIs. Validate current API designs against API security best practices, checking whether authentication and authorisation controls are in place throughout the sequence of API calls for a given business function, for example. Launch attacks based on the OWASP API Security Top 10 list and see whether your WAF or API gateway can detect them.
Enable frictionless API security across all your application environments: With APIs being the foundation of all application development today, you can’t afford to leave some of your environments unprotected. You must be able to apply API discovery and runtime protection on applications running on-prem and in the cloud and on legacy apps, as well as your container and Kubernetes deployments. How you connect the API security tooling into your environments is also crucial – avoid inline deployments, agents, or the need to instrument code to keep your API security platform from being blamed for any application impact.
Tap the power of cloud-scale big data, AI, and ML to pinpoint the subtle probing of API attackers: Attackers must perform extensive reconnaissance to understand how each API works and identify vulnerabilities and gaps in business logic that can be exploited. You need to leverage the power of big data and automation to identify this reconnaissance activity over a prolonged time period and stop attackers before they reach their objective.
Don’t over-rotate on shift-left tactics: Shift-left and secure build pipeline approaches have their merits. But many API security gaps cannot be detected as part of code review – they can be detected only in runtime. Look for an API security platform that complements pipeline testing and analysis with robust runtime protection. Shift-left tactics take much longer to deliver value and ultimately offer limited value as they identify only a fraction of API security risk and leave your security teams dependent on developers to work through a backlog of vulnerability fixes. Get your APIs protected today with runtime security – then you can make hardening APIs over time a realistic goal.
Download the full report to better understand how your organisation’s API practices and priorities compare against the industry. Then come visit us at International Cyber Expo on the 27th - 28th September 2022 to speak further about our research and what steps you can take to protect your organisation. We’ll be at stand K42!