API attacks increased 681% in the last 12 months, says Salt Security

London, UK. 2 March 2022 – Salt Security, the API security company, released the Salt Labs State of API Security Report, Q1 2022. In its latest version, the bi-annual report found that 95% of surveyed organisations have experienced an API security incident in the past 12 months.

Despite the dramatic increase in attacks and incidents, these organisations, all of whom are running production APIs, remain unprepared for API attacks, with 34% of respondents lacking any kind of API security strategy. This lack of defence presents significant business risk to enterprises in the form of slowed business innovation, compromised consumer confidence, and disruption to modernisation efforts.

The State of API Security Report pulls from a combination of survey responses and empirical data from the Salt SaaS cloud platform. Attempted attacks against Salt customers, blocked by our platform, grew steeply malicious API traffic increased 681% compared to a 321% increase in overall API traffic. Understandably, 62% of survey respondents acknowledged slowing down the rollout of a new application because of API security concerns.

“To thrive today, every company must be a software company, and APIs reside at the heart of their application innovation. Digital businesses have emerged as the leaders of our modern economy, and at the same time, they’ve become the leading targets for bad actors,” says Roey Eliyahu, co-founder and CEO, Salt Security. “We’re seeing API attacks accelerating significantly year over year. Even more concerning, the pace of growth in API usage and attacks continues to outpace enterprise readiness and defences. Organisations must invest the time and effort to understand the API attack landscape and the critical capabilities needed to protect their most vital assets.”

With nearly every survey respondent (95%) identifying an API security incident in their production APIs, the need to devise a robust API security strategy is urgent. Salt customers also experienced increasing frequency in attacks, with 12% enduring an average of more than 500 attacks every month.

“APIs present an attractive attack vector, despite organisations’ best efforts to validate APIs before releasing them into production,” says Michael Isbitski, technical evangelist, Salt Security. “Given the inability of traditional security and API management platforms to protect against sophisticated attacks that target the unique business logic of APIs, it’s no surprise that attackers continue to be successful, keeping enterprises at risk.” 

Security concerns top the list of worries about API strategies, at 40%

Survey respondents have a variety of concerns about their companies’ API programmes, with 40% citing security as their leading worry. Insufficient investment in pre-production security takes the top spot, at 22%, and another 18% of respondents are concerned that the programme doesn’t adequately address runtime or production security. Insufficient investment in fleshing out requirements and documentation is the leading concern for 19% of respondents.

Most enterprises are unprepared for an API attack

Highly publicised security incidents and pleas from security professionals to implement API security protections have not been enough to drive the majority of organisations to adopt effective API security strategies. Among survey respondents, 34% have no strategy in place, and slightly more than a quarter (27%) have just a basic strategy. Only 11% have an advanced strategy that includes dedicated API testing and protection.

Findings also support the notion that budget and skills gaps play a role in this lack of preparedness. Lack of expertise or resources (35%) and budget constraints (20%) are the top obstacles for implementing an optimal API security strategy. 

An overreliance on “shift left” practices continues to fail the enterprise

With runtime protection being fundamental to effective API protection and 95% of respondents having experienced an API security incident within the last year, “shift left” tactics for API security are proving inadequate. This issue is magnified as IT teams continue to be divided over “ownership” of API security. More than half of survey respondents say the primary responsibility sits with developers, DevOps, or DevSecOps. Only 31% of respondents put the responsibility of API security onto AppSec or InfoSec teams.

WAFs and API gateways continue to miss API attacks

Reliance on traditional security and API management tools, such as web application firewalls (WAFs) and API gateways, has left many organisations with a false sense of security. With 95% of respondents having experienced an API security incident in the last year, the fact that 55% are relying on alerts from gateways and 37% are using WAFs to identify attackers shows the gap in capabilities. Reliance on log file analysis (45%) for API security is similarly ineffective by the time log files are parsed through, attackers are long gone with the valuable data and payloads they sought.

Stopping API attacks remains top criterion for an API security platform

For the third time in a row, more respondents (42%) cited stopping API attacks as the most important capability they seek in an API security platform. Identifying which APIs expose personal identifiable information (PII) and sensitive data follows as a close second (41%). The ability to harden APIs over time came in third (38%), and meeting compliance or regulatory requirements came in fourth (36%).

Additional findings from the State of API Security Report:

  • The risk of “zombie” or outdated APIs tops the list of API security concerns, with 43% of respondents citing it as their top worry. Account takeover came in second, with 22% focused on that risk as their biggest concern.
  • API changes are on the rise – 9% of respondents update their APIs every day, 31% do so weekly, and 24% update less often than every month.
  • 94% of exploits within the Salt customer base happen against authenticated APIs.
  • 86% of respondents lack the confidence that they know which APIs expose sensitive data.
  • 85% of respondents noted that their current tools are ineffective in stopping API attacks.
  • 83% of respondents lack full confidence in their API inventory.

API security is improving how security teams work

Although organisations are highly disparate in their perspective on who should bear responsibility for API security, collaboration and shared input between Security and DevOps teams are rising. More than a third of respondents (34%) say that security teams collaborate more with DevOps as a result of addressing API security, and another 30% state that DevOps seeks input from security teams to shape API guidelines. Another 25% of organisations are embedding security engineers within DevOps teams in response to the challenge. The survey also found that more security teams are highlighting the OWASP API Top 10 list of threats 61% in this report vs. 50% six months ago, a positive change for improving API security practices across an organisation. 

The State of API Security Report, Q1 2022 was compiled by researchers from Salt Labs, the research division of Salt Security, utilising survey data from more than 250 security, application and DevOps executives and professionals in addition to anonymised and aggregated empirical data from Salt Security customers obtained through the Salt Security API Protection Platform.

As part of its ongoing commitment to education, Salt Security will host the API Security Summit on March 3, 2022, to equip the community to better address growing API security challenges. To register, click here. To learn more about Salt Security or to request a demo, please visit here.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

RECENT ARTICLES
5th Edition Connected Africa announces Telecom Innovation & Excellence Awards 2024 banner

5th Edition Connected Africa announces Telecom Innovation & Excellence Awards 2024

Posted on: April 19, 2024

The International Center for Strategic Alliances (ICSA) has announced the 5th Edition Connected Africa- Telecom Innovation & Excellence Awards 2024, set to be held on 22 May 2024 in Johannesburg, South Africa. Under the theme “Building a Connected Global Economy,” the summit aims to influence the telecom in Africa. With a focus on fostering forward-thinking

Read more
local retailer taking care his business

Facilio launches refrigerant tracking and leak detection software

Posted on: April 19, 2024

Property operations software firm Facilio has announced the launch of its ready-to-deploy refrigerant tracking and leak detection software solution. This is meant for all grocery and convenience store operators who want to implement an automatic leak detection system to identify and mitigate potential refrigerant leaks to achieve 100% compliance.

Read more
FEATURED IoT STORIES
What is IoT answer

What is IoT? A Beginner’s Guide

Posted on: April 5, 2023

What is IoT? IoT, or the Internet of Things, refers to the connection of everyday objects, or “things,” to the internet, allowing them to collect, transmit, and share data. This interconnected network of devices transforms previously “dumb” objects, such as toasters or security cameras, into smart devices that can interact with each other and their

Read more
iot adoption

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more
IoT Now Enterprise Buyers’ Guide Which IoT Platform 2021

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more
CAT-M1 vs NB-IoT

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more
internet of things isometric illustration of connected things

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
iot challenges and issues

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more