API security professionals at Salt Security have revealed the findings of their latest Salt Labs State of API Security Report, 2024. The research, which analysed survey responses from 250 IT and security professionals, combined with anonymised empirical data from Salt customers, highlights a lack of API security maturity and posture governance across organisations, leading to a rise in API security incidents and attack traffic.
The research found that almost all (95%) survey respondents experienced security problems in production APIs, with 23% suffering breaches as a result of API security inadequacies. The volume of APIs within organisations is also accelerating: Salt customer data shows a 167% increase in API counts over the past 12 months, and nearly two-thirds (66%) of survey respondents indicate that they are managing more than 100 APIs. With increased API usage comes an expanded API attack surface, and malicious activity is on the rise.
The number of organisations experiencing an attack more than doubled in just a year, jumping from 17% in 2023 to 37% in 2024. Attackers are employing various methods against APIs, with a surprising 61% of attacks bypassing authentication altogether. Even internal APIs are not safe, as 13% of incidents targeted them specifically. These findings highlight the urgent need for stronger API security measures. Despite this, the research found that only 58% of organisations have processes in place to discover APIs across their infrastructure.
The 2024 report also highlights the ongoing lack of API security maturity. Only 7.5% of organisations consider their API security programmes to be ‘advanced’, and, alarmingly, over one-third (37%) of respondents who have APIs running in production do not have an active API security strategy in place. Despite this, nearly half (46%) of respondents stated that API security is a C-level discussion within their organisation.
According to the research, API posture governance strategies, which provide a structured framework for managing and securing the entire API ecosystem from design to deployment, also remain a relatively new phenomenon. Only 10% of organisations currently have an API posture governance strategy in place. However, realising its critical importance, almost half (47%) plan to implement such a strategy within the next 12 months.
Zombie APIs, outdated and forgotten parts of software systems that remain exposed, also present a major worry for organisations, with 70% of respondents rating them a high concern, a significant increase from 54% in 2023. This surpasses even traditional security threats such as account takeover and denial-of-service attacks, making zombie APIs a top security risk.
Fast-paced API updates are also outpacing traditional documentation methods. With over a third (38%) of organisations updating APIs weekly and 13% daily, keeping documentation accurate is a struggle. This rapid change, fuelled by AI-generated APIs, leaves most organisations (88%) unsure of their complete API inventory, raising concerns about overall security posture. Despite these concerns, traditional protection remains inadequate.
Roey Eliyahu, co-founder and CEO, Salt Security, said: “The volume of APIs within organizations is showing no sign of decline, and security teams are struggling to keep pace with the sheer breadth and depth of modern API ecosystems. As illustrated by the findings of our research, attackers are continuing to take advantage of this, leveraging weak spots within APIs to execute malicious attacks and gain access to company and customer data. With bad actors constantly refining their tactics to discreetly launch API attacks, often through legitimate means, it requires organizations to take a more sophisticated approach to securing APIs: one that encompasses strong API discovery capabilities, a posture governance strategy, and the ability to quickly and efficiently detect active threats and malicious API traffic.”