The latest State of API Security Report by Salt Security has highlighted the ongoing challenges faced by organisations in securing their application programming interfaces (APIs). The Salt Labs State of API Security Report Q1 2025 draws on survey responses from over 200 IT and security professionals, alongside anonymised data from Salt Security’s customer base, to provide a detailed overview of the current API security landscape.
The report reveals that API security remains a significant concern, with 99% of respondents reporting that they encountered security issues within the past year. Furthermore, 55% of organisations have experienced delays in application rollouts due to API security worries. Analysis of the most common security challenges in live APIs identified vulnerabilities such as injection attacks and Broken Object-Level Authorization (BOLA) as the leading issue (37%), followed by sensitive data exposure (34%) and authentication weaknesses (29%).
The increasing use of generative AI (GenAI) has compounded these challenges. 47% of respondents expressed concerns about securing AI-generated code, while 40% cited potential vulnerabilities introduced by such code as a key risk. Notably, only 11% of respondents dismissed GenAI applications as a growing security concern within their organisations.
Salt Labs’ analysis of customer API traffic indicated that 95% of API attacks originated from authenticated sources, suggesting that traditional authentication-centric security measures are no longer sufficient. Additionally, 98% of attack attempts targeted external-facing APIs, confirming that publicly accessible APIs remain the primary target for malicious actors.
The report emphasises the importance of API posture governance strategies, which involve establishing and deploying consistent security standards across an organisation’s API ecosystem. However, only 10% of organisations currently have such a strategy in place. Encouragingly, 43% plan to implement one within the next 12 months, reflecting a growing awareness of the need for proactive security measures.
Despite 69% of organisations increasing their API security budgets by over 5%, the overall maturity of API security strategies remains low. 59% of respondents are still in the planning or basic stages, with only 6% reporting advanced programmes. Budget constraints, resource limitations, and inadequate tooling were cited as key obstacles to progress.
Analysis of attack techniques revealed that 80% of attack attempts align with the OWASP API Security Top 10 list. Specifically, security misconfigurations (API8) accounted for 54% of attacks, while broken object-level authorisation (BOLA, API1) represented 27%.
The report also highlighted the rapid growth in API adoption, with 30% of organisations reporting a 51-100% increase in the number of APIs they manage over the past year, and 25% experiencing growth exceeding 100%. 43% of organisations now manage up to 100 APIs, while 34% oversee between 101 and 500 APIs daily.
To mitigate GenAI risks, organisations are implementing various strategies, including developer training (56%), specialised AI security tools (37%), and code reviews and security testing (40%).
Measuring the return on investment (ROI) of API security is crucial for aligning security initiatives with organisational goals. 37% of organisations evaluate improvements in compliance posture, 25% measure cost savings from preventing breaches, and 16% track reductions in API-related security incidents.
Finally, the report exposed significant gaps in API monitoring and inventory management. Only 15% of respondents expressed strong confidence in the accuracy of their API inventories, while 34% admitted a lack of visibility into sensitive data exposure through APIs. Worryingly, only 20% have measures in place for continuous API monitoring.