Salt Security has released the Salt Labs State of API Security Report, Q3 2021, which reveals challenges in addressing API security, with all Salt customers experiencing API attacks, security topping the list of API program concerns, and very few respondents feeling confident they can identify and stop API attacks. Salt customer data shows that over the past six months overall API traffic has increased 141%, while API attack traffic grew a staggering 348% in the same period.
The report findings illustrate the security consequences of the rapid growth in API use driven by digital transformation and IT modernization projects.
Organizations rely on APIs for a broad range of business-critical initiatives. This latest edition of the State of API Security Report found that 61% of survey respondents use APIs for platform or system integrations, 52% use them to drive digital transformation, and 47% use them to standardize or improve the efficiency of application and software development. These critical initiatives are suffering setbacks, however, with 64% of respondents delaying application rollouts as a result of API security concerns.
Among the potential concerns respondents might have about their API programs – from impact on application delivery to documentation to pre-production security to testing – security topped the list. Worries over a lack of pre-production security were the leading response (26%), followed closely by concerns about the program not adequately addressing runtime security (20%). The next closest area of concern hit considerably lower on the list – not driving enough observability and control (14%).
“Developers write APIs, so they should be responsible for securing APIs.” This perspective actually increases organizational risk. More than half of survey respondents put responsibility for API security on the API team, developers, and DevOps teams – at the same time, 94% of respondents have experienced an API security incident in the past 12 months. No one writes perfect code, and most need to see APIs in action at runtime to spot business logic flaws. Remediation insights that help developers improve APIs are crucial, but they’re not the full answer.
Nearly half of respondents are trying to identify API attackers via their WAF or API gateway, and 12% admit they have no way to identify an API attacker.
Every organization in this latest survey has dozens of APIs in production, but only 38% have more than a basic security strategy for their API program. More than a quarter have no strategy at all. What’s keeping these organizations from crafting a robust plan? A lack of resources/people (30%) and budget constraints (24%) are the top limiting factors.
Findings from the report also highlight that approaches to API security are changing as collaboration between security and DevOps teams increases. One-third of respondents cited security as a primary reason for partnering with their peers, and only 9% saw no change in how security teams are conducting their work around API security requirements.
When survey respondents were asked how API security is changing the way security professionals do their jobs, the majority was split, with 34% agreeing that security must collaborate more with DevOps teams and 34% noting that security engineers are getting embedded within DevOps teams.