Digital transformation projects appear to be accelerating faster than organizations’ efforts to secure them, with nearly a quarter (23%) admitting they suffered a breach via production APIs last year, according to Salt Security.
The security vendor polled 250 respondents across a range of job responsibilities, industries and company sizes globally to compile its State of API Security Report, 2024.
Aside from breaches, almost all (95%) respondents claimed to have encountered API security problems over the previous 12 months, including vulnerabilities (37%), sensitive data exposure (38%), authentication problems (38%), denial of service (21%) and account misuse (24%).
Part of the problem appears to be the rate at which APIs are increasing in these organizations.
The report revealed a 167% increase in API counts over the past 12 months, with two-thirds (66%) of respondents claiming to manage more than 100. Yet they are not stepping up security to manage this expanding attack surface.
Only 8% of responding companies consider their API security strategy to be “advanced” and nearly two-fifths (37%) don’t have one in place at all. Just 58% have processes in place to discover all the APIs in their environment. That’s despite nearly half (46%) claiming that API security is a C-level discussion within their organization.
“Attackers are continuing to take advantage of this, leveraging weak spots within APIs to execute malicious attacks and gain access to company and customer data,” argued Roey Eliyahu, co-founder and CEO, Salt Security.
“With bad actors constantly refining their tactics to discreetly launch API attacks, often through legitimate means, it requires organizations to take a more sophisticated approach to securing APIs. One that encompasses strong API discovery capabilities, a posture governance strategy, and the ability to quickly and efficiently detect active threats and malicious API traffic.”
Just a fifth (21%) of respondents claimed their current API security approaches – like web app firewalls and API gateways – are effective in protecting against attacks. Some 70% highlighted “zombie” APIs as a great or strong concern, up from 54% in 2023.