Attacks on APIs are more relentless than ever

Bad actors targeting internal and authenticated APIs.

  • 11 months ago Posted in

Salt Security has released the Salt Labs State of API Security Report, Q1 2023. This fifth edition of the report found that attackers have upped their activity, with Salt customer data showing a 400% increase in unique attackers in the last six months. In addition, about 80% of attacks happened over authenticated APIs. Not surprisingly, nearly half (48%) of respondents now state that API security has become a C-level discussion within their organisation. The report also revealed that 94% of survey respondents experienced security problems in production APIs in the past year, with 17% stating their organisations suffered a data breach as a result of security gaps in APIs. The findings from Salt Labs highlight why 2023 has been dubbed the “Year of API Security.”  

The State of API Security Report pulls from a combination of survey responses and empirical data from Salt customers. This year’s report provides the deepest insights yet, including “in the wild” API vulnerability research from Salt Labs that demonstrates how respondents’ top concerns in API security manifest in real-world scenarios. 

“The rapid increase in attacks in addition to the data provided by our survey respondents reflect a growing understanding in the C-suite about the importance of purpose-built API security to reduce business risk,” said Roey Eliyahu, co-founder and CEO, Salt Security. “Powered by APIs, ongoing digital transformation continues to deliver new business opportunities and competitive advantages. However, the cost of API breaches, such as those experienced recently at T-Mobile, Toyota, and Optus, put both new services and brand reputation, in addition to business operations, at risk. With bad actors continuing to find new and unexpected ways to attack APIs, organisations need to get serious about securing these critical assets.”

API security has emerged as a significant business issue, not just a security problem.

API security has become a critical business issue for survey respondents' organisations, as indicated by application rollout delays, heightened awareness of API security breaches, and a lack of confidence in existing API security approaches. Specifically:

More than half of respondents (59%) report they have had to slow the rollout of new applications because of API security concerns. 

Just 23% of respondents believe their existing security approaches are very effective at preventing API attacks.

48% of survey respondents say that API security has become a C-level discussion over the past year. That percentage runs even higher within heavily regulated industries, such as Technology (59%), Financial Services (56%), and Energy/utilities (55%). 

 

The top two most valued API security capabilities are to stop attacks and identify PII exposure. The ability to implement shift-left practices rated the lowest. 

Survey respondents cited the following as the most “highly important” API security capabilities:

44% cited the ability to stop attacks.

44% cited the ability to identify which APIs expose PII or sensitive data.

38% cited meeting compliance or regulatory requirements.

22% cited the ability to implement shift-left API security practices.

 

Attackers are more relentless than ever. 

Salt customer data shows that API attacks are on the rise and bad actors are targeting internal and authenticated APIs. Data from the Salt cloud shows:

78% of attacks come from seemingly legitimate users but are actually attackers who have maliciously achieved the proper authentication. 

8% of attack attempts are perpetrated against internal-facing APIs, typically left entirely unprotected. 

4,845 unique attackers operated in December 2022 – a 400% increase from just six months earlier. 

 

“Zombie” APIs followed by ATO top the list of API worries.

When asked about the most concerning API security risks: 

54% of respondents said outdated or "zombie" APIs are a high concern, up from 42% from last quarter. (Zombie, or outdated, APIs have been the #1 concern in the past five surveys from Salt, likely the result of increasingly fast-paced development as organisations seek to maximise the business value associated with APIs.)

43% stated account takeover (ATO) as a high concern. 

Only 20% cited shadow APIs as a top concern. Given API documentation challenges, it is likely most environments are running APIs that are not documented and that the risk in this area is likely higher than many respondents realise.

 

Most API security strategies remain immature.

The survey found that the vast majority of organisations still lack mature API security programs:

Only 12% of respondents consider their API security programs to be advanced and include dedicated API testing and runtime protection, up from 10% in Q3 2022.

30% of respondents have no current API security strategy, despite all respondents having production APIs in place. Of those, 25% say they’re in planning stages, while 5% say API security plans are non-existent.

 

Vulnerabilities discovered in the wild represent a critical concern. 

Companies large and small have many unknown security gaps. The report notes:

90% of investigations undertaken by Salt Labs uncover API security vulnerabilities, and 50% of those vulnerabilities discovered should be considered critical. 

41% of survey respondents stated that they had identified a vulnerability in their production APIs, a number that has fluctuated between 39% and 55% since the initial survey but a number that is most likely substantially higher in reality, according to Salt Labs.

 

Additional interesting findings from the State of API Security Report include:

Only 18% of respondents say they are very confident that their API inventories provide enough detail about their APIs and the PII or sensitive data within.

Organisations continue to update their API frequently –  37% of organisations update their APIs at least weekly, up from 32% in Q3 2022, and 9% update their primary APIs on a daily basis.

OAS and Swagger files are updated at least weekly in only 12% of organisations. 20% update documentation at no regular cadence, and 23% update it approximately every six months. These gaps reinforce the shortcomings of relying on shift-left practices for securing APIs.

Just about half the respondents (54%) say their security team highlights the OWASP API Security Top 10 in their security program, an unfortunate finding given that 66% of attempted attacks within the Salt customer base leveraged at least one of the ten methods on that list.

 

Implications for API security 

The survey results from the Q1 2023 State of API Security Report are clear. Respondents overwhelmingly stated that reliance on APIs is continuing to grow as APIs become ever more imperative to their organisations' success. At the same time, APIs are getting harder to protect as attacks increase and traditional tools and processes cannot stop them. Organisations must move beyond yesterday’s security practices and last-generation tools to a modern security strategy that addresses security at every stage of the API lifecycle and provides a broad range of protections that foster collaboration across teams. 

Joint customers achieving 70%+ cost savings and 100% success migrating from Oracle Java to Azul’s...
Snowflake report unearths Python as the programming language of choice for AI development, while...
Survey respondents confirm built-in security and compliance are delivered by self-service...
Companies are turning to specialized work groups, AI to encourage Java productivity.
Global study of CISOs, AppSec leaders and developers reveals that business pressures are a primary...
Eficode’s annual DevOps trends pinpoint key areas that will define the intersection of AI and...
Carefully managing Generative AI’s potential through DevOps and an increased focus on compliance...
Expanded solution brings cloud infrastructure, SaaS apps and externally exposed assets together for...