Application programming interface (API) security firm Salt Security released the “Salt Labs State of API Security Report, Q3 2021.” This edition – which was compiled six months after its inaugural report – revealed a series of “significant” challenges in addressing API security. Of note, all Salt customers experienced application program interface attacks, with security topping the list of top API program concerns and “few” confident they can identify and stop an API strike.
Salt’s data showed a 141 percent uptick in API traffic, while attack traffic increased 348 percent over the same period, with an average of 12.22 million attack calls per month (June 2021).
Meanwhile, organizations tended to use APIs over the year for: platform or system integration (61 percent), digital transformation (52 percent), and standardizing or improving app and software development efficiency (47 percent). More troublingly, 64 percent of those surveyed delayed an application rollout due to API security concerns. Top causes for such distress included: lack of pre-production security (26 percent), inadequately addressed runtime security (20 percent) and not driving enough observability and control (14 percent).
Still, security remains the leading concern in API programs, with nearly 50 percent attempting to identify API attackers via a web application firewall or API gateway, and an additional 12 percent admitting they have “no way” to identify such an attack. More troublingly, 62 percent of companies have either no strategy or a basic program in place concerning API security.
Only 39 percent of organizations – which listed “dozens” of APIs in production – have more than a “basic” security strategy for their API program, with over 25 percent having none whatsoever. Top excuses included lack of resources and personnel (30 percent) and budget constraints (24 percent).
Additional statistics included:
- “Zombie APIs” listed as top concern for 40 percent of respondents, tripling those worried about account takeover.
- 85 percent doubting API inventory completeness and lacking confidence as to which APIs expose sensitive data.
- 55 percent citing runtime protection as a top priority.
The report also highlighted changes to approaches to API security, with 33 percent citing security as a primary reason for partnering with peers and 9 percent seeing no change in how security teams conduct their work around API security requirements. Regarding how API security is creating change in security practices, 34 percent pointed to the need to collaborate more with DevOps teams, and an additional 34 percent noted that security engineers are getting embedded within DevOps teams.
Data was collected from 200 security, application and DevOps professionals, as well as anonymized and aggregated empirical data from Salt Security customers, obtained via Salt’s API Protection Platform.