Malicious API traffic has increased 681 percent in the last year, set against a 321 percent increase in overall API traffic.
A new report from API security specialist Salt Security shows 95 percent of surveyed organizations have experienced an API security incident in the past 12 months.
But despite the dramatic increase in attacks and incidents, these organizations — all of whom are running production APIs — remain unprepared for API attacks, with 34 percent of respondents lacking any kind of API security strategy.
“To thrive today, every company must be a software company, and APIs reside at the heart of their application innovation. Digital businesses have emerged as the leaders of our modern economy, and at the same time, they’ve become the leading targets for bad actors,” says Roey Eliyahu, co-founder and CEO, Salt Security. “We’re seeing API attacks accelerating significantly year over year. Even more concerning, the pace of growth in API usage and attacks continues to outpace enterprise readiness and defenses. Organizations must invest the time and effort to understand the API attack landscape and the critical capabilities needed to protect their most vital assets.”
Perhaps not surprisingly, 62 percent of survey respondents acknowledge having slowed down the rollout of a new application because of API security concerns.
Security is the top API worry, with insufficient investment in pre-production security taking the top spot at 22 percent. Another 18 percent of respondents are concerned that the program doesn’t adequately address runtime or production security. Insufficient investment in fleshing out requirements and documentation is the leading concern for 19 percent of respondents.
When it comes to dealing with attacks, 34 percent have no strategy in place and 27 percent have just a basic strategy. Only 11 percent have an advanced strategy that includes dedicated API testing and protection.
There’s also a division over responsibility: more than half of survey respondents say the primary responsibility sits with developers, DevOps, or DevSecOps, while only 31 percent put the responsibility for API security onto AppSec or InfoSec teams.
You can find out more in the full report, which is available from the Salt Security site.