Salt Security Survey Surfaces API Security Weaknesses

A survey of more than 250 security, application and DevOps executives and professionals published today by Salt Security found 95% of respondents experienced a security incident involving application programming interfaces (APIs) in the last 12 months, with 62% reporting they slowed down the rollout of an application because of API security concerns.

At the same time, Salt Security revealed that malicious API traffic, discovered via its API security platform, increased 681% in the last 12 months. According to the company, a total of 12% of Salt Security customers are now seeing, on average, more than 500 attacks every month. A full 96% of exploits within the Salt Security customer base are targeted at authenticated APIs.

Despite that level of activity, however, more than a third of the survey respondents (34%) admitted they didn’t have an API security strategy in place. Just over a quarter (27%) have a basic strategy, while only 11% have an advanced strategy that included dedicated API testing and protection, the survey found.

A full 86% of respondents lacked the confidence that they know which APIs expose sensitive data, while 85% of respondents noted that their current tools are ineffective in stopping API attacks. An equal number of respondents said they lacked full confidence in their API inventory.

The risk of “zombie” or outdated APIs tops the list of API security concerns (43%) followed by account takeover (22%). The survey also found lack of expertise or resources (35%) and budget constraints (20%) are the top obstacles for implementing an optimal API security strategy.

Overall, the survey found stopping API attacks was the most important capability sought in an API security platform (42%), while identifying which APIs exposed personally identifiable information (PII) and sensitive data was a close second (41%), followed by the ability to harden APIs over time (38%) and meeting compliance or regulatory requirements (36%).

Michelle McLean, vice president of marketing for Salt Security, said that while security teams are still largely responsible for protecting APIs there is a clear need for more collaboration with the application development teams to make sure all the APIs being used are truly secure.

Unfortunately, more than half of survey respondents said the primary responsibility resided with developers, DevOps or DevSecOps. Only 31% of respondents said the responsibility for API security lies with application or information security teams. The issue that creates is that most developers lack the cybersecurity expertise required to secure the APIs they develop. It’s much more effective for security teams to protect APIs at runtime using platforms specifically designed for that purpose, she noted.

On the plus side, the survey found more than a third of respondents (34%) said that security teams collaborate more with DevOps as a result of the need to address API security and another 30% stated that DevOps sought input from security teams to shape API guidelines. Another 25% are embedding security engineers within DevOps teams in response to the challenge. The survey also found that more security teams (61%) are now highlighting the OWASP API Top 10 list of threats, an increase of 11% compared to a previous survey Salt Security conducted six months ago.

Overall, security, at 40%, is the top concern organizations have when it comes to their API strategy. Specific challenges included insufficient investment in pre-production security (22%) and lack of runtime or production security (18%).

The level of API security attained and maintained, however, varies widely. The fact that more than half of respondents (55%) are relying on alerts from gateways, followed by 45% using log file analysis and 37% using web application firewalls (WAFs) to identify attackers showed the gap in capabilities.

The survey suggested that keeping pace with the rate of change in APIs—thanks to, for example, increased reliance on microservices-based applications to drive digital business transformation initiatives—is only going to make securing APIs more challenging. Just under a third (31%) of respondents updated their APIs weekly and only 9% updated APIs every day.

Salt Security’s McLean said that despite all the hype around shifting responsibility for application security further left toward developers, as a practical matter, it will be security teams that will mainly rise to the challenge. The issue is not so much how to teach security best practices to developers as much as it is finding a way to secure external and internal APIs that are being deployed today, she noted.

There’s no doubt that cybercriminals are taking a lot more interest in APIs as a way to surreptitiously exfiltrate data. The challenge is finding a way to prevent these attacks from doing irreparable harm sooner rather than later.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.