A lack of visibility and management capabilities of APIs is putting enterprises at risk of severe attacks.
Salt Security found more clients than ever were struggling to deal with upstream attacks and management challenges associated with developer access to APIs, according to a new report from the applications security vendor.
In its 2024 State of API Security Report, 29% of respondents said their companies do not properly flesh out their API requirements and documentation, and 25% believe their company's APIs do not provide adequate security documentation.
“This lack of visibility into the full API ecosystem creates significant security blind spots and makes it difficult to identify and address vulnerabilities,” Salt Security said in its report.
“This incomplete API inventory provides immense challenges to providing posture governance strategies across all APIs.”
Attacks on APIs are particularly severe because a single compromise can result in a supply chain attack that leaves multiple downstream clients vulnerable to further attacks and network breaches.
As a result, the companies surveyed had little confidence in their security protections and a number blamed APIs for their network breaches.
Of the 250 IT and security professionals surveyed, 23% said they experienced a data breach as a result of vulnerabilities in production APIs, and a further 38% said they experienced some type of data exposure as the result of an API breach.
“API security incidents have more than doubled in the past year due to the rapid increase in API usage, creating a vast and expanding attack surface for malicious actors to exploit,” Salt Labs claimed.
The report comes from an admittedly small set of respondents, but suggested that the ability to check and secure APIs remained a major concern for developers and enterprises.
Still, the security vendor believed that the findings point to a major shift in security focus towards developer and API security as companies look to get away from upstream attacks and supply chain compromises.
“While the security landscape is in a state of flux, some things remain the same — outdated or ‘zombie’ APIs are the most critical concern for survey respondents, following the trend of last year’s report,” the company said.
“However, now account takeover/misuse is also high ranked with 46% of respondents claiming it to be a main concern.”
