API attacker activity up 400 percent in six months
The latest State of API Security Report from Salt Security shows a 400 percent increase in unique attackers in the last six months.
In addition, around 80 percent of attacks happened over authenticated APIs. Not surprisingly, nearly half (48 percent) of respondents now say that API security has become a C-level discussion within their organization.
The report also reveals that 94 percent of survey respondents experienced security problems in production APIs in the past year, with 17 percent saying their organizations suffered a data breach as a result of security gaps in APIs.
"The rapid increase in attacks in addition to the data provided by our survey respondents reflect a growing understanding in the C-suite about the importance of purpose-built API security to reduce business risk," says Roey Eliyahu, co-founder and CEO, Salt Security. "Powered by APIs, ongoing digital transformation continues to deliver new business opportunities and competitive advantages. However, the cost of API breaches, such as those experienced recently at T-Mobile, Toyota, and Optus, put both new services and brand reputation, in addition to business operations, at risk. With bad actors continuing to find new and unexpected ways to attack APIs, organizations need to get serious about securing these critical assets."
More than half of respondents (59 percent) report they have had to slow the rollout of new applications because of API security concerns, while just 23 percent of respondents believe their existing security approaches are very effective at preventing API attacks.
When asked about the most concerning API security risks, 54 percent of respondents say outdated or 'zombie' APIs are a high concern, up from 42 percent in the last quarter. (Zombie, or outdated, APIs have been the number one concern in the past five surveys from Salt.) Account takeover (ATO) is a high concern for 43 percent, but only 20 percent cite shadow APIs as a top concern, even though it is likely that most environments are running APIs that are not documented. Indeed, only 18 percent of respondents say they are very confident that their API inventories provide enough detail about their APIs and the PII or sensitive data within.
You can get the full report on the Salt Security blog.