Cybersecurity company Salt Security has put together a new report centered around the security of APIs, which help back most of the apps used throughout the day.
Experts have long worried about the security risks associated with the widespread use of APIs, with Gartner writing in a report that by 2022, API abuse will become the most common attack seen by security teams. In a 2019 study, Gartner found that 40% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the user interface and predicted that the figure would rise to 90% by 2021.
Salt Security’s “The State of API Security – Q1 2021” confirms many of those fears, finding that of the nearly 200 enterprise security officials surveyed, 91% experienced an API security incident last year.
Within Salt’s own customer data, researchers found that 56% of customers faced between 10 and 55 attacks per month while 22% dealt with anywhere between 51 and 200 attacks each month.
“In today’s digital economy, APIs are the direct gateway to organizations’ most critical data and assets. Built to enable customers and partners, these APIs create risk by also providing a path for attackers to follow,” said Roey Eliyahu, CEO and co-founder of Salt Security.
“As APIs have grown in volume and functionality, they’ve made ever more attractive targets for hackers, driving up the number and sophistication of API attacks.”
The study features insights gleaned from a survey of about 200 CIOs or people involved in cybersecurity and DevOps as well as anonymized data from Salt Security’s customers.
In general, Salt found that last year, overall per-customer average monthly API call volume grew from 272 million calls per month to 410 million by the end of 2020, mostly through some combination of new functions in existing APIs, new API endpoints, and new APIs.
But with that increase in calls came a corresponding rise in malicious traffic targeted at APIs, with Salt Security measuring a 211% increase in malicious traffic in 2020. Though still a small share of the total, malicious requests grew from 0.45% of all customers’ API traffic to 1.40%.
“The vast majority of organizations are experiencing API security problems, few have the tools needed to cope, and most have had to delay innovation as a result,” Salt Security’s researchers wrote in the study.
A lack of security strategy
Alarmingly, the survey found that more than 25% of organizations running production APIs have no API security strategy at all.
These production APIs were of particular concern considering more than half of all respondents found a vulnerability in them specifically, and the report notes that these kinds of security gaps are often left unaddressed until an attacker exploits them to exfiltrate data or misuse accounts.
API security concerns have also been a reason why organizations have delayed the deployment of new applications, according to 66% of respondents. API security is the main concern for almost half of all respondents.
Over the last 12 months, 54% of respondents said they have found vulnerabilities in production APIs and another 48% said they had authentication problems. Others cited issues with bots, scraping, and denial of service.
The study notes that all customers of the security company have seen attacks that were able to get past WAFs and API gateways, yet more than half of the respondents in the survey said they use alerts from WAFs or API gateways to identify API attacks.
Almost 60% of respondents also said they use log files to identify attacks, but a tenth of respondents said they had no way to identify any API attacks. Nearly 80% classified their current API attack identification systems as only “somewhat effective.”
“The bad news is that such a high percentage of respondents running production APIs lack any kind of API security strategy,” researchers wrote in the study. “The good news is that two-thirds of respondents say their security teams have a focus on the OWASP API Security Top 10 threats. The conundrum is how so many organizations haven’t translated that OWASP API Top 10 focus into an API security strategy.”
Issues with inventories and “zombie” APIs
Organizations are also having issues creating inventories of their APIs, according to the study. The report said API documentation is often missing, incomplete, or inaccurate and found that 83% of respondents “lack confidence in their API inventory.” Among Salt Security’s customers, it was common to find eight times the number of APIs that the enterprise had on record.
Postman and Swagger were the most popular mechanisms used to inventory APIs, with 42% of respondents saying they used Postman while 41% used Swagger. Another 28% said they used the OpenAPI Generator.
Due to the concerns expressed about API inventories, there was a corresponding fear of outdated and “zombie” APIs. Almost 60% cited this as a risk related to API security that they were concerned about in addition to fears of account takeovers or misuse.
More than 60% of respondents said the capability they value most in a tool is the ability to identify which APIs expose personally identifiable information; the second most sought-after capability was the ability to stop attacks outright.
Almost 85% of professionals who responded to the survey said they lacked confidence in knowing which APIs exposed personally identifiable information.
“Nearly a quarter of organizations admit they have no way to know which APIs expose PII – a direct result of an incomplete API inventory and inaccurate documentation. The majority of organizations depend on developer-created documentation and/or API gateways to understand PII exposure and clearly lack confidence that these approaches are complete and provide enough details,” the study said.
“Most organizations with API gateways have multiple platforms, often from a mix of providers, and no consolidated API management, making it difficult to gain a definitive view of all production APIs.”
Salt Security’s exploration of its customers found that 91% of APIs expose some kind of sensitive data, ranging from basic account information to personally identifiable information. In the survey, 22% said they had no idea which APIs exposed personally identifiable information and 57% said they rely on documentation that comes from developers.
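The inventory and PII-exposure gaps described above can be checked mechanically when an organization does keep an OpenAPI document. The following script is an added example, not code from Salt Security, TechRepublic or the report: it assumes the inventory is an OpenAPI 3 document (the OPENAPI_DOC dictionary, constructed here) and that the API gateway writes one "METHOD path status" line per request (ACCESS_LOG, also constructed). It flags documented endpoints whose response schemas carry PII-looking field names, endpoints seen in traffic that the inventory does not know about (shadow APIs), and documented endpoints that carried no traffic at all (zombie candidates). The PII field-name pattern is a heuristic chosen for this example.

```python
import re
from collections import Counter

# Constructed OpenAPI 3 document standing in for an enterprise's API inventory.
OPENAPI_DOC = {
    "openapi": "3.0.0",
    "paths": {
        "/users/{id}": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/orders": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "array", "items": {"$ref": "#/components/schemas/Order"}}}}}}}},
        "/health": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "object", "properties": {"status": {"type": "string"}}}}}}}}},
        "/v1/legacy/export": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/User"}}}}}}},
    },
    "components": {"schemas": {
        "User": {"type": "object", "properties": {
            "id": {"type": "integer"},
            "email": {"type": "string"},
            "phone_number": {"type": "string"},
            "address": {"$ref": "#/components/schemas/Address"}}},
        "Address": {"type": "object", "properties": {
            "street": {"type": "string"}, "postal_code": {"type": "string"}}},
        "Order": {"type": "object", "properties": {
            "order_id": {"type": "integer"}, "total": {"type": "number"}}},
    }},
}

# Constructed gateway access log: "METHOD path status", one request per line.
ACCESS_LOG = """\
GET /users/42 200
GET /users/7 200
GET /orders 200
GET /health 200
GET /internal/debug/users 200
POST /users/42/reset-password 200
GET /health 200
"""

# Heuristic: property names that usually carry personal data (assumption for this example).
PII_NAME = re.compile(
    r"email|phone|ssn|social_security|birth|dob|passport|street|postal|address|first_name|last_name",
    re.I)


def _resolve(schema, components):
    """Follow local $ref pointers to the schema they name."""
    while "$ref" in schema:
        schema = components["schemas"][schema["$ref"].rsplit("/", 1)[-1]]
    return schema


def pii_fields(schema, components, prefix=""):
    """Recursively collect dotted property paths whose names look like PII."""
    schema = _resolve(schema, components)
    if schema.get("type") == "array" and "items" in schema:
        return pii_fields(schema["items"], components, prefix + "[]")
    found = []
    for name, sub in schema.get("properties", {}).items():
        full = f"{prefix}.{name}" if prefix else name
        if PII_NAME.search(name):
            found.append(full)
        found.extend(pii_fields(sub, components, full))
    return found


def documented_endpoints(spec):
    """All (METHOD, path-template) pairs the inventory knows about."""
    return {(m.upper(), p) for p, ops in spec["paths"].items() for m in ops}


def endpoints_exposing_pii(spec):
    """Map each documented endpoint to the PII fields its 200 response carries."""
    result = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            content = op.get("responses", {}).get("200", {}).get("content", {})
            fields = [f for media in content.values()
                      for f in pii_fields(media["schema"], spec["components"])]
            if fields:
                result[(method.upper(), path)] = sorted(set(fields))
    return result


def _template_regex(template):
    """Turn /users/{id} into a regex that matches concrete paths such as /users/42."""
    parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "$")


def match_template(method, path, spec):
    """Return the documented (METHOD, template) a request matches, or None."""
    for m, template in documented_endpoints(spec):
        if m == method and _template_regex(template).match(path):
            return (m, template)
    return None


def parse_log(log_text):
    """Yield (METHOD, path) from the constructed log format, dropping query strings."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0].upper(), parts[1].split("?", 1)[0]


def reconcile(spec, log_text):
    """Return (shadow, zombie): traffic with no inventory entry, and inventory entries with no traffic."""
    seen, shadow = Counter(), Counter()
    for method, path in parse_log(log_text):
        hit = match_template(method, path, spec)
        if hit:
            seen[hit] += 1
        else:
            shadow[(method, path)] += 1
    zombie = sorted(documented_endpoints(spec) - set(seen))
    return sorted(shadow), zombie


if __name__ == "__main__":
    for endpoint, fields in endpoints_exposing_pii(OPENAPI_DOC).items():
        print("PII exposure", endpoint, fields)
    shadow, zombie = reconcile(OPENAPI_DOC, ACCESS_LOG)
    print("shadow (undocumented) endpoints:", shadow)
    print("zombie (documented, no traffic) endpoints:", zombie)
```

Run against a real spec and gateway log, the interesting output is the two lists that the survey respondents said they struggle to produce: the undocumented endpoints that will never show up in a documentation-driven PII review, and the documented endpoints nobody calls any more but that still return personal data.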
When asked who is responsible for monitoring the security of APIs, 25% said it was the job of developers at the enterprise, while 21% said it was under the control of the DevSecOps team and 14% said they had an API team.
“We compiled the industry’s first State of API Security Report to better understand the enterprise experience of APIs today,” Eliyahu added. “The study makes clear that companies’ current approaches for securing APIs have gaps that leave them at risk. It also highlights how organizations need new approaches to API security if they are to continue innovating safely and remain competitive.”