APIs are at the core of modern technology stacks, and power organizations’ digital operations. Facilitating seamless connections between customers and vital data and services, it is no surprise that API usage has, and continues to, accelerate. Given the amount of sensitive information transmitted through them, malicious actors have also taken a keen interest in APIs, devising new attack tactics to exploit them discreetly. API attacks have plagued organizations of all sizes in recent times, implicating some of the largest global brands such as Dell and T-Mobile. Attacks that have led to the theft of personable identifiable information (PII) of millions of customers.
The proliferation of generative AI (GenAI) technology also introduces another layer of complexity, enabling developers to create new APIs at scale within minutes. Organizations’ API ecosystems are growing exponentially, and security teams, as well as traditional protective solutions like API gateways and web application firewalls (WAFs) are ill equipped to keep pace with changing API dynamics. Generative AI also gives malicious actors a leg up, providing the means to launch more plausible attack campaigns in higher volumes and create entirely new AI-based attacks that can evade existing security parameters.
Our recent research report, the Salt Security State of API Security Report 2024, exposed many of the ongoing criticalchallenges that organizations face when trying to secure their API ecosystems. Most alarmingly, almost all (95%) of our survey respondents experienced security problems in production APIs within the past 12 months, with 23% suffering breaches due to API security inadequacies. This paints a clear picture – traditional API security controls and mechanisms are no match for protecting APIs, given their complexity, varying use cases and unique behavioral attributes. In addition, the steep rise in API usage contributes to this problem, with nearly two-thirds (66%) managing more than 100 APIs.
The research also uncovered that most API security programs remain predominantly immature, despite nearly half (46%) indicating that API security is a C-level discussion within their organization. Less than 10% of organizations have an advanced API security program, and over one-third (37%) of organizations with APIs running in production do not have an active API security strategy. While rising threat levels has forced organizations to expedite their API security efforts and adopt purpose-built solutions, an accompanying strategy is often an afterthought. This component is essential for ensuring APIs are protected across their complete lifecycle.
A successful API security strategy starts deep and continuous discovery to find all APIs within the ecosystem. This knowledge helps to establish a robust API security posture governance program that spans from initial design to deployment. API posture governance programs will help organizations gain complete assurance into their API landscape and acquire API asset intelligence. Intel which can then be leveraged to eliminate blind spots, and establish corporate-wide security standards and regulations across their entire API ecosystem. Posture governance provides the foundation for effective threat protection. API attacks are predominantly logic-based, so API behavioral anomaly detection is difficult and requires a substantial volume of data and cloud compute power to identify anomalous behavior accurately.
An API posture governance program provides organizations with the necessary context and API intelligence to establish and maintain a robust security baseline. This comprehensive understanding allows security teams to proactively identify and mitigate potential risks, ensuring that APIs adhere to established standards and best practices throughout their lifecycle. By continuously monitoring and assessing API configurations, and vulnerabilities, organizations can effectively reduce their attack surface and minimize the likelihood of a security incident.. While only 10% of organizations currently have an API posture governance strategy in place, according to our research, many organizations acknowledge its importance, and nearly half (47%) plan to implement such a strategy within the next 12 months.
Protecting APIs requires organizations to take this proactive approach. While implementing purpose-built solutions that can detect malicious actors and behavioral anomalies is crucial, it must also be accompanied with ongoing posture governance initiatives that improve overall API security posture. These initiatives will prevent cyber criminals from evading an organization’s perimeter in the first instance and create stronger, more compliant API ecosystems.