Salt Security Report Exposes API Security Problems Vyom Srivastava June 20, 2023 The State of API Security Report Q1 2023, released by Salt Security earlier this year, provides an in-depth look at the current state of API security and the steps organizations should take to protect their API infrastructure. In this blog post, we’ll take a comprehensive look at the report’s findings and explore the key topics it covers, including the prevalence of API security vulnerabilities, the various attack vectors, and recommendations for improving API security. Summary of the State of API Security in 2023 The report revealed that 94% of respondents experienced security problems in production APIs over the past year, with 17% having experienced an API-related breach. Attackers have upped their pace with a 400% increase in unique attackers over the same period six months ago. Furthermore, 78% of attacks come from seemingly legitimate users but are actually attackers who have maliciously achieved the proper authentication. 8% of attacks are perpetrated against internal APIs. It is not just hackers that organizations need to worry about, however. 59% of survey respondents have experienced application rollout delays due to security issues identified in APIs, and 48% say that API security is now a C-level discussion. These findings demonstrate the importance of having robust API security strategies in place. Organizations must assess their current risk level and ensure they enable frictionless API security across all their application environments while focusing on robust runtime security and not over-relying on shift-left tactics. The Salt Security Report 2023 is an in-depth look into the current state of API security. According to the survey results, 41% of respondents stated they had experienced API vulnerabilities, yet the research by Salt Labs suggests that this number is severely underestimated. Their investigations found that API security vulnerabilities are present 90% of the time, with 50% considered critical. Organizations primarily rely on traditional approaches to API security, such as WAFs, API gateways, and analyzing log files. Yet, only 23% find these methods to be very effective. This could explain why only 12% of respondents believe their API security programs are advanced, and 30% say they are either nonexistent or in planning. The report also reveals that only 19% of respondents were very confident that they have a complete API inventory. Additionally, 37% of organizations update their APIs at least weekly, and only 18% are very confident they understand which APIs expose PII data. Overall, the findings show that APIs are at the core of every modern application, and attackers continue their efforts at unprecedented rates. Organizations must get serious about securing their APIs to ensure they are not vulnerable to exploitation. Recommendations and Conclusions The Q1 2023 State of API Security survey results show that reliance on APIs is continuing to grow, and current tools and processes can’t keep pace with new attack trends. To ensure the security of APIs, organizations should move to a modern security strategy that addresses security at every stage of the API lifecycle. When building a more robust and manageable API security program, organizations should consider the following tips: Define a robust API security strategy. API security is essential for protecting the applications and data increasingly exposed through modern APIs. Unfortunately, many companies find that traditional web application firewalls (WAFs) and API gateways do not provide enough protection against sophisticated API attacks. Companies must define and execute an API security strategy that covers the complete API lifecycle and addresses cross-functional responsibilities to protect their applications and data. Some components of a comprehensive API security program include: API design analysis and drift analysis to identify any changes that can lead to vulnerability Automatic and continuous discovery of all APIs within an organization Augmented runtime protections to detect anomalous API usage A feedback loop for developers to use runtime insights to harden APIs Training for SecOps teams to understand and triage API security incidents A clear model for shared responsibility across functional groups Assess your current level of risk. When it comes to API security, it’s essential to understand the level of risk you are exposed to. To do this, you need to validate your current API designs against API security best practices and check for authentication and authorization controls throughout the sequence of API calls. Additionally, it’s important to launch simulated attacks based on the OWASP API Security Top 10 list and emulate the tactics of well-known API security incidents of 2022. Lastly, assess the gaps in protection from WAFs and API gateways to ensure a complete level of security. Enable frictionless API security across all your application environments. APIs are the foundation of all application development. From microservices to mobile applications, these programmatic connections have become the core of the modern application stack. A frictionless security approach is necessary to secure the full range of APIs in use. This means applying API discovery and runtime protection on-prem, in the cloud, on legacy apps, and container and Kubernetes deployments. When looking for an API security platform, it is important to ensure that it does not require inline deployments, agents, or the need to instrument code, as this can impact application performance and cause blaming of the security platform. A frictionless API security platform should be able to be applied without any impact on the applications themselves. Focus on robust runtime security: Runtime protection is a must-have for protecting web APIs and other systems. It provides immediate and continuous risk reduction while attackers perform extensive reconnaissance to identify vulnerabilities, probe systems with subtlety to avoid tripping coarse security protections, and attempt exploits. To be effective, an API security platform must be able to capture millions of data points over a long period of time. This data is then processed in near real-time with AI and ML to discern the reconnaissance activities of a bad actor and enable robust analysis. However, to successfully detect attacks, cloud-scale big data and mature AI algorithms are required — not on-prem API security and immature AI and ML. Don’t over-rotate on shift-left tactics. Shift-left and secure build pipeline approaches have their merits, but most API security gaps can only be detected in runtime. It is therefore essential to look for an API security platform that complements pipeline testing and OAS analysis with robust runtime protection. Shift-left tactics can take longer to deliver value, describes the report, as they can only identify a fraction of API security gaps, leaving security teams dependent on developers. Rather than investing too heavily in shift-left approaches, getting APIs protected with runtime security could help harden APIs quickly. This will also allow security teams to more quickly identify, detect and respond to API threats. Final Words The Salt Security Report is an in-depth report on the state of modern web application security, compiled from data from over three million data points and 200,000 applications, as well as survey responses. The report provides a comprehensive view of the current application security landscape and identifies key trends, challenges, and best practices to guide security practitioners. This report provides insights into the threats facing organizations and companies that use web and API technologies, including analysis of real-world attacks, top risks, and industry trends. Additionally, the report includes guidance from leading security experts and provides actionable recommendations to help organizations strengthen their defenses.