API attack traffic growing at triple the rate of regular API traffic

Salt Security customers experience about 12.2 million attack calls per month

The amount of attack traffic targeting APIs is growing more than three times faster than the rate of regular API traffic, a new report has found.

Salt Security's State of API Security Report is based on six months of customer data obtained through Salt Security's API Protection Platform. It also utilised survey data from more than 200 security, DevOps and application professionals.

Salt Labs, the company's research arm, found that overall API traffic grew 141 per cent in the past six months, while API attack traffic rose by 348 per cent during the same period.

Salt Security said its customers were experiencing an average of 12.2 million attack calls per month by June 2021. As all those customers - at least, according to Salt - have WAFs and API gateways deployed, all of the API attacks 'got past those traditional security controls'.

'Such findings are consistent with broader industry research showing APIs as the dominant application attack vector,' it added.

Few respondents in the survey felt confident about identifying and thwarting API attacks.

When asked about the use of APIs in their organisation, 61 per cent of respondents said they use APIs for system or platform integrations; 52 per cent to drive digital transformation; and 47 per cent to improve or standardise the efficiency of software development.

Nearly two-thirds of respondents (64 per cent) had to delay application rollouts due to API security concerns.

When asked about potential concerns their organisations might have about API programmes, 26 per cent of respondents said they were worried about the lack of pre-production security. Twenty per cent said they were concerned about the programme not sufficiently addressing runtime security.

API abuse will become the most frequent attack vector by 2022, market watcher Gartner has said.

In 2017, hackers leveraged a successful API attack to carry out the Equifax breach, exposing nearly 147 million accounts.

Since then, several API breaches and major bugs have been uncovered at Facebook, Experian, Geico, Peloton and other organisations.

"APIs remain one of the most vulnerable elements of any organisation's application or software stack," said Roey Eliyahu, chief executive of Salt Security.

"Anecdotally, we know we find critical security vulnerabilities in the APIs of 90 per cent of the prospects we support.

"This report quantifies those anecdotal findings, highlighting the API security risks companies are living with every day."