State of API Security: Steep growth in API Attack Traffic

May 16, 2022 | Anastasios Arampatzis

Organizations use APIs to enable different applications to communicate with each other, share data, and use common services to help deliver and streamline functionality for users. Because of the growing importance of APIs to business, API security is a crucial element of an organization’s cybersecurity strategy. Despite that, organizations seem to lag in API security according to the latest API Security Report by Salt Security. Poor API authentication remains one of the top issues that facilitate attacks. API authentication and authorization rely on machine identities and API keys that can be vulnerable to theft and misuse.

Key API security report findings

The State of API Security Report from Salt Labs focuses on API security risks, challenges, and strategies. The survey data reflects the input of more than 250 respondents; 26% of respondents have doubled the number of APIs in use from a year ago, and 5% have more than tripled the count.

As organizations continue to transform their ways of working, and as developers build more applications and APIs for services, attackers change their tactics, making APIs their prime target. In the last 12 months, API attack traffic increased by 168% overall.

A sizeable 62% of respondents delayed application rollouts because of API security concerns. It is evident that organizations face an urgent need to reduce security risks around APIs to continue to innovate quickly and for their businesses to flourish.

Despite robust efforts to validate APIs before deploying them into production, nearly every company is finding security problems in their production APIs. Vulnerabilities are the leading challenge, with 39% of respondents identifying them in their production APIs. Authentication problems are the next most common issue, at 32%, followed closely by sensitive data exposure at 30%.

While non-authenticated APIs or APIs with weak authentication mechanisms create security gaps, 94% of exploits are happening against authenticated APIs, a clear indication that API security is a challenging topic requiring a lot more than just authentication.

It follows that most survey respondents acknowledge the gaps in their existing tools’ efficacy in stopping bad actors. A whopping 85% note that their tools are not very effective in stopping API attacks.

The importance of machine identity management to API security

The OWASP API Top 10 list identifies authentication and authorization attacks as the top two risks for API Security. Broken object-level authorization, user authentication and function-level authorization can be leveraged by attackers to gain access to sensitive information processed by the application and compromise the overall API security.

APIs need a verified identity using digital certificates and cryptographic keys. Once an API is verified, it can communicate securely with other APIs, establish trust relationships, and grant authorized access to networks and resources.

However, to ensure that these API identities are not compromised, organizations need an effective machine identity management program. Effectively managing the increasing number of machine identities associated with APIs helps organizations keep track of all APIs and ensure that each one has appropriate access permissions.

The impact of poor machine identity management can become damaging:

  • Service outages caused by expired certificates
  • SSH keys breached by SSH-related malware
  • Broken customer trust
  • Lost revenue

An essential component of effective machine identity management for APIs is the ability to automate machine identities over multiple API gateways. API gateways use large numbers of machine identities—cryptographic keys and digital certificates—to establish trust and preserve privacy. But API gateways do not include machine identity management features that provide security teams with insights into how machine identities are being used. Nor do they provide the automation necessary to eliminate time-consuming and error-prone TLS certificate lifecycle functions.

The Venafi way to API security

Organizations need a mix of tactics to protect APIs. Authentication and authorization are just two important components of robust API security and should be leveraged together with controls such as API visibility and abnormal behavior intelligence to ensure that APIs are not manipulated by attackers. “Companies need to define and execute against an API security strategy that covers the full lifecycle of APIs and addresses cross-functional responsibilities,” suggests the Salt Security report.

Venafi Trust Protection Platform, through its integrations with various ecosystem partners, simplifies and automates API security through a comprehensive, layered machine identity solution that protects APIs and enables full visibility and control of machine-to-machine communications.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
