Few assets in the attack surface cause as much hassle as APIs. Not only are many organizations’ APIs openly exposed on the internet, but those same organizations rely on them to reach critical data assets and applications.
Many security teams are still coming to terms with the fact that APIs are just as susceptible to exploitation as weaknesses in servers or networks, and are struggling to maintain up-to-date inventories of the APIs, and the vulnerabilities, in their environments.
New research released by API security provider Salt Security highlighted this trend: 94% of organizations responding to its survey experienced security issues in production APIs in the past year, and 20% said their organization had actually suffered a data breach as a result of API security gaps.
These security issues can be as serious as openly exposing protected data online. For instance, among Salt’s customer base, 91% of APIs were exposing PII or other sensitive data to threat actors.
For enterprises, this research highlights that most organizations need to reevaluate their API security strategies to ensure they have the maturity to protect APIs throughout the entire development lifecycle.
Moving away from “shift left” security
As recently as 2019, Gartner released a set of strategic planning assumptions predicting that by 2021, 90% of web-enabled applications would have more surface area for attack in the form of exposed APIs, and that by 2022, API abuses would move from an infrequent to the most-frequent attack vector.
Given that Salt Security’s new research found API attack traffic has doubled in the past 12 months, these predictions appear to have come true.
At the same time, the uptick in API-focused attacks highlights that threat actors are well aware that enterprises aren’t adequately securing their APIs.
In short, the writing is on the wall for shift-left approaches to testing and security on their own; organizations need much more proactive, continuous API vulnerability scanning and mitigation.
“If an organization is relying on shift-left capabilities alone, they put themselves at risk. At some level, customers seem to appreciate this difference. When asked which API security platform capabilities are highly important, stopping attacks came in at the top of the list, and shift-left practices were at the very bottom,” said Michelle McLean, vice president of marketing at Salt Security.
“The finding makes sense given the need to get safe now vs. protect future assets, but companies need to follow their own advice and get more proactive about API security,” McLean said.
Getting to grips with the risk of API exploitation
McLean notes that the risk of API exploitation isn’t merely theoretical either: 34% of Salt Security customers endure more than 100 attempted attacks per month, and 60% of those surveyed manage over 100 APIs.
The only way for organizations to get to grips with this landscape is to have an advanced API security strategy, rather than relying on API gateways and web application firewalls (WAFs) that provide little protection against these types of attacks.
In practice, an advanced API security strategy means deploying a solution that can manage hundreds or thousands of constantly changing APIs from development through deployment and runtime, while automatically keeping an API inventory up to date.
Salt Security works to fulfill this framework by using an API context engine (ACE) alongside machine learning and artificial intelligence to automate the discovery of APIs and to detect vulnerabilities in the attack surface.
The API security market
With growing awareness of the security issues created by insecure APIs, many organizations are turning to API security platforms like Salt Security to protect their environments. In fact, researchers expect the API management market to grow from a value of $4.5 billion in 2022 to $13.7 billion by 2027.
Over the past year or so, there’s been lots of investor interest in API security solutions. For example, Salt Security raised $140 million as part of a series D funding round at the start of this year, bringing the organization’s total valuation to $1.4 billion.
Competitors include Noname Security, whose platform enables organizations to build a real-time inventory of APIs and identify vulnerabilities and misconfigurations across the attack surface.
Other competitors include full-lifecycle API security platforms like Traceable AI, which continuously scan and discover APIs while providing context-based behavioral analytics to provide real-time protection against threats.
Traceable AI also raised $60 million and achieved a post-money valuation of $450 million in May of this year.
However, according to Yaniv Balmas, vice president of research at Salt Security, the level of context provided is what separates Salt Security from other competing solutions.
“Salt Security is the only platform on the market that applies cloud-scale big data to address API security challenges. Only Salt is able to capture and baseline all API traffic — all calls and responses — over days and weeks. It then applies its AI and ML algorithms, which have been in market more than four years, to provide real-time analysis and correlation across all those billions of API calls,” Balmas said.