90% of businesses experienced API security vulnerabilities in 2020

Report finds that more than a quarter of organizations haven't yet launched an API security strategy

Nine in ten organizations suffered a security incident with their application programming interfaces (APIs) last year, according to a report from security company Salt Security.

An API is a tool that software uses to field queries over the internet, including queries from other cloud-based and mobile apps. APIs can also make browser-based applications more responsive and fluid. They are becoming increasingly popular, with Akamai stating that API queries comprise 83% of web traffic.

However, poorly crafted APIs can be a security risk, allowing people to query information they shouldn't. Examples in the past include a flaw an ethical hacker discovered in a GitLab API that could have exposed private group information. In 2018, an API bug at Google exposed 52.5 million private users’ data, and another at the US Postal Service made near real-time data on 60 million users public.

The report's findings don't mean 90% of people have experienced breaches via APIs. The incidents it described range from the discovery of vulnerabilities (54% of companies found those in production systems) to authentication problems (46%). However, the number of attacks on APIs was still a concern.

One in five companies experienced bot scrapers, and almost the same proportion experienced denial of service attacks via their APIs. Account misuse via APIs plagued 14% of respondents, while 9% saw an API-based data breach.

Respondents, who came from companies of all sizes and various sectors, revealed a lack of knowledge and strategy around API security. Of those surveyed, 5% had no API security strategy, and 22% were in the planning stages for API security. It's no surprise, then, that 83% of them lacked confidence in the APIs they were using, and 8% had no confidence at all. Companies had not documented their APIs properly because their tools relied on human interaction.

API blindness is a problem when it comes to version control. Outdated “zombie” APIs that should have been retired long ago are often left exposed. According to Salt, there were anywhere from 40% to 800% more APIs in its clients' infrastructures than employees had documented.

This lack of visibility makes APIs a critical attack point. Salt's software found that 91% of its clients' APIs exposed personal or otherwise sensitive data.

Companies are aware of these security issues and see them as a significant risk; according to the report, these concerns have delayed 66% of API deployments. The report warned that there is too much of a focus on pre-production API threat-hunting and that too many people rely on developers and DevOps teams to catch API security issues. Companies must increase collaboration between their security and development teams, it said.
