
Most organizations encountered API security issues in the previous year

Salt Security’s latest State of API Security Report for Q1 2025 sheds light on the persisting challenges that companies face in safeguarding their application programming interfaces (APIs). The report, based on input from more than 200 IT and security professionals as well as anonymized data from Salt Security’s clientele, offers a comprehensive analysis of the current API security landscape.

According to the findings, API security continues to be a major area of concern, with a staggering 99% of survey participants reporting that they encountered security issues over the past year. Moreover, over half (55%) of the organizations have had to delay application launches because of worries about API security. The analysis of prevalent security issues in operational APIs identified vulnerabilities such as injection attacks and Broken Object-Level Authorization (BOLA) as the primary concern, accounting for 37% of the issues, followed by sensitive data exposure (34%) and authentication weaknesses (29%).

The escalation in the use of generative AI (GenAI) has further complicated these challenges. Nearly half (47%) of the respondents expressed apprehensions about securing AI-generated code, while 40% highlighted the potential vulnerabilities introduced by such code as a significant risk. Interestingly, only 11% of respondents downplayed the growing security concerns associated with GenAI applications within their organizations.

Salt Labs’ examination of customer API traffic patterns revealed that a vast majority (95%) of API attacks originated from authenticated sources, indicating that the conventional authentication-centric security measures are no longer adequate. Additionally, a staggering 98% of attack attempts were aimed at external-facing APIs, underscoring the fact that publicly accessible APIs remain the primary targets for malicious actors.

The report underscores the criticality of API posture governance strategies, which entail establishing and enforcing consistent security standards throughout an organization’s API ecosystem. However, only a mere 10% of organizations currently have such a strategy in place. Encouragingly, 43% have plans to implement one within the next year, signaling a growing realization of the importance of proactive security measures.

Despite a significant 69% of organizations boosting their API security budgets by over 5%, the overall maturity of API security strategies remains relatively low. A considerable 59% of respondents are still in the planning or basic stages, with only 6% reporting advanced programs. Limited budgets, resource constraints, and inadequate tooling were identified as primary hurdles to progress.

An analysis of attack techniques showcased that a whopping 80% of attack attempts align with the OWASP API Security Top 10 list. Specifically, security misconfigurations (54%) and broken object-level authorization (27%) stood out as the most prevalent attack vectors.
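The two findings above, that most attacks come from authenticated callers and that BOLA is among the most common attack vectors, point at the same gap: an API that checks who the caller is but not whether that caller may touch the requested object. The following is an added illustration, not code from the report or from Salt Security. It models a single order-lookup endpoint with constructed sample data, shows the BOLA-prone version beside the hardened one, and records denied cross-object reads so a monitor can flag an authenticated principal that keeps probing other users’ objects. All names (`ORDERS`, `Session`, `get_order_hardened`, `suspicious_principals`) are hypothetical.

```python
"""Added example (not from the Salt Security report): a minimal API handler
showing Broken Object-Level Authorization (BOLA) beside its fix. The data,
users and function names are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two users' orders behind one authenticated API.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 999.99},
}


@dataclass
class Session:
    user: str                 # identity established by authentication
    authenticated: bool = True


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


# Audit trail of denied object accesses; continuous monitoring can alert on
# repeated denials from the same authenticated principal.
DENIALS: list[dict] = []


def get_order_vulnerable(session: Session, order_id: int) -> Response:
    """Checks only *who* the caller is, never whether they may read this object.
    Any authenticated user can read any order by supplying its id: classic BOLA."""
    if not session.authenticated:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404)
    return Response(200, order)


def get_order_hardened(session: Session, order_id: int) -> Response:
    """Authentication plus an object-level ownership check on every read."""
    if not session.authenticated:
        return Response(401)
    order = ORDERS.get(order_id)
    # Missing and foreign objects both answer 404 so the response does not
    # reveal which ids exist; a foreign-object attempt is logged for monitoring.
    if order is None or order["owner"] != session.user:
        if order is not None:
            DENIALS.append({"user": session.user, "order_id": order_id})
        return Response(404)
    return Response(200, order)


def suspicious_principals(denials, threshold=3):
    """Authenticated users with at least `threshold` denied cross-object reads."""
    counts: dict = {}
    for d in denials:
        counts[d["user"]] = counts.get(d["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    mallory = Session("mallory")          # authenticated, owns nothing
    print(get_order_vulnerable(mallory, 1002))   # leaks bob's order
    print(get_order_hardened(mallory, 1002))     # 404, denial recorded
    print(suspicious_principals(DENIALS, threshold=1))
```

The hardened handler makes the authorization decision per object on every request rather than relying on the session alone, and the denial log turns failed ownership checks into a signal that continuous monitoring can act on, which is the kind of telemetry the report finds most organizations still lack.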

Moreover, the report spotlighted the meteoric rise in API adoption, with 30% of organizations witnessing a 51-100% increase in the number of APIs managed over the past year, and 25% experiencing growth exceeding 100%. Currently, 43% of organizations handle up to 100 APIs, while 34% oversee between 101 and 500 APIs daily.

To address the risks associated with GenAI, organizations are rolling out various strategies, including developer training (56%), specialized AI security tools (37%), and code reviews coupled with security testing (40%).

Effectively measuring the return on investment (ROI) of API security is deemed crucial for aligning security initiatives with organizational objectives. Organizations measure it in different ways: 37% assess improvements in compliance posture, 25% gauge cost savings from breach prevention, and 16% monitor reductions in API-related security incidents.

Lastly, the report brought to light substantial gaps in API monitoring and inventory management. Merely 15% of respondents expressed strong confidence in the accuracy of their API inventories, while 34% acknowledged a lack of visibility into sensitive data exposure via APIs. Alarmingly, only 20% have mechanisms in place for continuous API monitoring.
