2025-01-29

API attack traffic rose by 681% over a 12-month period, far outpacing the 321% increase in overall API call volume – a dramatic surge that highlights threat actors’ growing focus on APIs as attack vectors.

This was one of the findings of Salt Security’s State of API Security Report.

According to the report, despite the well-documented risks, many organizations are still unprepared. A bit over half (58%) of businesses actively address vulnerabilities listed in the OWASP API Security Top 10 (a crucial industry benchmark)—a gap that leaves numerous entities exposed to attacks that exploit common weaknesses like broken authentication, data exposure, or misconfigurations.

High-Profile API Attacks Highlight Risks

Several high-profile cyber incidents have hit the headlines and revealed the devastating impact of API vulnerabilities.

The infamous SolarWinds supply chain attack leveraged APIs as a critical component of its intrusion, while the Microsoft Exchange Server breach exposed sensitive data through exploited API weaknesses.

More recently, nearly 13 million API secrets were inadvertently exposed through public GitHub repositories, leaving companies vulnerable to exploitation. Malefactors leveraged these leaked credentials to gain unauthorized access to sensitive systems.

Limited Adoption of API Security Best Practices

One of the most effective strategies for mitigating API risks is comprehensive API posture governance. This framework ensures that security is embedded throughout the full API lifecycle—from development and deployment to ongoing monitoring and threat detection.

However, a previous report by Salt revealed that only 10% of organizations have implemented such a strategy, leaving a vast majority open to attack.

Convenience Over Security

This vulnerability shows a growing and recurring issue in API security—convenience often takes priority over security, says Akhil Mittal, Senior Manager at Black Duck. “Travel platforms are built to provide seamless user experiences, but that ease of use can create blind spots. Here, attackers didn’t use sophisticated techniques; they exploited weak validation processes and a failure to manage trust between integrated systems.”

What stands out for Mittal is the lack of granular access controls and proper token validation. “These are basics in API security, but they’re often overlooked in favor of faster integrations or simpler designs. Organizations need to step back and ask: Are we truly enforcing strong authentication at every step? Are we watching for unusual behaviors, like spikes in link activity or unexpected account access? And are we taking the time to understand the risks our third-party partners might bring into the mix?”

This isn’t just about fixing a technical issue or patching vulnerabilities, Mittal stresses. “When systems are interconnected, the risks don’t just add up; they multiply. One flaw in an API can quickly spread, putting millions of users at risk. That’s why APIs need smarter security, like dynamic trust validation, behavior validation, and real-time anomaly detection to prevent exploitation.”

Open redirects have been a known weakness for over a decade and are relatively easy to address, says John Bambenek, President at Bambenek Consulting. “This shows that there is a degree of complacency in this industry, thinking that the sensitivity of the information is low. While perhaps that was true when these systems were created, with the proliferation of award points that have actual value, it’s time to ensure the basics of web security are put in place.”
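Bambenek’s point that open redirects are easy to address, and Mittal’s point about weak validation, as an added example that is not from the article, Salt Security or any vendor quoted here: a typical prefix-based check on a “next” parameter beside an allowlist-based validator. The portal host names, base URL and fallback path are constructed for the example.

```python
from urllib.parse import urljoin, urlparse

# Constructed values: the hosts this (hypothetical) travel portal may send users to.
ALLOWED_HOSTS = {"portal.example.com", "rewards.example.com"}
BASE_URL = "https://portal.example.com/"
FALLBACK = "/account"  # fixed internal path used whenever validation fails


def weak_redirect_check(target: str) -> bool:
    """The kind of validation that leaves an open redirect: a prefix match on
    the raw string. Accepts '//evil.example/...' (scheme-relative) and
    'https://portal.example.com.evil.example/' (look-alike host)."""
    return target.startswith("https://portal.example.com") or target.startswith("/")


def safe_redirect(target: str) -> str:
    """Resolve a user-supplied 'next' value against the portal's own base URL,
    then allow it only if the scheme is HTTPS and the host is on the allowlist.
    Anything else falls back to a fixed internal path instead of the input."""
    if not target or any(c in target for c in "\r\n\x00\\"):
        # Control characters break header handling; some browsers treat '\'
        # as '/'. Reject rather than guess how a client will interpret it.
        return FALLBACK
    # urljoin turns relative paths into absolute URLs and resolves
    # scheme-relative input such as '//evil.example/x' to a foreign host.
    resolved = urljoin(BASE_URL, target)
    parsed = urlparse(resolved)
    if parsed.scheme != "https":
        return FALLBACK  # blocks downgrades and non-web schemes
    # .hostname drops userinfo and port, so
    # 'https://portal.example.com@evil.example/' yields 'evil.example'.
    host = parsed.hostname or ""
    if host not in ALLOWED_HOSTS:
        return FALLBACK
    return resolved


if __name__ == "__main__":
    for candidate in ("/account/points", "//evil.example/login",
                      "https://portal.example.com@evil.example/"):
        print(f"{candidate!r}: weak={weak_redirect_check(candidate)} "
              f"safe={safe_redirect(candidate)!r}")
```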

Expertise, Planning, and Time

Securing APIs becomes more and more challenging when integrating with third-party services, adds Ray Kelly, Fellow at Black Duck. “Managing the sharing of authentication tokens, navigating complex chained API flows, and enforcing proper authorization on API calls can be daunting, particularly for large organizations.”

Kelly believes that strengthening the software supply chain in these ecosystems will take expertise, thorough planning, and time, so that vulnerabilities are addressed effectively and risks mitigated before deployment to production. “As a general rule, users should avoid clicking links in unsolicited SMS or email messages, as doing so can lead to account theft, as demonstrated in this scenario.”

The Way Forward

As businesses depend more and more on APIs, security needs to move to the top of the priority list. Robust threat detection, regular API audits, and adopting zero-trust principles can all help mitigate risks. With API attacks expected to rise further, organizations that fail to act could find themselves at the center of the next major breach.

For businesses looking to secure their API ecosystems, the message is clear: proactive measures are no longer optional—they are essential.

