#United States #Palo Alto #API Security #Salt Security #GenAI Risks

Examining the Alarming State of API Security in 2025

In today's rapidly evolving digital landscape, APIs (Application Programming Interfaces) serve as the backbone for countless applications, enabling seamless data interactions across platforms. However, the latest Salt Labs State of API Security Report Q1 2025 has uncovered a worrying trend: an overwhelming 99% of surveyed organizations reported facing API security issues in the last year. This significant finding highlights the urgent need for businesses to re-evaluate their API security strategies.

Increasing Concerns and Security Risks

The report, which draws upon insights from over 200 IT and security professionals, illustrates a landscape riddled with vulnerabilities. According to the findings, more than half of respondents—55%—admitted to slowing the introduction of new applications due to API security concerns. Key issues identified include vulnerabilities that expose APIs to various threats, such as injection attacks; over one-third (37%) of respondents indicated that this was the most pressing challenge. Additionally, sensitive data exposure was reported by 34% and API authentication weaknesses by 29%.

The introduction of Generative AI (GenAI) also compounds these challenges. Almost half of the respondents (47%) expressed anxieties about securing AI-generated code, with 40% identifying vulnerabilities from such code as a major risk. Surprisingly, only 11% of organizations did not view GenAI applications as a mounting security issue.

Moreover, a staggering 95% of API attacks reported came from authenticated sources, underlining that traditional methods focused on authentication alone are insufficient for robust security. This trend suggests that bad actors are utilizing legitimate methods to bypass defenses, targeting external-facing APIs, which accounted for 98% of attack attempts.

The Rising Necessity for API Governance

In response to the escalating risks, implementing an effective API posture governance strategy is no longer optional but essential. This framework facilitates the establishment of security standards across the API ecosystem, driving proactive remediation of security gaps. Alarmingly, only 10% of organizations had such governance strategies in place as of 2025, although 43% plan to adopt these measures within the year.

Roey Eliyahu, CEO and co-founder of Salt Security, emphasizes the critical need for organizations to fortify their defenses: "In a digital-first society, as the deployment of APIs accelerates, it becomes paramount to ensure that robust security measures are in place—this involves meticulously defining, enforcing, and regularly assessing security policies to prevent exploitation of vulnerabilities."

Additional Insights into API Security Budgets and Practices

Interestingly, the report reveals that while 69% of organizations boosted their API security budgets by over 5%, many still find their API security maturity lacking. A staggering 59% of surveyed companies are operating at either planning or basic stages of API security, and only 6% reported having advanced security programs. Budget constraints, limited resources, and inadequate tooling emerged as significant barriers.

Most reported attacks were found to correlate with the challenges outlined in the OWASP API Security Top 10, with security misconfigurations (54%) and broken object-level authorization (27%) being the most common threat techniques observed. Moreover, the expansion of API use has led to an increase in security risks, as nearly one-third of organizations have seen their API count grow by 51-100% in the past year.

Addressing GenAI Risks Through Training and Tools

As organizations grapple with the unique security challenges posed by AI, many are adopting various strategies. Training developers to understand the distinct risks of AI-generated code has become a priority for 56% of respondents. Additionally, 37% are leveraging specialized AI security tools to manage vulnerabilities introduced by AI-driven processes.

Evaluating API Security Effectiveness

To measure the returns on their API security investments, organizations are focusing on compliance improvements (37%), cost savings from preventing breaches (25%), and reductions in security incidents (16%). However, the report highlights a significant lack of confidence in maintaining accurate API inventories, with only 15% expressing strong confidence in their inventories' accuracy, revealing important gaps in monitoring practices.

In summary, the Salt Labs State of API Security Report stresses the critical need for companies to adopt comprehensive API governance strategies to address the multifaceted security challenges they face. With the overwhelming majority of organizations experiencing API security issues, the urgency for effective solutions has never been greater. Companies must act quickly to bolster their security frameworks and ensure that their API ecosystems are fortified against emerging threats. More detailed insights and recommendations can be accessed in the full report here.