Today, cybersecurity provider Radware released the 2022 State of API Security report, a study that gathers input from security leaders from global organizations across North America, EMEA, and APAC, which found that enterprises have a false sense of security with regard to their API security posture. 

One of the most alarming findings of the study was that there is a gap between the level of API documentation and the level of protection that orgs believe they have. 

For instance, while 92% of those surveyed beleive they have adequate protection for their APIs, 62% admit a third or more APIs are undocumented. 

This indicates that most organizations are in denial about their true API security posture, choosing to overlook the lack of transparency over a significant number of undocumented APIs. 

The need for API security 

With more organizations operating in the cloud than ever before, API security is now critical for preventing data breaches and keeping malicious threat actors at bay. However, most organizations are failing to make the strategic adjustments needed to secure their APIs. 

Even prominent companies like Parler, Peloton, and even LinkedIn have fallen victim to high-profile API-driven attacks perpetrated by cybercriminals that know APIs are a commonly neglected entry point to enterprise environments.  

When considering that API traffic grew 321% last year and API attack traffic increased by 681%, enterprises need to be prepared to mitigate API-level threats if they want to protect their data. 

Getting to grips with securing APIs 

The key to addressing these threats is for security teams to thoroughly document and discover APIs, as overlooking them can provide an attacker with everything they need to break into the environment. 

“For many companies, there is unequivocally a false sense of security that they are adequately protected from cyberattacks. In reality, they have significant gaps in the protection around unknown and undocumented APIs,” said chief operations officer and head of research and development at Radware, Gabi Malka in the official announcement. 

“API security is not a ‘trend’ that is going away. APIs are a fundamental component to most of the current technologies and security must be a priority for every organization,” Malka said. 

Malka warns that organizations often make the mistake of believing their API protection posture is better than it is because they make false assumptions, like believing API gateways and traditional WAFs protect their environment, instead of onboarding dedicated API protection solutions with bot protection capabilities. 

A look at the API security market 

Of course many providers are recognizing the menace posed by API-driven threats, and are actively developing their own solutions to address these new threats.

One of the key players in this market is Salt Security with the Salt API Protection platform that discovers APIs and exposed datam, creating an inventory of APIs for security teams to monitor. 

Earlier this year, Salt Security announced it had raised $140 million in funding as part of a Series D funding round. 

Another API security competitor is Wallarm, which offers an API-security platform designed to protect APIs in cloud-native environments, securing them against the API OWASP Top 10, offering bot mitigation, and automated API security testing. Wallarm most recently announced raising $8 million as part of a Series A funding round in 2018. 

As the market gets further developed, enterprises will be able to distinguish between these tools much like traditional vulnerability scanning tools; based on how effective they are at scanning and identifying vulnerabilities in exposed APIs.