Companies rely on tens of thousands of APIs. For the enterprises participating in this study, the average number of APIs in use is 15,564. Large enterprises, those with more than 10,000 employees, have an even greater dependency, with an average of 25,592 APIs in place.
Many API security incidents will go undisclosed unless a data breach occurs requiring consumer notifications, or there is a coordinated disclosure of API security vulnerabilities with a security researcher. Practitioners were asked whether their organizations had experienced a security incident related to an API in the past year.
41% of organizations had an API security incident in the last 12 months.
Of those, 63% said the incident involved a data breach or data loss.
Respondents’ top-cited API security problems in the past 12 months include poor API logging practices (39%); problems in API authentication, including lack of authentication in APIs that should require it (37%); and API misconfigurations (36%).
Just over a third (35%) of survey respondents said projects were delayed specifically because of API security concerns. Of those, 87% believe more effective integration of API security testing (AST) into developer pipeline activities could have prevented the delays.