Many customer-facing APIs remain unprotected, leaving businesses vulnerable to breaches. To address these threats, a comprehensive approach to API security, covering every stage of the lifecycle, is essential to protect sensitive data and prevent exploitation.

In this article, you will find key insights from surveys on API security trends and challenges conducted in 2024.

The average organization now manages 421 different APIs, with most hosted in public cloud environments. Despite this growth, a significant number of APIs—particularly those that are customer-facing—remain unprotected. 80% of organizations begin API security in the API design phase. In addition, 59% say they incorporate security at every stage of the API lifecycle.

Nightfall AI’s research revealed that secrets like passwords and API keys were most often found in GitHub, with nearly 350 total secrets exposed per 100 employees every year.

When asked how they plan to defend their AI implementations against these threats (or already do so), respondents are focused on application services such as API security, monitoring, and DDoS and bot protection. 42% say they are using, or plan to use, API security solutions to safeguard data as it moves through AI training models.

The proliferation of APIs has led companies to adopt new methods to manage and secure their growing API estates. 95% have now deployed API gateways to authenticate callers, validate requests, and rate-limit traffic, and 43% have automated their security infrastructure for both applications and APIs.
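The three gateway functions named above (authentication, request validation, rate limiting) are easy to list and easy to get wrong. The following is an added example, not code from the article or from any surveyed vendor: a minimal gateway-style middleware in Python that checks an API key with a constant-time comparison, rejects requests that do not match a declared route and field set (deny by default), and applies a per-tenant token bucket. The key table, the routes, the limits and the `clock` parameter are hypothetical; the clock is injectable only so the behaviour can be tested deterministically.

```python
"""Minimal API-gateway middleware: authenticate, rate-limit, validate, then forward.
Illustrative example; key table, routes and limits are hypothetical."""
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample key table. A real gateway looks keys up in a secret store
# and never keeps them in source.
API_KEYS: Dict[str, str] = {"key-abc123": "tenant-a", "key-def456": "tenant-b"}

# Declared routes and the exact body fields each accepts. Anything not listed
# here is rejected, so an undocumented route cannot be reached through the gateway.
ROUTES = {
    ("GET", "/orders"): set(),
    ("POST", "/orders"): {"sku", "quantity"},
}


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    last: float     # clock reading at the last refill


class Gateway:
    def __init__(self, rate: float = 2.0, burst: int = 3,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate        # tokens refilled per second
        self.burst = burst      # bucket capacity (maximum burst)
        self.clock = clock      # injectable for deterministic tests
        self.buckets: Dict[str, Bucket] = {}

    def authenticate(self, headers: Dict[str, str]) -> Optional[str]:
        """Return the tenant for a valid X-API-Key header, else None."""
        presented = headers.get("X-API-Key", "")
        for key, tenant in API_KEYS.items():
            # compare_digest avoids leaking key bytes through timing differences
            if hmac.compare_digest(presented, key):
                return tenant
        return None

    def allow(self, tenant: str) -> bool:
        """Token bucket: refill by elapsed time, then spend one token per request."""
        now = self.clock()
        b = self.buckets.setdefault(tenant, Bucket(tokens=float(self.burst), last=now))
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def validate(self, method: str, path: str, body: Dict) -> Optional[str]:
        """Return a problem description, or None if the request matches its route."""
        expected = ROUTES.get((method, path))
        if expected is None:
            return "unknown route"
        unexpected = set(body) - expected
        missing = expected - set(body)
        if unexpected or missing:
            return f"bad fields: unexpected={sorted(unexpected)} missing={sorted(missing)}"
        q = body.get("quantity")
        if "quantity" in expected and not (isinstance(q, int) and 0 < q <= 1000):
            return "quantity out of range"
        return None

    def handle(self, method: str, path: str, headers: Dict[str, str],
               body: Optional[Dict] = None) -> Tuple[int, str]:
        """Run the checks in order and return an (HTTP status, reason) pair."""
        tenant = self.authenticate(headers)
        if tenant is None:
            return 401, "unauthenticated"
        if not self.allow(tenant):
            return 429, "rate limited"
        problem = self.validate(method, path, body or {})
        if problem is not None:
            return 400, problem
        return 200, f"forwarded to backend for {tenant}"


if __name__ == "__main__":
    gw = Gateway(rate=1.0, burst=2)
    hdr = {"X-API-Key": "key-abc123"}
    print(gw.handle("GET", "/orders", hdr))
    print(gw.handle("POST", "/orders", hdr, {"sku": "A1", "quantity": 0}))
    print(gw.handle("DELETE", "/orders", hdr))
```

Two design points matter more than the code volume: the rate limit is applied before validation so that a flood of malformed requests still costs the sender tokens, and the route table is a positive allow-list, so a new backend endpoint is unreachable until someone declares it. Unauthenticated traffic is not limited per tenant here (there is no tenant yet); a production gateway would also limit by source address.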

The lack of action on API breaches comes despite the vast majority of decision-makers knowing there is a problem. 95% of respondents surveyed by Fastly said they had experienced API security problems in the last twelve months. 79% had delayed the rollout or integration of a new application due to API security concerns.

A total of 29% of web attacks targeted APIs over the 12 months from January through December 2023, indicating that APIs are a focus area for cybercriminals. Commerce was the most attacked vertical, receiving 44% of API attacks, followed by business services at nearly 32%.

Organizations struggle to protect what they cannot see. Nearly 31% more REST API endpoints were discovered by machine-learning analysis of live traffic than were listed in customer-provided identifiers, i.e., organizations lack a full inventory of their APIs.
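The inventory gap described above can be measured without any machine learning: compare the endpoints that actually appear in access logs against the ones declared in the API specification. The following is an added example, not code from the article or from the vendor that ran the survey. It parses constructed log lines in common log format, collapses numeric, UUID and long hex path segments into `{id}` so that `/users/1042` and `/users/2231` count as one endpoint, ignores 404 responses (a probe for a path that does not exist is not an endpoint), and reports every observed method-plus-path that the declared inventory does not contain. The log lines, the declared inventory and the `/api/` prefix are all hypothetical.

```python
"""Shadow-endpoint discovery: observed endpoints (from access logs) minus declared ones.
Illustrative example; log lines and inventory are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Endpoint = Tuple[str, str]  # (HTTP method, normalized path template)

# Constructed sample access log, common log format. Two real users, one UUID-keyed
# order, an undocumented internal route, a DELETE the spec never mentioned (403,
# so the route exists), a static asset, and a 404 probe that is not an endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /api/v1/users/2231?fields=name HTTP/1.1" 200 498
10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "POST /api/v1/orders HTTP/1.1" 201 120
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /api/v1/orders/7f3a9c2e-1b2d-4c5e-8f90-aabbccddeeff HTTP/1.1" 200 300
10.0.0.7 - - [12/Mar/2024:10:02:11 +0000] "GET /api/internal/debug/config HTTP/1.1" 200 2048
10.0.0.7 - - [12/Mar/2024:10:02:15 +0000] "DELETE /api/v1/users/1042 HTTP/1.1" 403 0
10.0.0.8 - - [12/Mar/2024:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000
10.0.0.3 - - [12/Mar/2024:10:04:00 +0000] "GET /api/v1/admin HTTP/1.1" 404 0
"""

# Declared inventory, as it might be extracted from an OpenAPI document (constructed).
DECLARED: Set[Endpoint] = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Path segments that are almost certainly identifiers rather than route names.
ID_PATTERNS = [
    re.compile(r"^\d+$"),                                                   # numeric id
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),  # UUID
    re.compile(r"^[0-9a-f]{16,}$", re.I),                                   # long hex token
]


def normalize(path: str) -> str:
    """Strip the query string and replace identifier-like segments with {id}."""
    path = path.split("?", 1)[0]
    segments: List[str] = []
    for seg in path.split("/"):
        if any(p.match(seg) for p in ID_PATTERNS):
            segments.append("{id}")
        else:
            segments.append(seg)
    return "/".join(segments)


def observed_endpoints(lines: Iterable[str], api_prefix: str = "/api/") -> Counter:
    """Count requests per (method, template) under the API prefix, skipping 404s."""
    seen: Counter = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or non-request line
        if m.group("status") == "404":
            continue  # path does not exist on the server; a probe, not an endpoint
        path = m.group("path")
        if not path.startswith(api_prefix):
            continue  # static assets and other non-API traffic
        seen[(m.group("method"), normalize(path))] += 1
    return seen


def shadow_endpoints(lines: Iterable[str], declared: Set[Endpoint]) -> Dict[Endpoint, int]:
    """Observed endpoints absent from the declared inventory, with request counts."""
    seen = observed_endpoints(lines)
    return {ep: n for ep, n in seen.items() if ep not in declared}


if __name__ == "__main__":
    for (method, template), count in sorted(shadow_endpoints(SAMPLE_LOG.splitlines(), DECLARED).items()):
        print(f"undocumented: {method} {template} ({count} requests)")
```

On the sample log this reports `GET /api/internal/debug/config` and `DELETE /api/v1/users/{id}`, both served by the backend and absent from the spec; the 403 on the DELETE is a useful signal, since a server only refuses authorization for a route that exists. The weak point of any log-based approach is the normalization step: an identifier format the patterns do not recognize (an opaque slug, a base64 token) shows up as dozens of distinct "endpoints", so the patterns need tuning to the application's own identifier conventions.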