99% of Organizations Report API-Related Security Issues

A growing reliance on APIs has fueled security concerns, with nearly all organizations (99%) reporting API-related security issues in the past year.

According to the Q1 2025 State of API Security Report by Salt Security, the rapid expansion of API ecosystems—driven by cloud migration, platform integration and data monetization—is outpacing security measures and exposing organizations to increased risk.

API Growth and Security Gaps

The report, published on Febrary 26, highlights significant API growth, with 30% of organizations experiencing a 51-100% increase in APIs over the past year and 25% reporting growth exceeding 100%.

This expansion has created challenges in maintaining accurate API inventories, as 58% of organizations monitor their APIs less than daily and lack confidence in inventory accuracy. Only 20% have achieved real-time monitoring, leaving most vulnerable to security threats.

Key API security challenges include:

• 37% of security issues stem from vulnerabilities such as misconfigurations and broken object-level authorization

• 34% involve sensitive data exposure

• 29% relate to authentication failures, highlighting weak access controls

“Organizations are facing the challenge of properly cataloging all their APIs so they can be placed into the proper security testing and awareness program,” said Thomas Richards, principal consultant at Black Duck. “The technology can improve workflows and benefit organizations, but we can’t forget the basics of cybersecurity to document, test, and verify best practices in order to innovate securely and manage software risk.”

Despite increasing investments, security gaps persist. Over half of organizations have boosted API security budgets, yet 30% cite limited funds as a key challenge.

Additionally, 22% struggle with personnel shortages and 10% lack proper security tools.

Many organizations (55%) have delayed application rollouts due to API security concerns, while 14% find their API programs difficult to manage.

“Because API attacks most often result from unauthorized or inappropriate access credential use, modern security requires access control that goes well beyond traditional perimeter-based identity access and authentication strategies,” explained Piyush Pandey, CEO at Pathlock. “Dynamic, agile access controls that start with compliant provisioning, continue with high-risk access monitoring and finish with critical application infrastructure health maintenance [are essential].”

Read more on API security trends and best practices: How to Address Shortcomings in API Security

Attack Trends and Emerging Risks

An analysis of API attack patterns reveals that 95% of attacks originate from authenticated users, underscoring the risk of compromised accounts. External-facing APIs remain a primary attack vector, with 98% of attack attempts targeting these interfaces. Among the most exploited vulnerabilities:

• Security misconfigurations (54%)

• Broken object-level authorization (27%)

• API authentication failures (1%)

Generative AI (GenAI) is also reshaping the security landscape, introducing new threats and concerns. One-third of respondents report a lack of confidence in detecting AI-driven attacks, while 31% worry about the security of AI-generated code. Organizations are responding by implementing governance frameworks (26%) and AI-specific security tools (37%).

Strengthening API Security

The report urges organizations to adopt a proactive security strategy, emphasizing real-time monitoring, robust posture governance, and adherence to frameworks such as the OWASP API Security Top Ten. Stronger API inventory management and investment in AI-driven security tools are also critical to mitigating emerging risks.

“The main driver of API adoption is the need for loose coupling between complex systems,” explains Jason Soroko, senior fellow at Sectigo. “APIs are abstraction layers that decouple underlying complexities, enabling rapid integration and development, which fuels digital transformation. [However], as organizations increasingly rely on APIs, the rapid expansion often outpaces security measures.”

To stay ahead, Soroko recommends that “cloud platforms and other purveyors of APIs need to offer security diagnostics to make it easier to rapidly deploy and maintain APIs with secure configurations.”

With API usage continuing to surge, organizations must prioritize security strategies that evolve alongside their expanding ecosystems to safeguard sensitive data and infrastructure against emerging threats.