Findings highlight that nearly half (43%) of organizations plan to implement API posture governance strategy to combat rising risks
PALO ALTO, Calif. – Salt Security, the leading API security company, today released the Salt Labs State of API Security Report Q1 2025, based on a combination of survey responses from more than 200 IT and security professionals, and anonymized empirical data from Salt Security customers. The research highlights the ongoing API security challenges and threats impacting organizations, and illustrates the need for stronger API governance to mitigate such complexities.
The latest edition of the report found that nearly all respondents (99%) encountered API security issues within the past 12 months and more than half (55%) slowed the rollout of a new application due to API security concerns. Analysis of the most frequently reported security challenges in production APIs revealed that vulnerabilities, exposing APIs to exploits such as injection attacks and Broken Object-Level Authorization (BOLA), accounted for more than one-third of issues (37%), closely followed by sensitive data exposure (34%) and API authentication weaknesses (29%).
Generative AI (GenAI) has also advanced API security challenges, with 47% of respondents expressing concerns about securing AI-generated code and 40% citing potential vulnerabilities introduced by AI-generated code as a top risk. Only 11% of respondents do not perceive the use of GenAI applications as a growing security concern within their organization.
Salt Labs analysis of customer API traffic also revealed that 95% of API attacks over the past 12 months originated from authenticated sources. This signals that traditional API security methods that rely heavily on authentication as a primary defense are no longer sufficient. In addition, 98% of attack attempts targeted external-facing APIs, reinforcing that public APIs are the primary attack vector for malicious actors.
API posture governance strategies are essential for protecting against rampant API attacks, whereby organizations establish and deploy consistent security standards and frameworks across their entire API ecosystem to proactively remediate security gaps and eliminate blind spots. Similar to last year’s report, only 10% of organizations currently have an API posture governance strategy in place. However, 43% plan to implement such a strategy within the next 12 months, recognizing the importance of posture governance for securing APIs.
“In a digital-first society, whereby APIs enable innovation and seamless interconnectivity, the pace at which organizations are deploying APIs has increased exponentially,” said Roey Eliyahu, co-founder and CEO, Salt Security. “The insights provided by survey respondents and the data from Salt’s customer base, highlights how bad actors continue to exploit APIs through known security weaknesses and leverage legitimate means to remain undetected. This underscores the necessity of implementing a robust, proactive API security strategy – a strategy that should not only encompass timely threat detection and incident responses but also API governance. By implementing frameworks that ensure security policies are clearly defined, continuously enforced, and regularly assessed, organizations can mitigate API risks before they can be exploited.”
Additional key findings from the 2025 State of API Security Report include:
API security maturity remains low despite increasing budgets
- According to survey respondents, 69% of organizations increased their API security budgets by more than 5%.
- However, overall maturity of API security strategies remains low. 59% of respondents are still in the planning or basic stages, and only 6% reported advanced API security security programs.
- Budget constraints (30%), resource limitations (22%), and inadequate tooling (10%) continue to hinder progress.
Most attacks correlate back to OWASP API Security Top 10
When examining attack techniques within customer environments, Salt Labs researchers uncovered that 80% of attack attempts align with the threats outlined in OWASP API Security Top 10 list.
- Salt Labs researchers observed that 54% of attacks observed related to security misconfigurations (API8).
- Broken object-level authorization (API1) accounted for 27% of attacks.
- In contrast, vulnerabilities such as broken user authentication (API2) and security monitoring and logging failures (API7) only relate to 1% of attacks.
Organizations are managing more APIs than ever
The surge in API adoption, fueled by the need for organizations to modernize infrastructures, and unlock new revenue streams, is contributing to the rise in API security risk.
- Nearly one-third (30%) of organizations reported a 51-100% growth in the number of APIs they manage over the past year, while one-quarter of organizations experienced growth exceeding 100%.
- According to the data, 43% of organizations now manage up to 100 APIs, while 34% oversee between 101 and 500 APIs daily.
GenAI risk mitigation strategies encompass developer training and purpose-built AI security solutions
To address GenAI risks, organizations are implementing a variety of mitigation strategies.
- 56% of survey respondents are prioritizing developer training for the unique security challenges of AI-generated code.
- Specialized AI security tools have also been deployed by 37% to address the unique vulnerabilities introduced by AI-driven processes.
- 40% are deploying code reviews and security testing to ensure AI-generated code and APIs meet quality and security standards.
Organizations measure API security success by analyzing compliance posture and cost savings
Measuring return on investment (ROI) for API security is essential for aligning security initiatives with organizational goals and demonstrating value to stakeholders.
- More than a third of organizations (37%) evaluate improvements to compliance posture for evaluating API security effectiveness.
- 25% of organizations measure ROI through cost savings achieved by preventing security breaches.
- 16% of respondents measure reductions in API-related security incidents to measure program success.
Maintaining accurate API inventories remains challenging
The findings reveal critical gaps in API monitoring and inventory management
- Alarmingly, a mere 15% expressed strong confidence in the accuracy of their API inventories while 34% admitted they lack visibility into sensitive data exposure through APIs
- In addition, only 20% of respondents have measures in place to continuously monitor APIs.
The Salt Labs State of API Security Report Q1 2025, was compiled by researchers from Salt Labs, the research division of Salt Security, utilizing survey data from 206 respondents tasked with managing APIs in their organizations. Respondents provided detailed data on API development trends, security challenges, monitoring practices, and the adoption of frameworks and tools to address API vulnerabilities.
To download a copy of the full report, please visit: https://content.salt.security/state-api-report.html
A comprehensive blog exploring the findings also be found here: https://salt.security/blog/navigating-the-api-security-landscape-progress-and-persistent-challenges-in-2025
