APIs are quickly becoming the glue that holds modern app development and business operations together, allowing multiple different systems to share data and communicate, which makes them crucial to organizations and attractive targets to bad actors.
However, even as the use of APIs has grown substantially – exposing more data and functionality through them – few organizations have the security in place to protect them, according to a report this week by Raidiam, a London-based company that builds secure data-sharing systems, with a particular focus on financial services firms.
In the study, “Helping Enterprises Recognize and Address Critical Risks,” a survey of 68 companies – which didn’t include organizations that are in highly regulated industries and are required to have hardened security systems in place – found that 84% of them had API defenses in place that were far below what they need, given the sensitivity of the data they exposed.
Another 15% had some security measures in place, though still insufficient for what they need. Only one organization – about 1.5% of those surveyed – had the API security they required given the sensitivity of the APIs.
“Nearly the entire sample showed some degree of misalignment, with an overwhelming skew toward serious under-protection,” the researchers wrote in the 12-page report. “The trend is clear: most organizations are behind the curve on API security hardening, even as their reliance on APIs has grown.”
Use of APIs is expected to increase rapidly in the coming years, with AI helping to drive the growth. According to Research and Markets, the global AI API market is forecast to jump from $44.41 billion this year to $179.14 billion by 2030, due in large part to the demand for AI and its capabilities for creating dynamic content, automating workflows, and enhancing personalization in a range of industries, such as health care and life sciences.
These APIs can hold a wide range of sensitive data, from personally identifiable information and financial data to authentication credentials, proprietary corporate data, and location and demographic information. That makes them prime targets for threat actors.
Salt Security researchers wrote in a report in February that 99% of more than 200 IT and security pros surveyed said their organizations were hit with API security issues within the previous 12 months, with 55% saying such problems slowed the planned rollouts of applications.
This comes as the number of APIs companies manage is increasing, with 30% seeing a 51% to 100% growth in that number over the previous year and a quarter saying the growth exceeded 100%. About 43% of organizations manage up to 100 APIs, with 34% putting the number between 101 and 500.
There’s a desire to boost API security, according to Salt researchers, with 69% of organizations increasing their budgets by more than 5%. However, maturity is low – 59% are still in the planning stages – and issues like budget constraints, resource limitations, and inadequate tools are slowing progress.
The results of Salt Security’s survey echo what Raidiam found, with issues like authentication and authorization controls being too weak and lacking fine-grained control and security oversight being inconsistent.
“This combination of high incident prevalence and inadequate controls creates an urgent call to action,” they wrote. “If left unaddressed, the gaps identified will continue to be exploited by attackers, putting sensitive data and business operations at risk.”
The survey found that 85% of companies that responded handle payment data or special categories of personal data, but only one had in place the necessary cryptographic API protections. In addition, 57 of the 68 firms surveyed – about 84% – use bare API keys or basic OAuth credentials, which researchers said are weak and outdated.
In addition, fewer than half run regular penetration testing or runtime anomaly monitoring of APIs.
The fact that 84% of the companies surveyed had woefully insufficient API protections indicated that they “are exposing customer data or transaction capabilities via APIs that an attacker could potentially exploit with only modest effort. Common shortcomings include the continued use of static API keys or long-lived secrets, a lack of encryption at the connection or payload level beyond basic TLS, and missing enforcement of per-client access controls.”
That said, Raidiam outlined a number of established approaches for modernizing API security and reducing the threat from hackers, with a common pattern being the use of strong cryptographic identity and authentication tools – based on Public Key Infrastructure, or PKI – that can replace or support traditional secrets.
That includes mutual TLS (mTLS), a method in which a client must present a valid X.509 certificate to authenticate to the server, with the server presenting its certificate, all leveraging PKI. They also noted extensions for OAuth 2.0 frameworks that pull together OAuth with PKI for stronger security.
“Beyond authentication of clients, client authorization and token scope should be tightly managed,” they wrote. “OAuth 2.0 allows fine-grained scopes and consent, which should be used to enforce least privilege – an API client should only get access to the specific data/actions it needs, nothing more.”
Other recommended measures include short-lived tokens with continuous re-validation, running all API traffic over TLS encryption, HTTP message signatures and webhooks, and zero trust architectures.
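To make the recommendations in the last few paragraphs concrete (short-lived tokens instead of static keys, per-client scope enforcement for least privilege, and binding a token to the client's mTLS certificate), here is an added illustrative example that is not from the report or from Raidiam; the token format, the HMAC demo key, the `REQUIRED_SCOPE` policy table and the sample certificate bytes are all constructed assumptions, and the certificate binding follows the RFC 8705 `cnf` / `x5t#S256` pattern.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real authorization server would sign with an asymmetric key.
ISSUER_KEY = b"demo-secret-not-for-production"

# Least-privilege policy (assumed): each API action requires exactly one scope.
REQUIRED_SCOPE = {
    ("GET", "/accounts"): "accounts:read",
    ("POST", "/payments"): "payments:write",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(client_id, scopes, cert_der=None, ttl=300, now=None):
    """Mint a short-lived token in a JWS-like compact form: payload.signature."""
    now = int(now if now is not None else time.time())
    claims = {"sub": client_id, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    if cert_der is not None:
        # Bind the token to the client's mTLS certificate (RFC 8705-style cnf claim),
        # so a stolen token is useless without the matching private key.
        claims["cnf"] = {"x5t#S256": _b64url(hashlib.sha256(cert_der).digest())}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def authorize(token, method, path, presented_cert_der=None, now=None):
    """Return (allowed, reason); fails closed on signature, expiry, cert binding, scope."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64url(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = int(now if now is not None else time.time())
    if now >= claims["exp"]:                      # short-lived: re-validation forces refresh
        return False, "expired"
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is not None:                         # certificate-bound token must match the mTLS cert
        if presented_cert_der is None:
            return False, "cert_required"
        if not hmac.compare_digest(bound, _b64url(hashlib.sha256(presented_cert_der).digest())):
            return False, "cert_mismatch"
    need = REQUIRED_SCOPE.get((method, path))
    if need is None:
        return False, "unknown_endpoint"
    if need not in claims["scope"].split():       # per-client least privilege
        return False, "insufficient_scope"
    return True, "ok"
```

The `cert_der` values here stand in for the DER bytes a TLS stack would expose for the peer certificate after the mTLS handshake.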