The use of APIs has mushroomed in recent years, playing a pivotal role in businesses’ digital transformation strategies as web applications become increasingly interconnected. In fact, recent research from ESG1 found that 96% of organizations have applications that depend on APIs and API usage is sure to continue to grow. And within two years, a significant 57% of organizations believe that most or all their applications will use APIs. 

With the increased usage of APIs comes another avenue for threat actors to target and businesses to protect against, underscoring the need for robust API security. In fact, 42% of chief information security officers (CISOs) identified APIs as the top IT component needing security. How has API use impacting security posture? What are the challenges security teams are facing and what trends need to be top of mind? Following are some of the top findings from Trends in Modern Application Protection that you need to know. 

The Challenge of Visibility

As the use and scale of APIs continues to increase across a business, so, too, does API visibility. More than one-third of respondents to the Trends in Modern Application Protection survey reported challenges with cataloging APIs while 32% cited problems both discovering and remediating API misconfigurations.  

Responsibility for API Security

The challenge of securing APIs is compounded by a lack of clarity on who within a business owns security for both APIs and web apps (42% of respondents). And for those organizations with API security tools in place, some are struggling with tool proliferation (35%) while others are employing tools not purpose built for API security (31%). 

API Vulnerabilities

Over the last 12 months, API injection attacks were experienced by 28% of study respondents, while 23% reported attacks stemming from API misconfigurations. Businesses also are grappling with how to keep pace with the latest API threats (41%) as well as issues related to data governance and/or data exposure issues due to insecure APIs (39%). Other challenges include accurately inventorying APIs used (37%), inconsistent adoption of API specifications (35%), and using multiple API management tools (35%). 

Consequences of Successful Attacks

And when there is a successful attack on APIs and public-facing web apps, the results often are significant to organizations including: 

  • 40% experiencing downtime as the result of an API or web app attack 
  • 34% having negative customer experiences 
  • 33% incurring cost infrastructure overruns 
  • 26% reporting lost revenue 
  • 26% having compliance issues 

Increased Spending on API Protection

To safeguard their APIs and web apps, nine out of 10 organizations plan to increase their investment in protection technologies, services, and personnel over the next 12 to 18 months. Where they’ll be spending those dollars, however, isn’t aligned. According to Trends in Modern Application Protection, the top drivers for this heightened security focus include: 

  • Maintaining application uptime/user experience (18%) 
  • Protecting consumer data (16%) 
  • Fulfilling data governance/compliance obligations (16%) 
  • Protecting corporate data (14%) 
  • Protecting brand standing and reputation (13%) 
  • Controlling infrastructure cost overruns (12%) 
  • Improving the bottom line (11%) 

As the use of APIs continues to grow, ensuring their security will be paramount. One of the most effective ways to bolster your organization’s security posture against countless threats to APIs and web apps is a managed web application firewall (WAF).  

Discover how Fortra Managed WAF provides both the API and web protection you need through a single, consolidated tool that is highly versatile, enterprise level, and cloud ready. 


  1. Trends in Modern Application Protection
Josh Davies
About the Author
Josh Davies
Josh Davies is the Principal Technical Product Marketing Manager at Alert Logic. Formerly a security analyst and solutions architect, Josh has extensive experience working with mid-market and enterprise organizations, conducting incident response and threat hunting activities as an analyst before working with businesses to identify appropriate security solutions for challenges across cloud, on-premises, and hybrid environments.

Related Post

Ready to protect your company with Alert Logic MDR?