A majority of organizations say they’ve experienced an API security incident in the past year, and these attacks are expected to grow significantly over the next five years, according to a recent survey.
Developers typically share in the responsibility for stopping these incidents, according to the “API Security Perspectives 2025” report released in December by API solution provider Kong. The survey queried 700 IT and business leaders in the United States and the U.K.
API Security Incidents Predicted to Increase
Of those surveyed, 55% reported an API security incident in 2024.
While the survey did not delve into the exact nature of these incidents, typically organizations face threats due to unauthorized access, unpatched vulnerabilities or DDoS attacks, all of which require immediate action, said Christopher Whaley, an economist and independent consultant who works with Kong on its research reports.
“Identifying a vulnerability can also qualify as a security incident, as it represents a weakness needing prompt preventative action,” Whaley told The New Stack. “Such cases are tracked, documented and resolved to support compliance and proactive risk management.”
The situation is unlikely to get better without diligence by organizations. Kong predicts there will be a 548% increase in API attacks by 2030. That’s an estimate from its “2024 API Impact Report,” which used statistical modeling to reach that number.
“The results reflect that the tools and techniques used by bad actors are becoming increasingly sophisticated and attacks are occurring with greater frequency,” Whaley said. “Moreover, the analysis factored in expected inflation-adjusted economic growth in the API sector and the rising costs of security breaches, including both direct and indirect impacts.”
Developers Share Responsibility for APIs
Developers and security teams typically share responsibility for ensuring APIs are secure.
“While the security team is ultimately responsible for the overall security posture of an organization, developers play a key role in building and managing secure APIs,” Whaley said. “They need to write secure code and implement security measures during the development phase, such as input validation, authentication, encryption and access control.”
The security team defines and enforces security policies, he said. They’re also responsible for establishing governance frameworks and managing tools to monitor, detect and respond to threats.
Whaley said a good governance framework includes the following components:
- Federated API management, which allows for decentralized development with centralized governance, promoting agility without compromising security;
- Role-based access control (RBAC), which gives developers tailored access to services and enforces fine-grained governance from the onboarding process onward, ensuring that only authorized personnel can access and modify API configurations;
- Standardized policy enforcement, which defines, applies and enforces governance policies programmatically and consistently across gateways, ingress controllers and service meshes, reducing the risk of human error and ensuring uniform security measures across all services; and
- A centralized audit platform. Using a single platform for managing APIs, with change tracking and monitoring across the entire API landscape, enhances transparency and accountability and makes compliance with internal policies and external regulations easier.
Developers’ Role in Securing APIs
There are steps developers can take to improve API security before an incident, Whaley said. Specifically, he recommended:
- Adding “robust mechanisms” for verifying identities and controlling access, to ensure only authorized users and applications interact with APIs;
- Enforcing encryption, specifically HTTPS and TLS, which protects against eavesdropping — a cyber attack where a malicious actor intercepts and listens to data being transmitted between applications through an API — and data breaches;
- Using rate limiting and throttling, which guard against denial-of-service attacks and ensure APIs are used within expected limits;
- Implementing a zero trust architecture to ensure that all interactions are continuously verified regardless of origin;
- Continuously monitoring API traffic for suspicious activity and maintaining detailed logs for auditing and incident response; and
- Leveraging an API gateway to provide visibility into API usage for compliance and troubleshooting. (Disclosure: Kong sells an API gateway.)
The Costs of API Incidents
When API security measures fail and there is a problem, the cost of an API breach is not necessarily minor. Twenty percent of respondents said remediation costs exceeded $500,000 in the past 12 months. That figure is a per-incident estimate, Whaley clarified, although he added that $500,000 is the high end of the spectrum.
These cost estimates tend to encompass both tangible expenses and intangible ones, such as reputational damage and customer trust erosion, he said.
“Actual costs can vary significantly based on factors such as the nature of the incident, the organization’s preparedness and the effectiveness of its response strategies,” he said. “Investing in proactive security measures, such as implementing AI and automation, can substantially reduce these costs.”
Developers’ Role in Remediating an API Incident
Developers also play an important role in remediating API security problems, he said. Their job is to implement fixes and ensure that vulnerabilities are properly addressed.
Remediating an incident can include fixing vulnerabilities, deploying patches and addressing any misconfigurations. But it can also sometimes mean hiring external help in the form of security consultants, investing in new security tools and covering any legal and compliance fees, he said.
“Additionally, there are intangible factors to consider, like damage to brand reputation and loss of customer confidence, which can have a big impact even if they are harder to quantify,” Whaley added.
U.S. Lags U.K. in API Gateway Deployment
It’s worth noting that the report found API gateways, which can help prevent API attacks, are used less in the United States than the U.K. Only 50% of U.S. companies reported using an API gateway, compared to 71% in the U.K.
“The U.K. does have more stringent data protection and privacy regulations as we’ve seen with GDPR,” Whaley said. “Investing in an API gateway can make complying with those regulations significantly easier. It is likely that is where the discrepancy comes from.”
But, he said, the responses from both the U.S. and U.K. suggest more organizations are starting to understand the role an API gateway can play in API security. API gateways can even help stop AI-driven attacks, which could emerge as a factor in increasing API attacks.
“An API gateway provides a centralized control point for managing, monitoring and securing API traffic,” Whaley said. “It provides developers with the security tactics such as anomaly detection, rate limiting, authentication, encryption and real-time monitoring that are needed to identify and mitigate AI-driven attacks.”
The post Developers Are Key to Stopping Rising API Security Threat appeared first on The New Stack.