Book a Meeting
Decorative Image

The Expanding API Attack Surface: Key Insights from the 2025 Salt Security Report

Executive summary

The 2025 Salt Security State of API Security Report reveals that while API adoption continues to accelerate, most organizations struggle to secure their expanding ecosystems. Key issues include limited real-time monitoring, widespread misconfigurations, poor runtime protection, and emerging risks from generative AI. Despite increased investment, only a small fraction of organizations have mature API security programs, and many remain vulnerable due to outdated strategies and ineffective tooling.

This blog highlights the report’s most critical findings and outlines strategic actions needed to address modern API threats—emphasizing the importance of posture governance, continuous monitoring, behavioral analysis, and AI-aware security practices. It concludes by introducing Codesealer’s client-side protection model, which closes core visibility and exposure gaps by dynamically encrypting API traffic and concealing application logic—making APIs inherently resistant to discovery, abuse, and exploitation.

APIs are now the backbone of modern digital infrastructure—driving cloud adoption, enabling platform integration, and serving as core components in customer-facing applications. Yet, as revealed in the 2025 Salt Security State of API Security Report, the pace of API proliferation has significantly outstripped the maturity of most organizations’ security practices.

This blog distills the report’s critical findings and outlines the necessary steps for addressing today’s API security challenges.

API Growth Is Outpacing Security Measures

According to the report, over 50% of organizations experienced more than 50% growth in their API footprint over the past year, with 25% seeing API volumes double. However, only 20% of organizations monitor their APIs in real time. This lag creates substantial risk, particularly as 98% of attack attempts target external-facing APIs, and 95% originate from authenticated users—undermining traditional perimeter-based or authentication-centric defenses.

Known Vulnerabilities Remain the Primary Exploit Path

80% of attacks align with the OWASP API Security Top 10, with Security Misconfiguration (API8) and Broken Object-Level Authorization (API1) being the most exploited. These findings indicate that attackers continue to exploit well-documented flaws because basic misconfigurations and inadequate authorization controls persist across environments.

Runtime Security and Governance Are Lacking

The report highlights that only 6% of organizations have mature API security programs in place. Meanwhile, 26% of organizations are unable to detect runtime security gaps, and 30% cite budget limitations as the primary barrier to an effective API security strategy. Furthermore, only 10% currently implement posture governance strategies—a critical component for enforcing security policies and ensuring consistent API behavior across development and production.

Generative AI Introduces New Security Challenges

41% of respondents identified Generative AI as a growing concern. Organizations expressed low confidence in their ability to detect AI-driven attacks or secure AI-generated code. The lack of rigorous validation for AI outputs introduces new vulnerabilities into the development lifecycle. Without targeted mitigation strategies, such as governance frameworks, developer training, and AI-aware security tooling, these risks will continue to increase.

Misalignment Between Investment and Impact

Despite a majority of organizations increasing their API security budgets, only 17% rate their tools as “very effective” at preventing API attacks. Tooling gaps, immature strategies, and limited runtime observability continue to undermine security investments.

Strategic Recommendations

Based on the findings, the following areas require immediate attention:

  1. Adopt Real-Time Monitoring and Runtime Protection
    Continuous API traffic inspection is critical for detecting active threats and minimizing dwell time.
  2. Implement API Posture Governance
    Enforce security policies such as access control, rate limiting, and data exposure constraints at scale.
  3. Strengthen Authorization and Behavioral Analysis
    With most attacks coming from authenticated sources, behavioral monitoring and anomaly detection are essential to augment static policy enforcement.
  4. Secure AI-Generated Code
    Introduce structured review processes, enforce secure coding guidelines for AI-assisted development, and integrate AI-specific security tools.
  5. Align Security Investments with Operational Gaps
    Prioritize investments in effective runtime detection, inventory automation, and comprehensive testing frameworks rather than relying solely on pre-production controls.

How Codesealer Closes the API Security Gap

Codesealer provides a fundamentally different approach to API protection by shifting security enforcement to the client side and obfuscating the entire application interaction surface. This eliminates the visibility attackers need during reconnaissance, preventing many attacks before they begin.

Specifically, Codesealer protects APIs by:

  • Wrapping API traffic in end-to-end dynamic encryption, shielding both payloads and metadata from tampering, replay, and interception—even beyond TLS.
  • Hiding internal API structures, parameters, and endpoints by encrypting the entire browser-to-server communication logic, effectively blocking automated enumeration and scraping.
  • Preventing OWASP Top 10 attacks at the root, especially business logic abuse, injection attempts, and broken authorization exploits, by eliminating attacker access to unauthenticated and authenticated API semantics.
  • Disrupting reconnaissance and pre-exploitation stages, denying adversaries the contextual access they need to fingerprint services, test inputs, or discover authorization misconfigurations.
  • Delivering zero-visibility application sessions, ensuring that APIs remain opaque to both manual and automated probing tools without introducing friction to legitimate users.

By operating as a transparent overlay, Codesealer requires no code changes and supports both legacy and modern API infrastructures. It serves as a proactive defense layer that neutralizes threats long before conventional tools would even detect them.

If your API security strategy is still focused on known signatures and reactive blocking, it’s time to rethink your defenses. Codesealer enables a forward-leaning posture that protects APIs by design—keeping your attack surface invisible, encrypted, and unexploitable.

Codesealer Free Trial Available

Take a deep dive into the technology, get in touch with us, or try Codesealer totally free.

We have something for both managers and developers. Click below to find out about what next steps you can take.

Learn More About Codesealer
image saying 'protected by Codesealer'
Privacy Policy
Njalsgade 76, 3rd FloorCopenhagen, Denmark
Codesealer
Our ProductDeployment Options and PricingSee Codesealer in ActionTry It YourselfLearn MoreCodesealer Portal
Features
API EncryptionAPI ConcealmentSecure Code DeliverySeamless IntegrationNo Code ChangesRuntime Protection
Resources
White PapersCybersecurity InsightsDemo VideosAPI Security Best PracticesOWASP Top 10 StandardsPCI DSS v4.0
Company
About UsPrivacy PolicyContact Us