API Security Trends 2025

95% of API attacks originated from authenticated sources, and 98% of attack attempts targeted external-facing APIs.

37% have deployed specialised AI security tools, and 40% are deploying code reviews and security testing.

37% evaluate improvements to compliance posture for evaluating API security effectiveness, 25% measure ROI through cost savings achieved by preventing security breaches, and 16% measure reductions in API-related security incidents to measure program success.

59% of respondents are still in the planning or basic stages of API security strategies, and only 6% reported advanced API security programs.

99% of respondents experienced API security issues in the past 12 months.

Regarding Generative AI (GenAI), 47% of respondents expressed concerns about securing AI-generated code, and 40% cited potential vulnerabilities introduced by AI-generated code as a top risk. Only 11% do not perceive the use of GenAI applications as a growing security concern.

30% of organisations reported a 51-100% growth in the number of APIs they manage over the past year, while 25% experienced growth exceeding 100%.

54% of attacks observed related to security misconfigurations (API8), while 27% related to broken object-level authorization (API1). In contrast, vulnerabilities such as broken user authentication (API2) and security monitoring and logging failures (API7) only relate to 1% of attacks.

56% of survey respondents are prioritising developer training for the unique security challenges of AI-generated code.

55% slowed the rollout of a new application due to API security concerns.

Only 10% of organisations currently have an API posture governance strategy in place, but 43% plan to implement such a strategy within the next 12 months.

69% of organisations increased their API security budgets by more than 5%.

Only 15% expressed strong confidence in the accuracy of their API inventories, while 34% admitted they lack visibility into sensitive data exposure through APIs. Additionally, only 20% of respondents have measures in place to continuously monitor APIs.

80% of attack attempts align with the threats outlined in OWASP API Security Top 10 list.

37% of reported security challenges in production APIs were due to vulnerabilities, such as injection attacks and Broken Object-Level Authorization (BOLA), 34% due to sensitive data exposure, and 29% due to API authentication weaknesses.

43% of organisations now manage up to 100 APIs, while 34% oversee between 101 and 500 APIs daily.