The Biggest API Security Red Flags

API security lapses are now common and public. AI apps and interconnected ecosystems are increasing risk and complexity. It is no coincidence that attackers have pivoted to target API endpoints.

Businesses need to reevaluate their API security strategy to ensure they are ready to defend their API-based applications. But where should they start?

In this infographic, we delve into the top five API security red flags that every organization should be aware of. By better understanding these signs, businesses can recognize top risks and proactively address them to improve their holistic approach to API security.

You don’t know where all your APIs are
  • API sprawl is shockingly pervasive. According to the Datos API Security Solution Evaluation Guide, the number of APIs in use by 2030 will exceed 2 billion, with organizations already using more than 20,000 APIs on average.
  • API endpoints represent a unique challenge. Per F5’s 2024 State of Application Strategy Report, “an individual API can have dozens or hundreds of endpoints.” To make things even more complicated, an organization may not fully control all the APIs that make contact with their systems.
  • Postman’s 2023 State of the API report identified the following obstacles to consuming APIs:
    • Lack of documentation (52%)
    • Difficulty in discovering APIs (32%)
There is ambiguity in your organization’s attack surface
  • The Datos API Security Solution Evaluation Guide explains the core problem: “The enumeration of the API attack surface is essential to securing APIs. CISOs cannot protect what is not known. API discovery is needed to identify shadow, orphan, out-of-version, and dated APIs.”
  • APIs are crucial to any modern business. As described by Venture Beat, “APIs account for 91% of all web traffic and they fit with the trend towards microservices architectures and the need to respond dynamically to rapidly changing market conditions.”
  • And because they play a key role, APIs are a popular target for cybercriminals. 90% of web-based cyberattacks target API endpoints, and more than 1 billion records have been compromised in attacks that originated at an API.
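The two sections above make the same point: you cannot enumerate an API attack surface you have never inventoried. One practical way to start that enumeration is to infer the endpoints that are actually receiving traffic from access logs and diff them against the documented inventory. The script below is an added example, not code from the original page or from F5; it uses constructed sample log lines in Apache/nginx combined format and a constructed inventory standing in for the paths section of an OpenAPI spec. Endpoints that are observed but undocumented are reported as shadow APIs, documented endpoints with no traffic as orphan candidates, and traffic to an older version of a documented path as out-of-version.

```python
"""Shadow / orphan / out-of-version API discovery from access logs.

Added example (not part of the original page). Assumes combined-format access
logs and a documented inventory given as (METHOD, path template) pairs.
"""
import re
from collections import Counter

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /api/v2/users/1042 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/May/2024:10:00:02 +0000] "GET /api/v2/users/7781 HTTP/1.1" 200 498 "-" "curl/8.0"
10.0.0.9 - - [12/May/2024:10:00:03 +0000] "POST /api/v2/orders HTTP/1.1" 201 88 "-" "python-requests/2.31"
10.0.0.9 - - [12/May/2024:10:00:04 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 500 "-" "python-requests/2.31"
10.0.0.12 - - [12/May/2024:10:00:05 +0000] "GET /api/v2/admin/export?all=1 HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
10.0.0.12 - - [12/May/2024:10:00:06 +0000] "GET /api/v2/orders/550e8400-e29b-41d4-a716-446655440000 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Constructed documented inventory (hypothetical), e.g. from an OpenAPI spec.
DOCUMENTED = {
    ("GET", "/api/v2/users/{id}"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/orders/{id}"),
    ("DELETE", "/api/v2/orders/{id}"),
}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
VERSION_RE = re.compile(r"/v(?P<ver>\d+)/")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def normalize(path: str) -> str:
    """Collapse numeric and UUID segments to {id} so /users/1042 and
    /users/7781 count as one endpoint; drop the query string."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
                    for seg in path.split("/"))


def strip_version(template: str):
    """Return (version number or None, template with the /vN/ segment removed)."""
    m = VERSION_RE.search(template)
    ver = int(m.group("ver")) if m else None
    return ver, VERSION_RE.sub("/", template, count=1)


def observed_endpoints(log_text: str) -> Counter:
    """Count requests per (method, normalized path template) seen in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m.group("method"), normalize(m.group("path")))] += 1
    return counts


def discover(log_text: str, documented: set) -> dict:
    """Diff observed traffic against the documented inventory."""
    observed = observed_endpoints(log_text)
    # Latest documented version for each (method, version-less path).
    latest = {}
    for method, tmpl in documented:
        ver, base = strip_version(tmpl)
        if ver is not None:
            latest[(method, base)] = max(ver, latest.get((method, base), 0))
    report = {"shadow": {}, "out_of_version": {},
              "orphan": sorted(documented - set(observed))}
    for (method, tmpl), n in observed.items():
        if (method, tmpl) in documented:
            continue
        ver, base = strip_version(tmpl)
        newest = latest.get((method, base))
        if ver is not None and newest is not None and ver < newest:
            report["out_of_version"][(method, tmpl)] = {"requests": n, "latest": newest}
        else:
            report["shadow"][(method, tmpl)] = n
    return report


if __name__ == "__main__":
    result = discover(SAMPLE_LOG, DOCUMENTED)
    for kind in ("shadow", "out_of_version", "orphan"):
        print(kind, result[kind])
```

On the sample data this flags `GET /api/v2/admin/export` as a shadow endpoint, `GET /api/v1/users/{id}` as out-of-version traffic still hitting a retired version, and `DELETE /api/v2/orders/{id}` as a documented endpoint with no observed callers. The caveat a practitioner should keep in mind is that log-based discovery only sees traffic that passed through a logged tier; APIs exposed by hosts or gateways outside central logging remain invisible, which is exactly the sprawl problem the page describes, so this check complements rather than replaces an inventory built from gateways, code, and network telemetry.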
Your security stack is too complex
  • Today’s apps and APIs are being deployed into a hybrid, multicloud landscape. As reported in the 2024 State of Application Strategy Report, nearly 90% of organizations are operating in hybrid deployment models, including SaaS, public cloud/IaaS, on-premises (traditional), on-premises (private cloud), colocation, and edge.
  • From the same report: the number of organizations running in six different models increased almost 20% from 2023 to 2024.
  • 66% of large enterprises (with 10,000+ employees) typically use 60–80 security tools—partly because of the dedicated tools necessary to address specific needs across multiple cloud environments.
Maintaining your security posture is too manual
  • With so many APIs and endpoints, manual security updates aren’t sustainable. Automating API security can dramatically reduce the need for manual updates, as demonstrated in a McGraw Hill case study documenting their efforts to reduce the complexity of managing 18 million monthly API requests.
  • State of Application Strategy survey respondents report that manual patching and updating isn’t fast enough when responding to zero-day attacks, with many decision makers reporting that the high cost of successful attacks makes app and API security automation a must-have. To that end, app and API security automation increased from 33% to 43% over the past year. The number of CVEs published is accelerating, and F5 Labs researchers expect 500 new CVEs to be published in a typical week in 2025.
  • Increasing adoption of generative AI also has implications for app and API security; the top use case for generative AI in security is automatically adjusting security policies and generating security configurations in response to detected threats.
You’re worried about securing AI apps
  • Securing generative AI starts with a foundation of good app and API security. This is described succinctly by Mete Atamel, cloud developer advocate for Google: “No matter how you’re using gen AI, at the end of the day, you’re calling an endpoint either with an SDK or a library or via a REST API.”
  • Within two months of the launch of the OpenAI GPT Store, users had already created over 3 million custom versions of ChatGPT, demonstrating the scale of the challenge of securing third-party providers.
  • IDC reports that, “66% of respondents point out GenAI, and broadly, public and private AI workloads, as one of their top use cases.” They found that “most enterprise AI-powered applications are highly distributed in their implementation, requiring 10s to 100s of API interactions that need to traverse a diverse set of public cloud, specialized cloud, and on-premises infrastructure and application environments in a highly available and secure manner.” F5 researchers also found that most organizations anticipate deploying AI apps in hybrid and multicloud environments, with State of Application Strategy survey respondents indicating they would maintain AI apps in the public cloud (80%) and on-premises (54%).

Learn how F5 can help improve your organization’s holistic approach to API security.