Understand All About API Sprawl, APIs as an Enabler of Modern Businesses, Zombie APIs, and the Need for Better Visibility

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

We interacted with Michael Nicosia, COO and co-founder of Salt Security, and found a wealth of information about Application Programming Interfaces (APIs). API security is one of the most critical needs of today's digital landscape because of the role APIs play in customer interaction and partner integrations.

APIs fuel companies by sharing data and are hence targeted by threat actors as a lucrative attack vector. The number of APIs in organizations is growing at an unfathomable rate, creating a need for better visibility and raising questions about their security posture.

Nicosia expressed concern over security risks stemming from undocumented ‘shadow’ and outdated ‘zombie’ APIs.

Read this interview for details on the API security threats observed this Q1, incomplete API discovery, and the security needs of the evolving digital landscape.

Vishwa: Please share about your professional choices, traits that help nurture Salt Security as a Co-Founder, and being a serial entrepreneur.

Michael: I have always been drawn to roles where I can help build something meaningful that helps to solve critical customer problems. Salt Security is another example of this. As a co-founder, my focus is on creating solutions that address one of the most critical security needs in today's evolving digital landscape - API security.

My core responsibilities include driving innovation, ensuring customer success, and navigating the complexities of API security. Aside from my responsibilities in managing the business, I am also passionate about allocating time towards mentoring and developing individuals who have the potential to become leaders in the future.

Vishwa: Could you shed light on the rampant targeting of Application Programming Interface (API) with some examples and what led to successful cyberattacks?

Michael: Application Programming Interfaces (APIs) sit at the core of today’s modern applications and are built expressly to share a company’s most valuable data and services. Given the amount of sensitive information transmitted through APIs, they have become a highly lucrative attack vector for bad actors.

Our Salt Labs State of API Security Report Q1 2025 revealed that nearly all of the security professionals surveyed (99%) encountered API security issues within their organizations in the past 12 months. More than half (55%) also slowed the rollout of new applications due to API security concerns.

API security breaches continue to dominate national headlines and impact millions of consumers worldwide. In 2024, there were several notable breaches stemming from API abuse.

Most notably, technology giant Dell experienced a breach which exposed the records of 49 million customers due to an API vulnerability, where attackers exploited a partner portal API to access fake accounts. Alarmingly, this attack was not novel or sophisticated. The attacker simply used a business logic flaw and an API to scrape the millions of records from Dell.

Most API attacks are simplistic whereby attackers exploit authentication weaknesses, posture gaps or commonly known risks such as those outlined in the OWASP API Security Top 10. With proper tooling that enables organizations to discover all of their APIs and proactively remediate posture gaps, API attacks can be easily prevented.

Vishwa: What is your observation about APIs becoming a core component of organizations’ tech stacks?

Michael: APIs are the core enabler of modern business operations. As digital services proliferate, APIs allow various applications to communicate or integrate seamlessly with each other and share information.

They drive customer interactions, partner integrations, and operational automation. As enterprises increasingly adopt cloud-native architectures, microservices, and third-party integrations, the number of APIs within organizations' tech stacks has increased exponentially.

Our research found that nearly one-third (30%) of organizations reported a 51-100% growth in the number of APIs they manage over the past year, while one-quarter of organizations experienced growth exceeding 100%.

This rapid growth, often referred to as API sprawl, can complicate security and management efforts as traditional security tooling is not equipped to deal with the specific challenges of API attacks.

Vishwa: Where do API posture gaps persist? Which is the most powerful API attack based on its impact?

Michael: API posture gaps persist in several key areas. A primary concern is incomplete API discovery and inventory, where organizations struggle to maintain visibility over the rapidly growing number of APIs, including undocumented "shadow" and outdated "zombie" APIs. This lack of a complete picture hinders effective security.

Another significant gap lies in broken authentication and authorization. APIs are frequently targeted due to weaknesses that allow attackers to bypass login controls or access data and functions they shouldn't, a common issue highlighted in the OWASP API Security Top 10.

Business logic flaws also remain a prevalent gap. As seen in breaches like the Dell example, attackers exploit logical weaknesses unique to an API's function to gain unauthorized access to sensitive data, even without sophisticated technical exploits.

When assessing the most impactful API attack, Broken Object Level Authorization (BOLA) is often highlighted. Frequently appearing at the top of the OWASP API Security Top 10, this attack enables attackers to retrieve sensitive data by altering object identifiers in API requests. The risk of large-scale data exposure and the ensuing repercussions contribute to its significant impact.
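The BOLA pattern described above, as an added illustration that is not part of the interview or of Salt Security's code: an order-lookup handler that authenticates the caller but never checks object ownership, beside the hardened form that scopes every lookup to the caller's identity, plus a small regression check a team can keep in its test suite. The store and caller names are constructed.

```python
"""Broken Object Level Authorization (BOLA) in a tiny order-lookup API.

Constructed example: an in-memory dict stands in for the database and a plain
function stands in for the HTTP handler, so no web framework is needed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: str
    total: float


# Constructed sample data: two customers, three orders.
ORDERS = {
    1001: Order(1001, "alice", 42.0),
    1002: Order(1002, "bob", 19.5),
    1003: Order(1003, "alice", 7.25),
}


def get_order_vulnerable(caller_id: str, order_id: int) -> Optional[Order]:
    """BOLA: caller_id is assumed to be set by the authentication layer, but the
    handler never checks that the caller owns the requested object, so any
    authenticated user can read every order simply by changing the id."""
    return ORDERS.get(order_id)


def get_order_hardened(caller_id: str, order_id: int) -> Optional[Order]:
    """Object-level check: the lookup is scoped to the caller. A foreign id is
    treated exactly like a missing one (None, i.e. 404), so the response does
    not even confirm that another customer's order exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != caller_id:
        return None
    return order


def exposed_ids(handler: Callable[[str, int], Optional[Order]],
                caller_id: str, id_range: range) -> List[int]:
    """Regression check for the authorization rule: call the handler as one
    caller over a range of ids and return the ids of orders that came back
    but belong to someone else. A correct handler yields an empty list."""
    leaked = []
    for oid in id_range:
        order = handler(caller_id, oid)
        if order is not None and order.owner_id != caller_id:
            leaked.append(oid)
    return leaked
```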

Vishwa: What are the threats posed by GenAI to application security and APIs?

Michael: Generative AI (GenAI) has enabled developers to create new code and APIs quickly and at scale, expediting organizations' digital innovation efforts. While greatly advantageous from a broader business perspective, GenAI has created significant security challenges from an API and application security standpoint. Our research found that only 11% of security professionals surveyed do not perceive the use of GenAI applications as a growing security concern within their organization.

GenAI applications can generate thousands of new APIs within minutes. Security teams cannot keep pace with manually tracking each of these APIs, while also ensuring that they meet set industry and organizational policies as well as best practices. That is why it is more crucial than ever before that organizations adopt purpose-built tooling that can autonomously assist with API discovery, highlight posture gaps and deviations from industry best practices, and provide detailed threat intelligence of possible malicious activity.

Vishwa: Please elaborate on some of the best practices for securing an organization's application layer and APIs.

Michael: Strong API security starts with complete visibility into one’s entire ecosystem. As you cannot protect against what you cannot see, organizations must identify and assess the security risk of every API, including shadow and zombie APIs, as well as understand the unique behavioral attributes of each of their APIs.

Organizations must also implement strong API posture governance mechanisms that ensure adherence to compliance requirements and industry best practices throughout the API lifecycle. This includes consistent security configurations, and the implementation of proper authentication and authorization mechanisms.

To prevent and mitigate today's API attacks, organizations should also implement best practices in development and testing. Promoting secure API design and development, reducing exposure of sensitive data, conducting design reviews, and maintaining accurate API documentation are crucial for successful API protection.

Continuous monitoring of API traffic and robust threat intelligence is also essential for identifying early indicators of malicious behavior. By deploying advanced AI-driven solutions, organizations can analyze vast amounts of anomalous API traffic in real-time to effectively pinpoint malicious activity and swiftly remediate any security gaps before an attacker can strike.

Organizations must adopt a proactive and comprehensive strategy to address the evolving API security landscape. This includes prioritizing real-time monitoring, adhering to established security frameworks and best practices, and investing in advanced AI-driven solutions.
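The visibility point made above, and the shadow/zombie gap described in the earlier posture-gap answer, as an added example that is not part of the interview or of any Salt Security product: reconciling a documented inventory (an OpenAPI-style path list) against observed traffic to surface endpoints that serve requests without being documented (shadow) and endpoints marked deprecated that are still being called (zombie). The spec, the log lines and that reading of "zombie" are constructed assumptions.

```python
"""Reconcile an API inventory against observed traffic to find shadow and
zombie endpoints. Constructed example: SPEC and LOG_LINES are invented data;
'zombie' here means a deprecated documented endpoint that still gets traffic,
'shadow' means traffic to a path or method the inventory does not list."""
import re
from collections import Counter

# Constructed inventory: path template -> {method: deprecated?}
SPEC = {
    "/v2/orders/{id}": {"GET": False, "DELETE": False},
    "/v2/orders":      {"GET": False, "POST": False},
    "/v1/orders/{id}": {"GET": True},   # deprecated, should have been retired
    "/v2/users/{id}":  {"GET": False},
}

# Constructed access-log lines: "<method> <path> <status>"
LOG_LINES = """\
GET /v2/orders/1001 200
GET /v2/orders/1002 200
GET /v1/orders/1001 200
POST /v2/orders 201
GET /internal/export/users 200
GET /internal/export/users 200
DELETE /v2/orders/1002 204
GET /v2/users/7 200
""".splitlines()


def template_to_regex(template):
    """Turn '/v2/orders/{id}' into a regex matching one concrete segment per
    {param}; literal segments are escaped so '.' or '+' stay literal."""
    parts = ["[^/]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
             for p in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")


COMPILED = [(tpl, template_to_regex(tpl), m) for tpl, m in SPEC.items()]


def classify(method, path):
    """Return (category, endpoint key) where category is 'documented',
    'zombie' or 'shadow'. A known path with an unlisted method is shadow too."""
    for tpl, rx, methods in COMPILED:
        if rx.match(path):
            if method in methods:
                return ("zombie" if methods[method] else "documented", f"{method} {tpl}")
            return ("shadow", f"{method} {tpl}")
    return ("shadow", f"{method} {path}")


def reconcile(lines):
    """Count requests per endpoint in each category; shadow and zombie hits are
    the inventory gaps a security team should review first."""
    result = {"documented": Counter(), "zombie": Counter(), "shadow": Counter()}
    for line in lines:
        method, path, _status = line.split()
        cat, key = classify(method, path)
        result[cat][key] += 1
    return result
```

Feeding real traffic in means only replacing LOG_LINES with parsed access logs and SPEC with the paths section of the organization's own API specification.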

Vishwa: The website of Salt Security says that it offers the only solution architected specifically to secure modernized, cloud-based app architectures. Can you provide more details about this solution?

Michael: The Salt Security API Protection Platform combines cloud-scale big data with machine learning and artificial intelligence to detect and prevent API attacks. Its patented approach blocks “low-and-slow” attacks, providing adaptive intelligence to protect APIs. By correlating activities across millions of APIs and users, Salt offers deep context, real-time analysis, and continuous insights into API threats, including those in the OWASP API Security Top 10 list.

Many organizations find it challenging to maintain a thorough and current inventory of their APIs across various cloud environments. Dedicated to combating this challenge, we recently launched a new offering, Salt Cloud Connect, which equips security and DevOps teams with immediate visibility into their APIs across multiple cloud platforms, simplifying discovery and onboarding. Salt Cloud Connect offers a simplified, agentless solution for identifying and categorizing APIs across diverse cloud platforms. It delivers instant insights and accelerates time to value, ensuring a full and current API inventory.

Salt Cloud Connect delivers immediate insights into an organization's APIs across AWS, Azure, and GCP, ensuring thorough protection. With Salt Cloud Connect, organizations can quickly spot and oversee their APIs, eliminating blind spots and accelerating onboarding processes, which helps them implement and maintain posture governance for every identified API.

Vishwa: Could you share your analysis and predictions about what the future holds for cybersecurity in 2025 and beyond?

Michael: As APIs have evolved into essential enablers for business operations and digital transformation efforts, they will continue to be sought-after attack vectors for cybercriminals this year and beyond. Protecting against rising API abuse must be a top priority for organizations.

This year, organizations should prioritize maturing and formalizing their API security strategy and strengthening their overall API posture. In 2025, we are likely to see a rise in sophisticated API attacks using automation, artificial intelligence, and advanced evasion techniques to exploit vulnerabilities and bypass traditional security measures.

The use of GenAI for API development may also lead to a rise in API misconfigurations, which often occur due to fast-paced development and deployment.

APIs have become crucial IT assets requiring the same scrutiny and protection as any other valuable resource. AI-powered API security solutions, particularly those with strong behavioral threat detection capabilities, are essential for identifying and responding to sophisticated threats in real-time.

These solutions can analyze vast amounts of API traffic and highlight genuinely malicious activities within the overwhelming amount of anomalous traffic that might otherwise go unnoticed. By proactively addressing API security challenges, businesses can safeguard their critical assets and ensure the ongoing success of their digital initiatives in the face of evolving threats.
