The inconvenient truth about API security
Ovum Consulting asked IT and security professionals across a variety of industries globally about their use of APIs, adoption of API management platforms, and the security features included in those platforms.
“The use of APIs to enable applications to interact across single and multiple infrastructures is skyrocketing and innovation is being fueled by companies finding new ways to monetize their software assets by exposing APIs to outside developers,” said Rik Turner, senior analyst at Ovum. “However, exposing APIs to developers outside the company creates significant risk and APIs are becoming a growing target for cyber criminals. This study highlights an alarming lack of consistency and ownership in how API security is addressed.”
According to the report, the majority of companies surveyed are running some form of an API management platform, either developed in-house or from a commercial provider. However, the security features included in these API management platforms are inconsistent, with many lacking basic rate limiting functionality. Also of note is the lack of responsibility for API security.
There is nearly an even split between those that give responsibility for API Security to their developers and those that allocate it to the IT security team.
The purpose behind APIs
- 51 percent of respondents said that their rationale for API deployment was to enable their external developer ecosystem
- 67 percent said partner connectivity was the main goal while 62 percent cited mobility and 57 percent cited cloud integration.
API security woes
- 83 percent of those surveyed were concerned with API security
- 87 percent of respondents were running an API Management platform, with 63 percent using a platform developed in-house.
API management platforms lack critical features and automation
- Rate limiting, considered to be a basic API security practice, was employed by less than half of respondents
- Over two-thirds of respondents were spending over 20 hours a month managing API rate limiting
- Only 21.9 percent of respondents had protection from API malicious usage, API developer errors, automated API scraping, and web and mobile API hijacking.
Who is responsible for API security
- 53 percent of respondents feel security teams should be responsible for API security, while 47 percent believe the developer teams should hold responsibility
- 30 percent of APIs are spec’d out without any input from the IT security team and 27 percent of APIs proceed through the development stage without the IT security team weighing in
- 21 percent of APIs go live without any input from security professionals.