API Security Significantly Lacking for Enterprises


In this age of app-centric working and the cloud, the majority of companies are running some form of an API management platform, either developed in-house or from a commercial provider. However, the security features included in these API management platforms are inconsistent, with many lacking basic rate limiting functionality.

According to a study from Ovum, about 87% of respondents were running an API management platform, with 63% using a platform developed in-house. The purpose behind using APIs is varied. Half (51%) of respondents said that their rationale for API deployment was to enable their external developer ecosystem. Meanwhile, 67% said partner connectivity was the main goal, while 62% cited mobility and 57% cited cloud integration. While these are worthy goals, the study reveals that they come with API security woes.

“The use of APIs to enable applications to interact across single and multiple infrastructures is skyrocketing and innovation is being fueled by companies finding new ways to monetize their software assets by exposing APIs to outside developers,” said Rik Turner, senior analyst at Ovum. “However, exposing APIs to developers outside the company creates significant risk and APIs are becoming a growing target for cyber criminals. This study highlights an alarming lack of consistency and ownership in how API security is addressed.”

The majority (83%) of those surveyed said that they were concerned with API security, because API management platforms lack critical features and automation. For instance, rate limiting, considered to be a basic API security practice, was employed by fewer than half of respondents. Only 21.9% of respondents had protection from malicious API usage, API developer errors, automated API scraping, and web and mobile API hijacking.

In addition, more than two-thirds of respondents were spending over 20 hours a month managing API rate limiting, showing a deep lack of automation.

Further, one-third (30%) of APIs are spec'd out without any input from the IT security team, and 27% of APIs proceed through the development stage without the IT security team weighing in. About a fifth (21%) of APIs go live without any input from security professionals.

“APIs impact business and the world around us more than most people realize. The fact that API security is flying under the radar and not being adequately addressed should be a red flag prompting organizations to examine their own practices,” said Rami Essaid, co-founder and CEO of Distil Networks, which sponsored the survey. “CIOs and CISOs need to get a handle on how responsibility is addressed within their organizations and decide whether the process is sufficiently robust.”

Also of note is the lack of clear responsibility for API security. There is nearly an even split between those who give responsibility for API security to their developers and those who allocate it to the IT security team: 53% of respondents feel security teams should be responsible for API security, while 47% believe the developer teams should hold responsibility.
