APIs: the other security risk facing businesses

In an app-centric environment, most companies operate API platforms, either developed in-house or sourced from an operator. But in both cases, these platforms largely lack security functions, whether basic or advanced. This, at least, is the conclusion of a recent Ovum study, which can be found at InfosecSecurity.

"The use of APIs to enable applications to interact across single and multiple infrastructures is skyrocketing and innovation is being fueled by companies finding new ways to monetize their software assets by exposing APIs to outside developers," said Rik Turner, senior analyst at Ovum. "However, exposing APIs to developers outside the company creates significant risk and APIs are becoming a growing target for cyber criminals. This study highlights an alarming lack of consistency and ownership in how API security is addressed."

The majority (83%) of those surveyed said that they were concerned with API security, because API management platforms lack critical features and automation. For instance, rate limiting, considered to be a basic API security practice, was employed by fewer than half of respondents. Only 21.9% of respondents had protection from malicious API usage, API developer errors, automated API scraping, and web and mobile API hijacking.

And, more than two-thirds of respondents were spending over 20 hours a month managing API rate limiting, showing a deep lack of automation.

Further, one-third (30%) of APIs are spec'd out without any input from the IT security team and 27% of APIs proceed through the development stage without the IT security team weighing in. About a fifth (21%) of APIs go live without any input from security professionals.

"APIs impact business and the world around us more than most people realise. The fact that API security is flying under the radar and not being adequately addressed should be a red flag prompting organizations to examine their own practices," said Rami Essaid, co-founder and CEO of Distil Networks, which sponsored the survey. "CIOs and CISOs need to get a handle on how responsibility is addressed within their organizations and decide whether the process is sufficiently robust."
