Application programming interfaces (APIs) are the backbone of the digital world, and as such, API security needs to be tight. However, we have seen recently just how lax API security has been. The Nissan Leaf story may have been the most vivid example of API security failure, but there are others, like a vulnerability in Tinder that compromises user security.
This security failure is more than likely coming from the lack of oversight on app development. An Ovum survey, in partnership with Distil Networks, found that organizations aren’t putting enough emphasis on API security.
The study found that while the majority of companies use an API management platform, the security features are inconsistent. In fact, too many lack basic security functionality. Another major security issue in APIs is one that we hear way too often – who is in charge of API security? According to the study, 53 percent of the respondents think that responsibility should belong to the organization’s security team, while 47 percent said the API’s development team should be in charge of security. That’s pretty evenly split – something you don’t see much in these surveys – which, I think, highlights the struggle. If organizations can’t come to a consensus on who is in charge of API security, what usually happens is no one is in charge. What results are problems like Android’s API vulnerability that leaks sensitive data.
With 83 percent of respondents admitting that they are concerned about API security, there is clearly a need for action. So what is the solution? It might be as simple as bringing API development in-house whenever possible. As Rik Turner, senior analyst at Ovum, said in a formal statement:
Exposing APIs to developers outside the company creates significant risk and APIs are becoming a growing target for cyber criminals. This study highlights an alarming lack of consistency and ownership in how API security is addressed.
Ownership may make a difference. We’ve seen elsewhere that security is taken more seriously when there is true ownership, whether it be security on devices, in the cloud, or with applications.
As Turner stated in the release, use of APIs to enable applications to interact across single and multiple infrastructures is skyrocketing, and we will continue to see innovation in the development of APIs. Companies are going to take advantage of these innovations to improve their own digital posture. For this reason, I think it is vital to heed the words of Rami Essaid, co-founder and CEO of Distil Networks, said in response to the survey results:
APIs impact business and the world around us more than most people realize. The fact that API security is flying under the radar and not being adequately addressed should be a red flag prompting organizations to examine their own practices
If companies aren’t able to get a handle on this now, we could be looking at a very serious security mess in the not-to-distant future.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.