I don’t think I’m off base saying this, but in our current Internet security culture, it seems like threats and other issues are taken seriously only when top management begins to recognize the problem. And as we know, C-level executives are almost always the last ones in the company to jump on the security bandwagon.
So, when CXOs do pay attention to a security problem, you can be pretty sure that it is the real deal.
Application program interface (API) security is one such threat. At the Black Hat USA 2015 conference earlier this month, Akana released the results of its survey, Global State of API Security Survey 2015, and it found that API security is becoming a C-level concern, even before it becomes, as ProgrammableWeb put it, a “full-blown crisis.”
According to the study, 75 percent believe that API security has to be a CIO-level concern. But at the same time, 65 percent said that processes aren’t in place to ensure that data accessed by applications is kept secure, and another 60 percent aren’t doing anything to secure API consumers.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
The reason API security is lagging is because it is a relatively unknown quantity in the enterprise, and, as Roberto Medrano, EVP at Akana, said in a release, there seems to be a desire to see what other companies are doing for security before taking action.
Akana doesn’t need to look far to see that API security lapses are happening. A CSO article provided plenty of recent examples of companies like Starbucks and Snapchat with API-related vulnerabilities. The article added:
Why are APIs becoming the target of hackers? Because they’re everywhere, says Randy Heffner, API security analyst at Forrester Research. Just about every company is building APIs to support their web or mobile application because it allows them to innovate faster and bring outside content in.
And, like every other piece of software and hardware we use, APIs aren’t designed with security in mind. The rush to get them to market may also mean that they aren’t being properly tested for security, which makes them an easy target for hackers, because companies simply aren’t paying close attention. As ProgrammableWeb pointed out:
… [P]art of the problem with API security is that not only are there too many organizations that don’t have API usage policies in place, many of them also assume that a Web firewall will protect them from hacking.
The good news from the survey, though, is that it sounds like some at the executive level have begun to take notice that this is a real security threat and needs to be addressed. But, will they follow through?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba