Basic API security measures are often overlooked
APIs are the glue that holds much of the digital world together, connecting systems, apps and data. But a new survey reveals that many organizations are failing to place enough emphasis on API security.
Research company Ovum, in partnership with bot detection and mitigation firm Distil Networks, surveyed 100 IT and security professionals. They found that 30 percent of APIs are planned out with no input from the IT security team, and 27 percent of APIs proceed through the development stage without the IT security team weighing in.
Other findings include that 87 percent of respondents were running an API management platform, with 63 percent using a platform developed in-house. However, rate limiting, considered to be a basic API security practice, was employed by fewer than half of respondents.
Of those surveyed, 53 percent feel security teams should be responsible for API security, while 47 percent think the developer teams should hold responsibility.
It's clear that APIs have taken hold, with 20 percent of respondents saying they're maintaining, building, or publishing more than 50 APIs, while at the other end of the scale, 32 percent are working on between one and 10. The remainder are running somewhere between 11 and 50 APIs, but Ovum expects to see the number grow over the next few years.
A significant proportion are using public APIs that are exposed to developers outside their own companies. Fifty-one percent say that at least part of the rationale for their APIs was to enable an external developer community/ecosystem, while 67 percent say that partner connectivity is a driving factor.
The report's authors note, "Our survey finds that most respondents are at least concerned with the issue of API security, which is as it should be. Furthermore, most of them are using some form of API management platform, and the majority of platforms in use provide some level of security capability. However, there is by no means blanket coverage of all aspects of API security by all platforms."
You can read more about the findings on the Distil Networks site.