Skip to main content

Basic API security measures are being overlooked

APIs are the glue that holds much of the digital world together, connecting systems, apps and data. But a new survey reveals that many organisations are failing to place enough emphasis on API security.

Research company Ovum in partnership with bot detection and mitigation firm Distil Networks, surveyed 100 IT and security professionals. They found that 30 per cent of APIs are planned out with no input from the IT security team and 27 per cent of APIs proceed through the development stage without the IT security team weighing in.

Other findings include that 87 per cent of respondents were running an API management platform, with 63 per cent using a platform developed in-house. However, rate limiting, considered to be a basic API security practice, was employed by less than half of respondents.

Of those surveyed 53 per cent feel security teams should be responsible for API security, while 47 per cent think the developer teams should hold responsibility.

It's clear that APIs have taken hold, with 20 per cent of respondents saying they're maintaining, building, or publishing more than 50, while at the other end of the scale, 32 per cent are working on between one and 10. The remainder are running somewhere between 11 and 50 APIs, but Ovum expects to see the number grow over the next few years.

A significant proportion are using public APIs that are exposed to developers outside their own companies. 51 per cent say that at least part of the rationale for their APIs was to enable an external developer community/ecosystem, while 67 per cent say that partner connectivity is a driving factor.

The report's authors note, "Our survey finds that most respondents are at least concerned with the issue of API security, which is as it should be. Furthermore, most of them are using some form of API management platform, and the majority of platforms in use provide some level of security capability. However, there is by no means blanket coverage of all aspects of API security by all platforms."

You can read more about the findings on the Distil Networks site.

Image Credit: Profit_Image / Shutterstock