A new survey examining application programming interface (API) security practices shows that few enterprises have taken steps to ensure sensitive data is being securely handled in the apps that access APIs.
Akana, formerly SOA Software, on Wednesday released the findings of its survey of more than 250 security practitioners, including CSOs, CISOs and security architects, more than half of them from large global organizations. The survey was conducted in light of APIs becoming a dominant channel for exchanging data between both external and internal audiences and services.
Sachin Agarwal, vice president at Akana, tells Channel Partners that, with mobile usage increasing, APIs are becoming the de facto standard for digital enterprises to exchange and share data with mobile, the Internet of Things or cloud apps.
“However, as API usage is increasing, so are the threats that are specific and unique to the API channel,” he said. “The survey points to CIOs becoming increasingly concerned about API security. Also, there seem to be serious gaps in how the data being accessed by the apps themselves is secured once it is accessed through the APIs.”
JSON schema, DDoS, message-level security and encryption were among the top API security threats revealed by the survey.
Nearly two-thirds (65 percent) of respondents said they do not have processes in place to ensure that data accessed by apps consuming APIs is managed securely. Also, nearly three in five (60 percent) of respondents said they were not securing API consumers.
“The most surprising learning was that one of the most common forms of preventing API threats, rate limiting, is often (more than 50 percent) ignored by enterprises,” Agarwal said. “Some of the most notable API hacks, like the SnapChat hack in December 2013 where 300 million customer accounts were compromised, could have been prevented by implementing rate limiting.”
API security is as much an issue for the business as it is for IT, with three in four (75 percent) of respondents saying API security was a CIO-level concern and 65 percent saying it is an issue for business managers.
The survey results do suggest opportunities for the channel, Agarwal said.
“Just as the rise of Internet and Web led to the rise of adoption of Web application firewalls and intrusion-detection firewalls, similarly we see an opportunity for API gateways to act as security gateways to secure enterprises from threats to their APIs,” he said.
The survey suggests an “emerging digital divide” as high-performing companies embrace core digital capabilities and APIs to move ahead, said Roberto Medrano, executive vice president at Akana. Enterprises need to recognize and take steps to mitigate the additional threat vectors to which they may be exposing their data and organization, he said.
“The maturity level around API security is still not there, but we see an improving trend, with API security now becoming critical for (corporate-level) officers,” Agarwal added.