What to Consider Before Developing an API Security Strategy

eWEEK DATA POINTS: Enterprises first must understand the very nature of their API infrastructures. Most are not even aware of how many APIs they have to begin with.

API.security2

Recent incidents at Salesforce, Facebook, Google+—not to mention the Equifax breach and the Cambridge Analytica scandal that plagued Facebook—point directly to the unsettling reality that API security is often an afterthought for enterprises. Such incidents serve as a major wake-up call for enterprise security teams everywhere.

An application program interface (API) is code that allows two software programs to communicate with each other. The API defines the correct way for a developer to write a program that requests services from an operating system or other application.

Enterprises first must understand the nature of their API infrastructures. Most are not even aware of how many APIs they have in the first place.

In this eWEEK Data Point article, using new research from Ping Identity based on a survey of 100 security and IT professionals, we offer five API security issues of which to be aware as you consider your holistic API security strategy.

Data Point No. 1: API sprawl is a growing issue.

Twenty-five percent of respondents say their company has more than 1,000 APIs, while 35 percent report having between 400 to 1,000 APIs. This suggests that APIs are continuing to expand at an accelerated rate. A January 2018 survey found that companies manage 363 different APIs on average, with 39.2 percent managing between 400 to 1,000 APIs and 7.2 percent managing more than 1,000 APIs. Determining how many APIs your enterprise has is the first step in figuring out your security liability and strategy.

Data Point No. 2: Lack of visibility into APIs is all too common.

Forty-five percent of respondents aren’t confident in their security organization's ability to detect whether a bad actor is accessing their APIs. In fact, 51 percent aren't even confident their security team knows about all of the APIs that exist in the organization. This illustrates one of the greatest obstacles to effective API security today—the people trusted with securing APIs don’t always know where they are. As the saying goes: You can’t protect what you can’t see.

Data Point No. 3: API breaches are often a black box.

Thirty percent of respondents don’t know whether their organization has experienced any breaches, leaks or other security incidents involving APIs. It’s no wonder API security is overlooked so often when it’s talked about so little. To make it a priority, security teams need to find more and better ways to communicate the urgency of API security to organizational leadership.

Data Point No. 4: Nation-states could weaponize APIs next.

Seventy-five percent of respondents believe we will see nation-states targeting or exploiting APIs in the next year. As the API economy expands to every corner of modern business and society, the arrival of sophisticated state actors is inevitable. The question security teams need to ask is whether they are ready for it.

Data Point No. 5: Financial services and government believed to be at higher risk

Forty percent of respondents believe financial services companies will the most heavily-targeted industry for API attacks in the coming year. Government came in second with 20 percent of the vote. Looking ahead to 2019, expect more sophisticated attacks on APIs, especially in industries where the data moving between applications and services is extremely valuable.

If you have a suggestion for an eWEEK Data Point article, email cpreimesberger@eweek.com.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...