The front lines of information security risk management evolve in parallel with the dominant technologies in common use. The emergence of the web brought web-based threats and resulting countermeasures. The rise of SQL databases brought SQL injection and its mitigations. Now, we have the increasing usage and business importance of application programming interfaces (APIs), which are vital the development of mobile applications and the digital enterprise in general. APIs, like all technologies, have security vulnerabilities. In fact, the very openness that makes them so useful in expanding the enterprise into the digital realm can itself be an avenue of risk exposure.
API security risks are also potentially worse, in business impact terms, than earlier generations of information security risk. APIs are often a key part of fast-track application development, enabling processes such as DevOps and connecting multiple corporate entities in rapid implementation cycles. While great for business, these capabilities can also expose more than one business to risks that might have previously been limited to a single corporation. Liability and compliance risks also grow with the increases in pace and connectivity.
Akana works with many clients worldwide who are concerned about API security issues. To help them and the broader industry gain a better understanding of the state of API security, we conducted a survey of 1,200 IT professionals on the subject in May, 2015. The respondents came from a range of industries and organization sizes. The survey reveals, perhaps not surprisingly, that API security is an identified risk for many IT departments and business managers. The specific ways that companies handle API security do vary, though, with organizations with larger portfolios of APIs in production having more aggressive and sophisticated API security policies in effect. The size of the organization overall does not appear to have much effect on the level of API security in use.