API Security: A Disjointed Affair
© 2016 Ovum. All rights reserved. Unauthorized reproduction prohibited.

Summary

Catalyst

This white paper analyzes the findings of a survey, carried out by Ovum with the sponsorship of Distil Networks, into the state of application programming interface (API) security. We asked 100 companies across a variety of industries in North America, Europe, and Asia-Pacific, ranging from midmarket firms to large enterprises, about their use of APIs, their adoption of API management platforms, and the security features that such platforms offer. We also sought understanding of their general awareness and concerns regarding security in the context of the so-called API economy.

Ovum view

The use of APIs to enable applications to interact across single and multiple corporate infrastructures is an ever more widespread activity. Indeed, it is now common to refer to an "API economy" in which companies are finding new and innovative ways of monetizing their software assets by exposing APIs for developers to harness the power of their features and functions. However, with the growing popularity of "public" APIs, i.e. ones that are exposed to developers outside the company that owns them, come security risks, as their very popularity makes them an interesting target for cyber criminals.

Our survey finds that most respondents are at least concerned with the issue of API security, which is as it should be. Furthermore, most of them are using some form of API management platform, and the majority of platforms in use provide some level of security capability. However, there is by no means blanket coverage of all aspects of API security by all platforms. Even more critically, the survey finds a lack of consistency in the way that security is incorporated into API development. Nearly one-third of APIs go through specification without being looked at by the company's IT security team.
Nearly 30% of APIs continue through the development stage without IT security providing thoughts or comments, and an astonishing 21% go live without any input from security professionals.

The message for CIOs/CISOs from these figures is obvious: they need to understand how API security is being managed within their own organizations. Undersecured APIs increase an enterprise's attack surface, exposing application structure and data to potential hackers. Our survey found that the largest proportion of API management platforms in use offered some degree of protection from developer error, but only a smaller number were concerned with protecting APIs from malicious usage or automated scraping by a bot, which can pull down online content and data within minutes, a risk that is clearly growing as more hackers begin to target APIs. Other holes in API security included Web and mobile API hijacking in which hackers dissect how Web and mobile apps are interacting with APIs.

As mentioned, Ovum was encouraged to see that the majority of respondents were concerned about the security of their APIs. However, the survey also reveals a significant minority of respondents who are not preoccupied with the issue of API security at all: 17% said they were not concerned with the matter at all. As most of this group was running an API management platform, this suggests that they are comfortable with the security features it offers, even though many platforms have no protection from automated scraping, for instance. Ovum perceives a need for more information on how much traffic bots are now driving on the Internet, including ones making API calls, as well as the fact that a number of them are malicious.

