Application programming interfaces (APIs) are the backbone of the digital world, and as such, API security needs to be tight. However, we have seen recently just how lax API security has been. The Nissan Leaf story may have been the most vivid example of API security failure, but there are others, like a vulnerability in Tinder that compromises user security.
This security failure more than likely stems from a lack of oversight in app development. An Ovum survey, in partnership with Distil Networks, found that organizations aren’t putting enough emphasis on API security.
The study found that while the majority of companies use an API management platform, the security features are inconsistent. In fact, too many lack basic security functionality. Another major security issue in APIs is one that we hear about way too often – who is in charge of API security? According to the study, 53 percent of the respondents think that responsibility should belong to the organization’s security team, while 47 percent said the API’s development team should be in charge of security. That’s pretty evenly split – something you don’t see much in these surveys – which, I think, highlights the struggle. If organizations can’t come to a consensus on who is in charge of API security, what usually happens is that no one is in charge. The result is problems like Android’s API vulnerability that leaks sensitive data.