New Ovum Study Looks at API Security Practices, Revealing Basic Security Measures and Attack Vectors Overlooked

April 6, 2016

Only 21.9 Percent of Respondents’ API Management Platforms Provide Protection from API Abuse, Developer Errors, Automated API Scraping, and Web and Mobile API Hijacking

San Francisco, CA – April 7, 2016 – Distil Networks, Inc., the global leader in bot detection and mitigation, today released the results of a survey on application programming interface (API) security titled, “API Security: A Disjointed Affair.” The survey and report conducted by Ovum Consulting, a leading global technology research and advisory firm, asked IT and security professionals across a variety of industries globally about their use of APIs, adoption of API management platforms, and the security features included in those platforms.

“The use of APIs to enable applications to interact across single and multiple infrastructures is skyrocketing and innovation is being fueled by companies finding new ways to monetize their software assets by exposing APIs to outside developers,” said Rik Turner, senior analyst at Ovum. “However, exposing APIs to developers outside the company creates significant risk and APIs are becoming a growing target for cyber criminals. This study highlights an alarming lack of consistency and ownership in how API security is addressed.”

According to the report, the majority of companies surveyed are running some form of an API management platform, either developed in-house or from a commercial provider. However, the security features included in these API management platforms are inconsistent, with many lacking basic rate limiting functionality. Also of note is the lack of responsibility for API security. There is nearly an even split between those that give responsibility for API Security to their developers and those that allocate it to the IT Security team.

“APIs impact business and the world around us more than most people realize. The fact that API security is flying under the radar and not being adequately addressed should be a red flag prompting organizations to examine their own practices,” said Rami Essaid, co-founder and CEO of Distil Networks. “CIOs and CISOs need to get a handle on how responsibility is addressed within their organizations and decide whether the process is sufficiently robust.”

Key Findings

The purpose behind APIs

  • 51 percent of respondents said that their rationale for API deployment was to enable their external developer ecosystem
  • 67 percent said partner connectivity was the main goal while 62 percent cited mobility and 57 percent cited cloud integration

API security woes

  • 83 percent of those surveyed were concerned with API security
  • 87 percent of respondents were running an API Management platform, with 63 percent using a platform developed in-house

API management platforms lack critical features and automation

  • Rate limiting, considered to be a basic API security practice, was employed by less than half of respondents
  • Over two-thirds of respondents were spending over 20 hours a month managing API rate limiting
  • Only 21.9 percent of respondents had protection from API malicious usage, API developer errors, automated API scraping, and web and mobile API hijacking

Who is responsible for API security

  • 53 percent of respondents feel security teams should be responsible for API security, while 47 percent believe the developer teams should hold responsibility
  • 30 percent of APIs are spec'd out without any input from the IT security team and 27 percent of APIs proceed through the development stage without the IT security team weighing in
  • 21 percent of APIs go live without any input from security professionals

To download a copy of Ovum’s “API Security: A Disjointed Affair” report, visit;

To download a copy of Ovum’s “The Inconvenient Truth About API Security” infographic, visit;

To learn more, attend the live webinar on Tuesday, April 12, 2016;


About Distil Networks
Distil Networks, the global leader in bot detection and mitigation, is the first easy and accurate way to identify and police malicious website traffic, blocking 99.9% of bad bots without impacting legitimate users. Distil protects against web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, unauthorized vulnerability scans, spam, man-in-the-middle attacks, digital ad fraud, and downtime. Slash the high tax that bots place on your internal teams and web infrastructure and make your online applications more secure with API security, real-time threat intelligence, a 24/7 security operations center, and complete visibility and control over human, good bot, and bad bot traffic. For more information on Distil Networks, visit us at or follow @DISTIL on Twitter.

Previous Article
Distil Networks Launches New API Security Solution Designed to Reduce Risk and Downtime Across Critical API Attack Vectors
Distil Networks Launches New API Security Solution Designed to Reduce Risk and Downtime Across Critical API Attack Vectors

Distil Networks, Bot Detection and Mitigation Leader Expands Product Portfolio Leveraging Expertise in Devi...

Next Article
Distil Networks’ Third Annual Bad Bot Landscape Report Finds Advanced Persistent Bot Activity on the Rise, Despite Overall Decrease in Bad
Distil Networks’ Third Annual Bad Bot Landscape Report Finds Advanced Persistent Bot Activity on the Rise, Despite Overall Decrease in Bad

Google Chrome Most Popular Bad Bot Disguise; Rapid Bad Bot Growth from Chinese ISPs; Bad Bots Skewing Googl...