Two in Three CIOs Admit Lacking in API Security Measures

Some 70% of IT professionals have no processes in place to ensure data accessed by applications consuming their APIs is managed securely, according to the Global State of API Security Survey 2015.

An API, or application program interface, is a set of routines, protocols and tools for building software applications that explain how software components should interact. The survey reveals that API security is an identified risk for many IT departments and business managers.

Almost two-thirds of API owners do not consider the security of their data an issue once it leaves their domain via the API, the report authors say. When filtering for organizations with more than 50 APIs in production, the percentage who have no processes for checking the security of the API consumer falls to 43%. “This drop is possibly reflective of a generally more rigorous security policy in API-intensive organizations. Industry experience underscores the potential business impact of this threat,” researchers say.

Some 60% of respondents were “confident” or “very confident” in the security of APIs, with a fairly high level of confidence that connection will be secure. Yet almost 30% of respondents are unsure about their API security. Only 6% lacked confidence in API security. Although 60% of respondents felt confident in API security, 75% reported that API security was a CIO-level concern, as CIOs are responsible not only for operating and securing a new kind of software, but for complete business execution. API security was also an issue for business managers in 65% of respondents’ organizations.

Nearly 46% of survey respondents did not rate limit access to their APIs, a control that can reduce the risk of hacking. Larger organizations (1,000+) and shops with 50+ APIs were more likely to use rate limiting but, even then, more than 30% responded “Not Applicable.”

“This is alarming because rate limiting is one of the best countermeasures against distributed denial of service (DDOS attacks on APIs.),” the report authors conclude.

In 2013, the lack of rigorous security policy in API-intensive organizations exposed phone numbers and user names of Snapchat users. More than 4.6 million usernames and phone numbers were leaked on New Year’s Eve after anonymous hackers dubbed ‘Snapchat DB’ abused the application’s Find Friends service, according to HOTforSecurity.

The Global State of API Security Survey 2015 conducted 1,200 CIOs, CSOs and security specialists in May 2015.