Real Time Communications Featured Article

API Security: A New Concern at the C-Level

August 06, 2015

From chief security officers to chief information security officers and beyond, the C-level has a lot to think about in the course of its workday. A new report from Akana suggests that there's one big new concern for the C-level, and that's application programming interface (API) security practices. The report sought to get a handle on just how mature API security practices actually were, and while there were steps taken, there were still significant holes to address across the board.

The Akana report, titled “Global State of API Security Survey 2015,” gathered comments from over 250 individuals involved in security, including those C-level staffers as well as the more general security architect. Over half the responses came from global-scale operations, so it's a sound look at the field overall. With APIs becoming an increasingly prevalent way of passing data among external and internal audiences alike, developing security methods appropriate to this field makes sense.

This became particularly true in light of the responses from the field. Over 65 percent of respondents had no processes in place to make sure the data accessed by APIs was managed securely. That increases the threat to data as more and more mobile apps, Internet of Things (IoT) tools and others act as API consumers and access data accordingly. Moreover, nearly 60 percent of respondents weren't securing API consumers at all. Nearly half (over 45 percent) of respondents didn't rate-limit access to APIs, a measure that can help prevent hacking.

There were, however, bright points to the study. Seventy-five percent of respondents consider API security to be a chief information officer (CIO)-level concern, while 65 percent considered it a concern for business managers. Thus it's clear that there is a problem, even if those involved aren't quite sure as yet how to combat it. It's even become clear what specific threats are being considered: distributed denial of service (DDoS) was on the menu, as were encryption, security at the message level and JavaScript Object Notation (JSON) schema issues.


In a way, this study is revealing good news. Companies clearly know that there's a threat, and that the threat is sufficiently serious to warrant concern at the highest levels of an organization. But knowledge of the threat isn't, as yet, generating action, and that's perhaps the biggest concern. This is a clear threat. Companies know it's a clear threat. So where is the action in response? Perhaps this report will help spur it. Akana executive vice president Roberto Medrano seems to think it might, believing the report “...should be a helpful starting point for determining best practices in API security going forward.” But we should be beyond the best practices point by now. We should be well into execution.

Still, any step is a good step, and knowing a problem exists is the first step toward fixing the problem. The Akana report shows a good start made, but it's going to take a lot of work to get APIs secured in a field where they are becoming increasingly useful. But given that the C-level of firms seems to be coming around, security measures may emerge sooner than some might expect.

Edited by Stefania Viscusi
