The API Security Threat: Are You Protecting Your Customers?

APIs have made it inherently easier for companies to share applications, code and data. But they’re also opening enterprises to new security threats that are not being properly addressed, according to a new report.

The Global State of API Security Survey 2015 (registration required) from Akana Inc. found that the majority of companies surveyed—65 percent–don’t have proper security in place to ensure that the data being accessed by apps using their APIs is managed securely. Among the top API security threats cited by respondents are JSON Scheme, DDoS, message-level security and encryption.

The finding is troubling because mobile applications and the increasing adoption of the Internet of Things means more devices are consuming APIs, exposing enterprises to new threats of unauthorized data access, the company said.

Perhaps even more disconcerting for API security is that even though APIs aren’t being secured in any critical way, more than 60 percent of respondents said they were confident in API security, according to the report. However, more than 30 percent admitted to being unsure about the state of their API security.

Akana specializes in API management and security, and the report is its first evaluation of the state of API security in the enterprise. The survey polled more than 250 security practitioners, including CSOs, CISOs and security architects. More than 50 percent of the executives surveyed are from large global organizations.

The report is meant to be a jumping off point for companies to begin addressing the disconnect between the confident and increased use of APIs and the security to keep these data transactions safe, said Roberto Medrano, an executive vice president at Akana, in a press release.

“APIs are new enough in the enterprise that people want the latest on how industry peers are dealing with security threats,” Medrano said. “We felt there was an opportunity to ask others to share their insights and worries. The survey report should be a helpful starting point for determining best practices in API security going forward.”

The survey also found that many of the respondents—45 percent–aren’t putting a rate limit on access to their APIs, which can reduce the risk of hacking. Moreover, API security is enough of an issue that it is going beyond the IT security level to the realm of business decision makers, with 75 percent of respondents saying that it’s a CIO-level concern, and 65 percent indicating it was an issue for business manager, according to the report.