The volume of application programming interfaces (APIs) grew between 2020 and 2021. Postman called the global growth of the API ecosystem “impressive,” noting how it witnessed a 39% increase in the number of collections created up to 30 million. It observed an even greater growth in the number of API requests created, 855 million, constituting a 56% rise.
Why Is This a Good Thing?
APIs provide organizations with several benefits. Per Thomson Reuters, APIs can help organizations save time and resources by streamlining or altogether eliminating certain tasks. This can make it easier for organizations to access their data and engage in real-time business reporting while minimizing instances of human error that could jeopardize the business.
With those resources freed up, organizations can focus on delivering value to their customers. They also can use APIs to differentiate themselves from their competitors via one or more specializations. APIs can help them address the needs of those specific verticals, thereby creating promising new business opportunities.
Why Is This Sometimes a Problem?
However, APIs can introduce complexity and security risks. According to research by Cloudentity, 97% of organizations have experienced delays when releasing new applications and services due to API security concerns. Approximately half (44%) clarified those worries as serious concerns involving the exposure of private information and other data.
Sometimes, organizations focus more on keeping up with a fast application delivery time than on securing their APIs. This lack of balance tends to manifest as an inadequate budget for API security efforts, including security awareness training for developers and other stakeholders. Acknowledging those findings, it’s not surprising that just 2% of survey respondents were confident in their organization’s ability to secure its APIs.
Opportunities for Change
Many organizations are looking to make a change with their API security. In the aforementioned survey by Cloudentity, 93% of respondents indicated that they were planning to increase their budgets and resources for API security. More than half (64%) wrote that their budgets could increase by as much as 15% going forward.
These findings raise an important question. Where should organizations looking to maximize their API security direct their attention? Provided below are four tips.
Tip #1: Adopt an API Management Strategy
First, organizations need to adopt an API management strategy. They should endeavor to make this strategy as proactive as possible by providing clear processes for API design, implementation and management that align with the business’s requirements, noted Help Net Security. As part of their strategy, organizations should also document ways by which security teams can identify, prioritize and remediate vulnerabilities involving their APIs – especially the top 10 API weaknesses identified by the Open Web Application Security Project (OWASP). All other security elements flow from this foundation of an API management strategy, so it’s important to get it right and revise it as the business evolves.
Tip #2: Find All of Their APIs
With an API management strategy in place, organizations can go about discovering all their APIs wherever they reside. Yet, they need to be strategic about how they approach this step. For instance, IT doesn’t always know about all the APIs in use across the organization, so relying on manual discovery processes could leave critical blind spots.
Salt Security agrees with this assessment. “API documentation, while a best practice in itself, might not be done consistently,” it explained in a blog post. “Automated discovery of API endpoints, parameters, and data types is crucial for all organizations.”
With this in mind, organizations need to discover APIs within all their environments, not just production; include API dependencies; and tag/label their APIs as a DevOps best practice.
Tip #3: Raise Awareness of API Security Among Employees
Organizations can’t expect everyone to follow API security practices if their workforce doesn’t understand the threats involved. To remedy this, they can use security awareness training to educate their employees about API-based attacks and how they threaten the business. These efforts will help carry security across the software design, build and deployment phases, wrote Forbes. It will also complement DevSecOps initiatives designed to promote collaboration between app development, security and operations teams.
Tip #4: Reach for Zero Trust
Finally, organizations should consider zero trust as their goal. A zero-trust approach can help security teams continually authenticate the service, requestor and client, thus minimizing threats of API attacks. Teams can also use zero trust for auditing those requests for signs of compromise, indicators which they can then act upon to limit the scope of an incident.