A new survey on API security, titled Global State of API Security Survey 2015 and conducted by API management vendor Akana, was released today. This is the first survey Akana has conducted on API security, and it offers a number of findings of interest to anyone working in IT security.
The survey questioned more than 250 security practitioners, including CSOs, CISOs, and security architects. Its headline result is that the majority of respondents are taking steps to secure access to their APIs, but only a few have taken steps to ensure that sensitive data is handled securely inside the apps that consume those APIs.
More than 65% of respondents reported that they have no process in place to ensure that data accessed by applications consuming their APIs is managed securely. With mobile apps and IoT devices increasingly acting as API consumers, the enterprise remains exposed to unauthorized access to that data after it has been handed out through the API. Almost 60% of respondents indicated that they were not securing API consumers at all.
Interestingly, and appropriately, API security is as much an issue for the business as it is for IT: 75 percent of respondents indicated that API security was a CIO-level concern, and 65 percent said it was an issue for business managers. As APIs are increasingly adopted to drive digital initiatives, both business and IT see increasing value in securing them.
Perhaps the most significant finding of the survey is that many businesses are not taking adequate measures to secure the API consumer. While attention is being paid to building controls and countermeasures into the API itself, many respondents appear to be neglecting a major point of vulnerability: the app that is accessing that API. Almost 60 percent of respondents (see figure below) indicated that they did not have processes in place to check whether the API consumer is handling the data and the API securely.
Figure. Do you have processes in place to check if the API consumer is handling the data and API securely?
Indeed, mobile stands out as a particular point of concern. Because mobile devices can be jailbroken, any API credentials stored on the device are exposed to extraction and misuse, which makes a compromised device a high-impact threat to the APIs behind it. However, 65 percent of respondents who were asked whether they used mobile device management technology to protect API credentials and mitigate the risk of a jailbroken device answered "Not Applicable." I would imagine this will change with time… or we'll see a lot more mobile breaches.
The Bottom Line
Akana's survey confirms that API security is still a nascent concern and that most organizations are very early in the adoption lifecycle. The responses span a wide range of attitudes toward security and a similarly wide diversity of security practices. It will be interesting to watch future editions of this survey if Akana continues to publish it annually.
Visit the Akana web site to download your own copy of the survey results.
JSON Schema, DDoS, message-level security, and encryption were among the top API security concerns named by respondents.