While there isn’t anything approaching a full-blown crisis surrounding API security just yet, a new survey of security professionals indicates there is a rising concern.
Released at the Black Hat 2015 conference this week by Akana, a provider of API management software, the survey found that 65 percent of the 250 security practitioners surveyed admit they don’t have processes in place to make certain that the data being accessed by applications consuming their APIs is managed securely.
Sachin Agarwal, vice president of product marketing for Akana, said that while developers generally take steps to secure their APIs, they tend to be a little more cavalier about how the data they are sharing gets used by third parties. As a result, Agarwal said the survey found that senior IT executives and business executives tend to have higher levels of concern about API security.
For example, the survey found that 75 percent of respondents identified API security as a CIO-level concern, while 65 percent indicated it was also an issue for business managers inside their organization.
One indication that developers may not be applying enough thought to API security, says Agarwal, is that the study also found that 45 percent of the respondents said their organization does not rate limit access to their APIs. That’s significant, says Agarwal, because large spikes in data transfers via APIs are usually indicative of some type of hacking taking place. Though Apple never confirmed it, lack of rate limiting allegedly played a key role in the exploitation of Apple's non-public API for its Find My iPhone service. Known as "The Fappening," the attack led to the public and embarrassing disclosure of sensitive photos belonging to Jennifer Lawrence and other celebrities.
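The control that 45 percent of respondents say they lack is straightforward to build. The following is an added example, not code from the article or from Akana: a per-client sliding-window rate limiter that caps how many calls an API key may make in a given window, plus a small batch routine that runs a constructed request log through it and reports which clients hit the cap (the kind of spike Agarwal describes as a warning sign). The limit, window, and client keys are illustrative assumptions.

```python
import time
from collections import deque

# Added example (not from the article or from Akana). A sliding-window limiter:
# each client key gets a queue of recent request timestamps; a request is
# allowed only while fewer than `limit` timestamps fall inside the window.


class SlidingWindowRateLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = {}  # client_key -> deque of request timestamps

    def allow(self, client_key, now=None):
        """Return True if the request may proceed, False if it should get HTTP 429."""
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(client_key, deque())
        cutoff = now - self.window
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed request log, not real traffic: (timestamp_seconds, client_key).
# key-A makes three calls spread over six seconds; key-B makes twenty calls
# inside a single second, the kind of burst the article calls a red flag.
SAMPLE_REQUESTS = (
    [(0.0 + 3.0 * i, "key-A") for i in range(3)]
    + [(1.0 + 0.05 * i, "key-B") for i in range(20)]
)


def enforce(requests, limit=5, window_seconds=10.0):
    """Replay a request log through the limiter.

    Returns (stats, flagged): per-client allowed/rejected counts, and the
    sorted list of clients that had at least one request rejected, which is
    what an operations team would want surfaced in monitoring.
    """
    limiter = SlidingWindowRateLimiter(limit, window_seconds)
    stats = {}
    for ts, key in sorted(requests, key=lambda r: r[0]):
        s = stats.setdefault(key, {"allowed": 0, "rejected": 0})
        if limiter.allow(key, now=ts):
            s["allowed"] += 1
        else:
            s["rejected"] += 1
    flagged = sorted(k for k, s in stats.items() if s["rejected"] > 0)
    return stats, flagged


if __name__ == "__main__":
    stats, flagged = enforce(SAMPLE_REQUESTS)
    for key, s in sorted(stats.items()):
        print(f"{key}: allowed={s['allowed']} rejected={s['rejected']}")
    print("clients that hit the limit:", flagged)
```

In a real deployment the limiter state would live in a shared store so that every API gateway instance sees the same counts, and the rejected-request counter per client is the signal worth alerting on: a key that is repeatedly throttled is either a misbehaving integration or an attempt to enumerate or brute-force through the API.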
In terms of specific API security threats, the survey respondents rated JSON Schema, distributed denial of service (DDoS) attacks, and message-level security and encryption as the top threats to API security. Agarwal said part of the problem with API security is that not only are there too many organizations that don’t have API usage policies in place, many of them also assume that a Web firewall will protect them from hacking. In reality, hackers have become just as adept at using APIs as any other developer, says Agarwal. Worse yet, those hackers tend to have massive amounts of computing resources at their disposal.
Unfortunately, most organizations may not realize their data is being stolen for months — if ever. Developers, meanwhile, tend to view security as being the responsibility of IT operations teams. Those teams, however, generally have little visibility into how APIs are being used, much less how secure they are.
According to Agarwal, all it would take would be a few high profile attacks to shake the faith business leaders have today in an API economy that depends on trust to drive growth through data integration.