Who is Really Responsible for API Security?

As APIs play an increasingly important role in modern business, it seems that a lack of clarity over who is responsible for API security is leaving businesses and users at risk. In a recent post on IT Business Edge, Sue Marquette Poremba discussed a recent Ovum survey that may shed some light on a few contributing factors.

The study was conducted in partnership with Distil Networks, and it found that organizations aren’t putting enough emphasis on API security. This lack of consideration is highlighted by the Nissan LEAF API security failure earlier in the year, as well as the recent vulnerability exposed on Tinder.

Since API security isn’t seen as a major concern by many organizations, nobody seems to know who is responsible for it. The Ovum study found 53% of respondents believed the organization’s security team should take responsibility, with the other 47% naming the API development team as the responsible party. As a result of this split, nobody is taking responsibility for security.

“Exposing APIs to developers outside the company creates significant risk, and APIs are becoming a growing target for cyber criminals. This study highlights an alarming lack of consistency and ownership in how API security is addressed,” said Ovum senior analyst Rik Turner.

Since 83% of respondents admitted concern over API security, it is clear that the problem needs to be addressed, and assigning clear ownership may be a viable solution. However, as the use of APIs and the innovations built on them continue to expand, the security risks will only grow, making a robust solution increasingly difficult to determine.

Original Article

Unclear Sense of Ownership Hurts API Security