An Application Programming Interface (API) is a software intermediary that allows applications to communicate with one another. APIs provide routines, protocols, and tools for developers to facilitate and accelerate the creation of software applications. They enable applications to easily access and share data. APIs connect Web-based applications and other services or platforms, such as social networks, games, data repositories, and devices. Internet of Things (IoT) applications and devices also use APIs to access and collect data as well as control other devices.
Applications are the engine that drives enterprise growth and APIs are core to accelerating this process. Using APIs lowers the barrier to entry for inexperienced developers, and at the same time increases efficiency for more experienced people. 78 percent of IT decision-makers say the adoption of APIs is important for their company to stay competitive in the market. As developers continue to shift to an API economy, cybercriminals have taken notice and intensified efforts to find new attack vectors and exploits.
As decision-makers in organizations attach greater priority to accelerated, inexpensive application development, the industry is adopting API use at unprecedented rates. At the same time, organizations must employ corresponding security functions and processes to ensure they can protect their data. Today, at least 90 percent of developers using APIs in cloud-native web application development and organizations are reviewing their API security strategies to ensure that security moves in lockstep with innovation.
Overall, decision-makers realize using APIs improves internal data quality, enhances customer visibility and trust, helps create a better product for customers, and streamlines internal processes. To gain these benefits, organizations must overcome the challenges of competing or evolving priorities across teams and find a balance as they expand the adoption of APIs and the security that protects their assets. This means building a holistic API security strategy that optimizes overall productivity and ensures developers have the skills and tools required to manage API security.
As with any data-centric security strategy, having continuous visibility into APIs reduces the complexity of securing them. An API security technology can reduce complexity around securing APIs, ease compliance, and enhance the ability to classify API-transferred data, ensuring all key modes of visibility. To overcome security concerns relating to expanding the attack surface with more channels for data, the right security solution can assuage concerns and enable APIs to keep delivering on investments.
In the report Improve API Performance With A Sound API Security Strategy, Forrester Research noted that “decision-makers are aware of how important API adoption is, but they struggle with the necessary updates to their security postures in scaling APIs with business growth.”
API security is a matter of scale
Expanding the adoption of new technologies to meet customer needs without sacrificing security is a clear priority for IT decision-makers, according to the Forrester report. The principal challenge for them lies in scaling security investments alongside the new technology. Seventy percent of all respondents in the Forrester report say that the lack of API security has kept them from increasing API adoption. Decision-makers know that adopting more APIs for reasons relating to improving connections and interfaces with customer applications and internal process optimization is key to business success, but their security fears are getting in the way. In order to secure the future success of their business, decision-makers must scale security alongside API adoption.
The departmental visibility API Security disconnect
Forrester reports a clear disconnect between decision-makers from different departments on how many public APIs their company has published. Twenty-nine percent of LOB respondents believe their company has between 25 to 99 public APIs; 26 percent of IT/ops/compliance respondents believe their company has between 1 to 24; while 32 percent of security and application developers believe their company has 25 to 99 public APIs. This indicates a lack of alignment in understanding what APIs they possess, which signifies a lack of knowledge of what is in those APIs and how they are being used. In many instances, organizations’ security teams lack knowledge of their own company’s data. The main challenges security teams face when it comes to their company’s APIs are related to knowing what data they collect, where it is stored, and who has or should have access to it.
Developers: “We could use some help with API security”
While the Forrester report lays bare the need to scale up API security to meet the complexities of digital transformation and cites departmental disconnect as an issue that may contribute to the problem, there is a consensus that collaborating with third-party resources to address the knowledge gap could be part of the solution. Developers for the most part understand that they cannot move forward in the most effective way if their organizations cannot implement and maintain the security of their growing number of APIs. Sixty-three percent of them report difficulty with assessing and classifying sensitive data shared across APIs. When you factor in the use of third-party APIs, this challenge becomes even more serious.
What the industry wants from API security tools
Security tools help classify data and understand the API footprint. According to Forrester, decision-makers are mainly focused on: 1) scaling security for API adoption (78 percent) and 2) securing APIs like any other internet-connected app (70 percent). However, they need to see less complexity in their security tools. Of the benefits they have seen (or would expect to see) from adopting an API security technology, decision-makers lead with the ability to classify data transferred over APIs (71 percent), the ability to easily meet regulatory and compliance requirements around APIs (66 percent), and the ability to reduce complexities around securing API usage (65 percent). Decision-makers are looking to API security technologies to not only keep their company’s data safe within their APIs but to also reduce the complexity around API management. With the development team’s lack of knowledge on APIs, and with the safety of data and customer application interface at stake, decision-makers are ready for tools that provide robust security, improved visibility (i.e., who has access to it), and reduced complexity around securing their APIs.
To read all the findings of the Forrester Research report Improve API Performance With A Sound API Security Strategy, click here.
Try Imperva for Free
Protect your business for 30 days on Imperva.