© Jonathan Nackstrand, AFP
The backlash that Experian, Peloton and Echelon are facing as a result of leaky APIs as well as the rise in funding for API security companies like Salt Security should serve as a sign to all companies that API security needs to be taken very seriously.
With Experian for example, a researcher put forward the finding credit scores of almost every U.S. adult were exposed through an API tool used by the Experian credit bureau. This apparently was left open on a lender site without even basic security protections.
With another example, at-home exercise giant Peloton and its closest rival Echelon were found to be not stripping user-uploaded profile photos of their metadata.
The importance of addressing APIs is a concern among the developer community, according to a recent RapidAPI survey, 61 percent of developers used more APIs in 2020 than in 2019, and 71 percent plan to use even more this year, but if they do not yet have a firm grasp on how to keep these new APIs secure, their company could be the next facing a crisis.
The survey finds:
- API adoption is on the rise across all industries. For example, developers have increased their usage of APIs and plan to utilize them in their coding projects even more in the upcoming year.
- Participation in the API economy is a key priority. Here, companies across all industries are prioritizing investments in the API economy.
- The adoption of new API technologies continues to accelerate. Although REST continues to be the most popular, there is interest in emerging technologies, including Serverless & FaaS, Websockets, and gRPC.
While many developers are adding security measures as a final step in the API building process, some experts believe that is simply not enough. An example of someone in this camp is Crispen Maung, Head of Information Security and Compliance at RapidAPI.
Maung tells Digital Journal that security needs to be baked in much earlier and should be considered across the entire API lifecycle.
Maung explains: “Organizations need a stronger API development methodology that has the same types of testing and QA processes as application code development. They need to have a full understanding of that development process and should maintain full control of API usage.”
In terms of the detail, Manug adds: “If an organization connects to a SaaS provider via an API, they also need to confirm that the connecting company has a mature due diligence process as well to ensure their data security and privacy obligations are met. This is especially important when sensitive data is being transferred between organizations.”