Why Your Company Needs an API Security Champion for 2024
February 14, 2024

Shay Levi
Noname Security

Everyone can agree that application programming interface (API) security is important, but whose responsibility is it? Many organizations don't have a clear answer — and this presents a major opportunity for developers to step up into an important new role: API champion.

Given their hands-on experience with APIs, development teams understand the integrations better than anyone. Becoming their company's API champion empowers developers to assess their current security posture, identify potential vulnerabilities, and determine what to do in the event of an incident.

All too often, development teams are left scrambling in the event of a breach. A 2023 report from Noname Security found that more than half of developers (53%) spend between 26-50% of their time on API refactoring and remediation; 14% say that takes up 51-75% of their workday. With cybersecurity issues on the rise, development teams are spending entirely too much time fixing issues that could have been prevented.

Why API Security Must Remain a Priority in 2024

As most developers are aware, APIs allow software components to interact with each other, whether it's within the same application, on the same device, or over a shared network. Currently, they account for more than 80% of current internet traffic, according to the 2023 report. That's because companies have an average of 15,564 APIs in use at any given time, according to 451 Research. This balloons to 25,592 APIs for enterprises with more than 10,000 employees.

And because they're so pervasive, APIs can also act as both a gateway and a getaway car for hackers to steal private information, including critical business data.

As attack surfaces continue to broaden, it comes as no surprise that API security incidents are on the rise, with 78% of businesses reporting an issue in 2023, up from 76% the year before, according to the study. Organizations that collect more personally identifiable information (PII) from their customers, including financial services firms, retail and e-commerce companies, and healthcare organizations, were hit especially hard, the data shows.

Deep pockets don't seem to change a company's fate against sophisticated hackers either, as companies with robust cybersecurity programs, including X (formerly Twitter) and Dropbox, have all fallen victim to major API breaches over the past few years. These incidents often have a major impact on customer satisfaction and ultimately, a company's bottom line.

Ensuring data security is an important, albeit overwhelming task, so it's important to identify an API champion's responsibilities.

What Exactly Does an API Security Champion Do?

To safeguard a company's data, an API security champion must have a clear understanding of how APIs are being used and where. They should also:

1. Make sure APIs are secure before they're deployed

The vast majority of API defects — more than 85% — are created in development, usually during the initial coding phase, the study found. Remediating a problem before it's shipped is easier and more cost effective, so it's critical to ensure APIs are secure from the start.

2. Test APIs continuously

Regular testing will be critical for eliminating vulnerabilities, especially as attack surfaces continue to broaden. Fortunately, modern tools have emerged that make testing APIs fast, efficient, and scalable without putting more stress on developers.

3. Gain visibility into their company's API footprint

The majority of respondents in the study reported a lack of visibility into their API footprint. While 72% of US businesses surveyed said they have a full inventory of APIs, just 40% knew which ones returned sensitive data. In addition, 26% claimed to have a partial list, but of those, only 24% said they knew which ones to prioritize. Without that information, it becomes impossible to accurately assess risk and exposure levels.

The most effective way to change this is by leveraging tools that create a working catalog of a business' APIs. Knowing where sensitive data is traversing APIs has the added benefit of helping organizations stay compliant with regulations like Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and Health Insurance Portability and Accountability Act (HIPAA).

Developers have a complicated job, and API security breaches only make it tougher. By investing in protecting API security from the start, teams can more effectively secure their attack surfaces, protect data, and get back to the work that really matters: core development.

Shay Levi is CTO and Co-Founder of Noname Security
Share this

Industry News

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.

April 10, 2024

Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.

April 10, 2024

AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.

April 09, 2024

Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.

April 09, 2024

Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.

April 09, 2024

appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).

April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

April 09, 2024

DataStax announced innovative integrations with API extensions to Google Cloud’s Vertex AI Extension and Vertex AI Search, offering developers an easier time leveraging their own data.

April 08, 2024

Parasoft introduced C/C++test CT, a comprehensive solution tailored for large teams engaged in the development of safety- and security-critical C and C++ products.

April 08, 2024

Endor Labs announced a strategic partnership with GuidePoint Security.

April 08, 2024

Hasura announced the V3 of its platform, providing on-demand API composability with a new domain-centric supergraph modeling framework, a distributed supergraph execution engine and a rich and extensible ecosystem of open source connectors to address the challenges faced during integration of data and APIs.

April 04, 2024

DataStax has entered into a definitive agreement to acquire AI startup, Logspace, the creators of Langflow, an open source visual framework for building retrieval-augmented generation (RAG) applications.1