DEVOPSdigest

Everyone can agree that application programming interface (API) security is important, but whose responsibility is it? Many organizations don't have a clear answer — and this presents a major opportunity for developers to step up into an important new role: API champion.

Given their hands-on experience with APIs, development teams understand the integrations better than anyone. Becoming their company's API champion empowers developers to assess their current security posture, identify potential vulnerabilities, and determine what to do in the event of an incident.

All too often, development teams are left scrambling in the event of a breach. A 2023 report from Noname Security found that more than half of developers (53%) spend between 26-50% of their time on API refactoring and remediation; 14% say that takes up 51-75% of their workday. With cybersecurity issues on the rise, development teams are spending entirely too much time fixing issues that could have been prevented.

Why API Security Must Remain a Priority in 2024

As most developers are aware, APIs allow software components to interact with each other, whether it's within the same application, on the same device, or over a shared network. Currently, they account for more than 80% of current internet traffic, according to the 2023 report. That's because companies have an average of 15,564 APIs in use at any given time, according to 451 Research. This balloons to 25,592 APIs for enterprises with more than 10,000 employees.

And because they're so pervasive, APIs can also act as both a gateway and a getaway car for hackers to steal private information, including critical business data.

As attack surfaces continue to broaden, it comes as no surprise that API security incidents are on the rise, with 78% of businesses reporting an issue in 2023, up from 76% the year before, according to the study. Organizations that collect more personally identifiable information (PII) from their customers, including financial services firms, retail and e-commerce companies, and healthcare organizations, were hit especially hard, the data shows.

Deep pockets don't seem to change a company's fate against sophisticated hackers either, as companies with robust cybersecurity programs, including X (formerly Twitter) and Dropbox, have all fallen victim to major API breaches over the past few years. These incidents often have a major impact on customer satisfaction and ultimately, a company's bottom line.

Ensuring data security is an important, albeit overwhelming task, so it's important to identify an API champion's responsibilities.

What Exactly Does an API Security Champion Do?

To safeguard a company's data, an API security champion must have a clear understanding of how APIs are being used and where. They should also:

1. Make sure APIs are secure before they're deployed

The vast majority of API defects — more than 85% — are created in development, usually during the initial coding phase, the study found. Remediating a problem before it's shipped is easier and more cost effective, so it's critical to ensure APIs are secure from the start.

2. Test APIs continuously

Regular testing will be critical for eliminating vulnerabilities, especially as attack surfaces continue to broaden. Fortunately, modern tools have emerged that make testing APIs fast, efficient, and scalable without putting more stress on developers.

3. Gain visibility into their company's API footprint

The majority of respondents in the study reported a lack of visibility into their API footprint. While 72% of US businesses surveyed said they have a full inventory of APIs, just 40% knew which ones returned sensitive data. In addition, 26% claimed to have a partial list, but of those, only 24% said they knew which ones to prioritize. Without that information, it becomes impossible to accurately assess risk and exposure levels.

The most effective way to change this is by leveraging tools that create a working catalog of a business' APIs. Knowing where sensitive data is traversing APIs has the added benefit of helping organizations stay compliant with regulations like Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and Health Insurance Portability and Accountability Act (HIPAA).

Developers have a complicated job, and API security breaches only make it tougher. By investing in protecting API security from the start, teams can more effectively secure their attack surfaces, protect data, and get back to the work that really matters: core development.