KuppingerCole Report
Whitepaper
By Alexei Balaganski

The Dark Side of the API Economy

Application Programming Interfaces (API) have become a crucial factor in delivering operational efficiency, scalability, and profitability for most businesses. Nowadays, everything is API-enabled: corporate data is the product and APIs are the logistics of delivering it to customers and partners. Unfortunately, many organizations still lack competence in the field of API security and tend to downplay API-related risks. Many are also overconfident in the capabilities of their existing tools. This paper aims to dispel several common API myths and provide recommendations on designing a comprehensive and future-proof API security strategy.

1 Introduction

APIs are fascinating. No, really! And one does not have to be a developer or an IT expert to appreciate the impressive transformation they have gone t ...

This massive and ever-increasing growth clearly indicates that APIs are no longer just “an IT thing” – they have a very tangible impact on nearl ...

2 Highlights

  • In the last decade, APIs have evolved from a purely technical, developer-centric concept towards becoming a massive enabler for new business models, ...

3 The Dark Side of the API Economy

Unfortunately, relying on lightweight and largely ad hoc REST protocols to publish or consume APIs as quickly and easily as possible means that securi ...

3.1 Instagram Exposed Celebrities' Contact Details

In August 2017, the popular social media platform Instagram (owned by Facebook) revealed that an unknown hacker obtained unlawful access to a number o ...

3.2 T-Mobile Leaked Sensitive Data of 2.3 Million Customers

In August of 2018, T-Mobile, an American mobile communications provider and a subsidiary of Germany’s Deutsche Telekom, was hit by a large-scale dat ...

3.3 Access Token Vulnerability Allowed Facebook Profile Takeover

In late September 2018, Facebook announced that over 50 million user accounts were affected by a security glitch that potentially allowed attackers to ...

3.4 US Postal Service Exposed Data of Over 60 Million Users

In November 2018, an independent security researcher publicly revealed a massive security vulnerability on the USPS website, which he initially discov ...

4 What Went Wrong?

As the examples from the previous chapter demonstrate, even the largest enterprises, with massive IT budgets and large teams of security experts, stil ...

4.1 The Human Factor

Perhaps the biggest challenge to API security (or any other field of information security indeed) is the inertia of human thinking. Even though APIs h ...

4.2 Common API Myths

Myth #1: APIs are a Technology Concept, Unrelated to the Business

Perhaps the biggest myth about APIs is that they are still just a purely technologic ...

API security should be seen as a continuous process that covers every stage of the API lifecycle - from its conceptual design (even before any code ...

4.3 The Role of Identity

Another critical aspect that sometimes gets overlooked is the role of identity in APIs and its massive influence on their security. Even though the ea ...

4.4 The Scope of API security

Summarizing various points mentioned earlier, there can be only one sensible conclusion: API security is by no means easy, on the contrary – it is m ...

Unfortunately, many companies tend to stop a bit early in this process – after recognizing correctly that they have multiple such security tools alr ...

4.5 Artificial Intelligence to the Rescue

Artificial Intelligence and machine learning (AI/ML) are perhaps the hottest buzzwords nowadays in nearly every industry, and this is especially relev ...

5 Recommendations

Let’s summarize the key takeaways of this paper. What things do you need to consider before tackling the multidisciplinary field of API security to ...

5.1 Education is Key

Contrary to what some people still believe, APIs have already become a crucial factor of your business’s operational efficiency, scalability, and pr ...

5.2 Designing an API Strategy

The crucial difference between a well-designed comprehensive multi-layered API security infrastructure and just having a collection of security tools ...

5.3 Know What You're Protecting

The first step in any API strategy is knowing the full extent of the assets that need protection. Discovery of all APIs within the corporate IT infras ...

5.4 API Zero Trust

Identity is perhaps the most crucial context factor that defines the efficiency of modern cybersecurity solutions in any market segment. In a modern, ...

5.5 Automating API Security

Finally, one should consider the tremendous efforts security experts must go through to analyze a security incident based on numerous indicators of co ...

Copyright

©2019 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com.