Date: 2023-05-31

Most applications built today leverage Application Programming Interfaces (APIs), code that makes it possible for digital devices, applications, and servers to communicate and share data. This code, or collection of communication protocols and subroutines, simplifies that communication, or data sharing. The use of APIs is growing exponentially, year over year, and with the growth of cloud computing, cloud APIs have become the essential building blocks for developing applications in the cloud using today’s agile development practices.

APIs enable organizations to bring innovative applications and functionality to customers at an increasingly fast pace and also serve as applications for provisioning cloud platforms, hardware, and software, acting as service gateways to enable indirect and direct cloud services. While the growing use of APIs increases seamless integration and improves customer experiences, a new set of risks emerges.

It is important for organizations to understand the risks associated with the use of APIs and prepare to address those risks. Companies at the start of their API security journey should begin by establishing an inventory of APIs in the environment, including the functionality they perform, languages they use, authentication and data security requirements they have, as well as the primary owners/developers of those APIs. Once the inventory is complete, an organization can move on to threat modeling to understand the threats to its APIs. This should include a strong understanding of data flows and trust boundaries. The API code should then be subject to manual and automated testing to identify vulnerabilities and misconfigurations.

To help address the new risk landscape, consider the security risks associated with the use of APIs, such as:

Overall, adhering to security best practices and managing APIs effectively can help mitigate many of the security risks discussed above. Protiviti recommends integrating API security into an organization’s broader application security program. Several best practices for securing APIs include:

Getting started

While there are steps every organization can take to secure their APIs, the journey to building a robust security and privacy program is never over, so continuous monitoring and re-evaluation of best practices are vital.

A mature application security program should incorporate API security into its day-to-day activities. For others, this may be a larger effort, but the risks associated with the use of APIs will only continue to grow with their increased adoption. Regardless of where each organization is in its API security journey, Protiviti is ready to assist with building and maintaining an API security program from the ground up, or to assist in maturing an existing application security program to include securing APIs. Our security professionals have extensive experience in API development, and we understand how to securely meet any organization’s growing API needs.

Keith Zelinski, Managing Director, Technology Consulting