
Time to Rein in API Sprawl

Application programming interfaces (APIs) are at the heart of any digital business transformation, but as organizations embrace cloud-native computing it is quickly becoming apparent that there is a much greater need for a centralized approach to API management.

A cloud-native application is made up of multiple microservices that each have their own API. Managing APIs was challenging enough in the monolithic era of application development, but as more cloud-native applications are built and deployed, the number of APIs in use has increased exponentially.

A survey of nearly 1,000 IT leaders, architects, and developers conducted by Axway finds more than two-thirds are already concerned about API sprawl. As a result, more than half (52%) have increased budget dollars allocated to APIs in 2022. However, only just over a quarter (26%) have an enterprise-wide strategy in place for APIs.

More troubling still, many of those APIs are not especially secure. A survey of more than 250 security, application and DevOps executives and professionals published today by Salt Security found 95% of respondents experienced a security incident involving APIs in the last 12 months, with 62% reporting they slowed down the rollout of an application because of API security concerns.

Similarly, a survey of 37,000 developers and API professionals conducted by Postman, a provider of an API management platform, finds 20% are responding to API security incidents or breaches at least once a month at their organizations. Zombie APIs that have been exposed but subsequently abandoned by developers can be especially problematic because they provide cybercriminals with a poorly defended endpoint through which they can exfiltrate data.

Overall, the same survey finds more than half of organizations (51%) spend more than half of their development effort on APIs. A separate survey of 1,500 development, testing and software delivery lifecycle professionals conducted by SmartBear, a provider of tools for building APIs, finds half of respondents spend more than 70% of their week testing APIs.

API lifecycle management is emerging as an IT discipline focused on streamlining the building, testing, securing and deployment of APIs. Best practices include API monitoring, design reviews, security analysis and style guides. The challenge isn’t so much acquiring the tools and platforms required to implement these best practices as it is changing the internal culture of the teams that build and deploy APIs. Too often the building and deployment of an API is an afterthought. An API-first approach within the context of a larger DevOps workflow assumes the design and development of the API come before the implementation of the rest of the application. After the API has been developed, the development team uses it to build the rest of the application.
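The monitoring practice described above is also the most direct defense against the zombie APIs mentioned earlier: an endpoint that still answers traffic but appears in no published specification, or a declared operation that nobody calls any more, is only visible if the declared inventory is regularly reconciled against observed traffic. The following is an added example, not code from the article or from any of the vendors it cites, showing that reconciliation. The OpenAPI-style inventory (`DECLARED_SPEC`) and the gateway access log lines (`ACCESS_LOG`) are constructed sample data; in practice they would be loaded from the team's published spec and from the API gateway's logs.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: a minimal OpenAPI-style inventory of the operations the
# team intends to expose. In a real deployment this is loaded from the
# published spec (hypothetical file name: spec.json).
DECLARED_SPEC = {
    "paths": {
        "/v2/users/{id}": {"get": {}, "delete": {}},
        "/v2/orders": {"get": {}, "post": {}},
        "/v2/health": {"get": {}},
    }
}

# Constructed sample API gateway access log (Common Log Format style).
ACCESS_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:00:01 +0000] "GET /v2/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2022:10:00:02 +0000] "POST /v2/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/Jun/2022:10:00:03 +0000] "GET /v1/users/42/export HTTP/1.1" 200 90421
10.0.0.9 - - [01/Jun/2022:10:00:04 +0000] "GET /v1/users/43/export HTTP/1.1" 200 88310
10.0.0.7 - - [01/Jun/2022:10:00:05 +0000] "GET /v2/health HTTP/1.1" 200 2
10.0.0.7 - - [01/Jun/2022:10:00:06 +0000] "GET /v2/admin/debug HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_log(text: str) -> List[Tuple[str, str, int]]:
    """Extract (method, path, status) from each CLF-style line; skip malformed lines."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        out.append((m.group("method"), path, int(m.group("status"))))
    return out


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn an OpenAPI path template such as /v2/users/{id} into an anchored regex.

    Each segment is escaped individually so that the {param} placeholders can be
    swapped for a single-segment wildcard without fighting re.escape's own braces.
    """
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def normalize_path(path: str) -> str:
    """Collapse purely numeric segments to {id} so unknown endpoints group by shape."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def declared_operations(spec: dict) -> Dict[Tuple[str, str], "re.Pattern[str]"]:
    """Map (METHOD, template) to a compiled matcher for every operation in the spec."""
    ops = {}
    for template, methods in spec["paths"].items():
        rx = template_to_regex(template)
        for method in methods:
            ops[(method.upper(), template)] = rx
    return ops


def reconcile(spec: dict, log_text: str) -> dict:
    """Compare the declared inventory with observed traffic.

    active       - declared operations that were actually called
    unused       - declared operations with zero traffic (stale; review or retire)
    undocumented - observed (method, normalized path) pairs matching no declared
                   operation: shadow or zombie endpoints that need an owner
    """
    ops = declared_operations(spec)
    hits: Counter = Counter()
    undocumented: Counter = Counter()
    for method, path, _status in parse_log(log_text):
        for (op_method, template), rx in ops.items():
            if method == op_method and rx.match(path):
                hits[(op_method, template)] += 1
                break
        else:
            undocumented[(method, normalize_path(path))] += 1
    return {
        "active": dict(hits),
        "unused": sorted(op for op in ops if op not in hits),
        "undocumented": dict(undocumented),
    }


if __name__ == "__main__":
    report = reconcile(DECLARED_SPEC, ACCESS_LOG)
    for bucket in ("active", "unused", "undocumented"):
        print(bucket, report[bucket])
```

On the sample data the report flags the `/v1/users/{id}/export` endpoint, which serves large responses but appears in no current spec, as undocumented, and the declared `DELETE /v2/users/{id}` and `GET /v2/orders` operations as unused. Either bucket is a work item for the owning team rather than an automatic block: the first needs an owner and a spec entry (or decommissioning), the second a decision about whether it should still be exposed at all.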

The goal is to make sure the API is a core element of the application rather than something added later by a different set of developers who didn’t really understand how the rest of the application behaves. The latter approach also tends to create bottlenecks that can adversely impact performance and, in some cases, inadvertently introduce a single point of failure.

It’s not always clear within organizations who should be responsible for APIs. Developers may build an API, but the ongoing maintenance of an API, including cybersecurity, usually falls to a DevOps team. The challenge is making sure an API doesn’t break as the pace at which updates to an application are made continues to accelerate.

Each organization, depending on the number of APIs being employed, will need to determine for itself how best to manage them, but the one thing that is certain is there will be many more of them to manage in the months and years ahead. As such, whatever approach is being employed to manage APIs today will likely need to be revisited soon.
