Open API Survey Report

By the Open API CSA Working Group

Cloud Security Alliance completed its first-ever Open API Survey Report, in an effort to see exactly where the industry stood on the knowledge surrounding Open APIs as well as how business professionals and consumers were utilizing them day to day. The key traits taken from the survey will be noted within this blog post to give the reader an idea of our current state of Open API knowledge and function. Moving forward, source code for security and open platforms has become increasingly shareable. As source code becomes more shareable between companies, it is giving way to new and robust manners which can be leveraged to improve upon what we already know.

The survey was meant to be used as a means to see:

• What the outlook and future of Open API’s are
• The gaps we can notice from people actually using them
• How they can become more useful for better security posture and development
• How Open APIs can be used for emerging technologies.

Interoperability is key within this survey. Businesses like the idea of using Open-API’s because of their ability to work with systems already in place, and the ability to edit them to specific needs of a business. However, with this comes a lack of common education on where to go for implementing them, or how their security functions work internally from the original source.

Unfolding within this survey, however, was one thing that stood out the most among all of the questions and answers. Was anyone aware of best practices guide concerning Open APIs? The number was quite staggering, with 84% saying no. This immediately raises a red flag. The one thing we are using the most within development lifecycles and to build new products, doesn’t have a well-known guidance supporting its usage and implementation into business models.

As we move towards a future of open banking and other items that will be played at the hand of Open APIs, it is noticed that 44.74% of respondents to this survey have already implemented some form of an Open API.

The Open API platforms businesses are currently using or planning to use in the future were Key management/organization with 28%, and Open API Universal banking (PSD2) coming in a very close second. With the growth of online banking, however, this number for Universal Banking is more than likely going to grow the most in the coming years compared to other areas of specific interest.

Building off of this question, we next asked if SaaS apps have proper security guarding them. 57% of the responses answered No. Of those 57% who answered No, 40% answered that they already have implemented Open API within their own workspace. Being already familiar with the existence of an Open API, we can confidently assume that security posture with SaaS apps are lacking security features. Because of the free availability of these programs, this can be looked at as no single guideline for secure functions being implemented through each use of a specific API. Lack of guideline and security input from development teams is a vital part of this missing function.

A staggering 94% responded “Yes” that security vendors should, in fact, be maintaining the Open-API’s for SaaS vendors in an effort to push real-time updates. Half of that group is within the category of also already having a strong implementation of currently used open- API’s, which also has suggested that the biggest benefit to their organization is interoperability.

Something to note from this data set specifically, is that of all of the “yes” answers above are presently split down the middle that the future of Open API’s in speaking to security will lie more dominantly in the IoT devices and B2C/AI categories.

According to the study:

• 71% - Lack of knowledge on how to get started with Open API framework
• 89% - Not enough information on securing Open API’s
• 73% - Not enough information on how to implement Open API’s or where to look for a checklist for security posture.

These all flow together to form a larger picture --> “How do we do this and where do we go?” A lack of guidance and policy surrounding these items is creating confusion beyond just implementing different open API's.

We had our respondents rate the best to the worst for organizations to implement security across SaaS vendors which included forward and reverse proxies, webhook integration, and other. As you can see from the image above, forward and reverse proxy scored 22% within the category as being the worst choice (1). Looking at the rows from 1 to 5, webhooks framework yielded the highest positive average ratio for the best choice for implementing security across SaaS vendors.

It is important to note that webhook integration was the strongest choice for security posture and integration into a business environment. Though there were only 13% saying that they strongly agree, 52% were able to agree that a webhook integration is critical to the expansion of an existing framework. Of that group of 52%, more than 60% of their organizations either are working with universal banking initiatives or key management.

There is much left to be developed within the realm of securing Open APIs and giving the reigns to who should actually be responsible for such a job. With Universal Banking becoming dominant internationally and moving into North America, the focus needs to shift to the idea of an interoperable and flexible framework that can give enterprises a knowledge base for building their programming architecture outwards.

Interested in learning more about Open APIs? Visit the working group page here.