There are a lot of insecure APIs in the industry, especially custom point-to-point integrations.

If an API security specification is older than a year or so, it most likely doesn’t follow the latest best practices. Like web security, API security is a constantly evolving space, with input from both practice and academic research. OWASP has launched the API Security Top 10 project to highlight some of the vulnerabilities found in insecure API implementations. Your data can be encrypted at rest and in transit, yet without API authentication it can still be exposed to anyone. In other words, encryption and proper API authentication/authorization protect against very different threats, and both have to be covered in your design and testing.
