Who Owns API Security?


Posted on by Richard Bird

APIs are essential in modern software development, connecting various applications for a unified digital experience. According to a Gitnux Market data report, around 86% of enterprises worldwide are using APIs to create business value. But their widespread use raises an important question: Who is responsible for API security?

 

Traceable’s recent State of API Security report highlights this concern, showing varied ownership across organizational roles. According to the report, the CISO or CSO leads in 19% of cases, closely followed by the Head of Quality Assurance at 18%. The CIO or CTO is responsible in 16% of organizations, while Business Units (LOB) account for 14%. The Head of Software Development manages it in 10% of cases, and notably, 11% of organizations lack a specific role or department for API security.

 

The dispersed ownership of API security can be attributed to the evolving nature of digital infrastructures and the roles within organizations. Forrester Principal Analyst Sandy Carielli said in the Security Weekly Podcast, “The challenge with API-based applications is a matter of scale because you might be in an organization managing a couple of hundred apps, but you could be managing tens of thousands or hundreds of thousands of APIs.” As APIs have grown in prominence, different departments, each with its unique perspective on security, have staked a claim. Additionally, the lack of a standardized approach to API security means that organizations often adapt based on their specific needs, resources and understanding of the technology, leading to varied ownership structures.

 

In any case, ambiguity in API security ownership creates concrete challenges.

The intricate nature of API security demands clear ownership. In fact, earlier this year, the non-profit Open Web Application Security Project (OWASP) released its API Security Top 10 list highlighting the specific risks associated with APIs. Additionally, the ACSC, CISA and NSA issued a joint cybersecurity advisory in July warning about IDOR (insecure direct object reference) attacks, the authorization flaw OWASP lists first as Broken Object Level Authorization, and one of the most common and costly forms of API breach: an authenticated caller simply changes an object identifier in a request and the API hands back someone else's record, which can compromise the personal, financial, and health information of millions of users and consumers. Ambiguity in this realm isn't merely an administrative oversight; it's a direct gateway to heightened security vulnerabilities.

 

  1. Unpatched Vulnerabilities: APIs, like all software components, can have vulnerabilities. Regular security assessments and patching are essential. Without a clear owner, these vulnerabilities might remain unaddressed, offering attackers easy entry points.

  2. Inconsistent Security Policies: APIs need to adhere to specific security policies, from authentication protocols to data encryption standards. Ambiguous ownership can lead to inconsistent or outdated security policies, making some APIs more vulnerable than others.

  3. Lack of Monitoring and Anomaly Detection: Continuous monitoring of API traffic is crucial to detect and respond to suspicious activities. Without clear ownership, there might be gaps in monitoring, or anomalies might not be acted upon promptly, giving attackers more time to exploit the system.

  4. Misconfigured Permissions: APIs often require specific permissions to access data or other services, and must in turn enforce what each caller is allowed to reach. Ambiguous ownership can lead to misconfigurations, where APIs might have broader access than necessary, increasing the potential damage of a breach.

  5. Delayed Response to Threats: In the world of API security, speed is of the essence. When a threat is detected, immediate action can mitigate potential damage. Without a designated owner for API security, response times can lag, allowing breaches to escalate.

  6. Inadequate Integration Security: APIs often serve as integration points between different systems. Without clear ownership, the security of these integrations can be overlooked, leading to potential data leaks or unauthorized access between systems.

  7. Overlooked Legacy APIs: As systems evolve, older APIs might be left in place for backward compatibility or other reasons. Without a clear owner, these legacy APIs, which might not adhere to current security standards, can be overlooked, becoming weak links in the security chain.
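The IDOR flaw the advisory warns about, and the misconfigured-permissions and monitoring gaps in the list above, are easiest to see in code. The following is an added example written for this page; it is not code from the original post, from Traceable, or from the advisory. It is framework-agnostic Python with a constructed in-memory order store and made-up identities (alice, bob, mallory): a handler that authenticates but never authorizes sits beside one that enforces object-level ownership and writes an audit trail, and a small detector then flags a caller whose denied lookups look like ID enumeration.

```python
"""IDOR / Broken Object Level Authorization: a vulnerable handler beside a
hardened one, plus a detector that flags ID enumeration in the audit log.
Constructed example; ORDERS and the identities below are made-up test data."""
from collections import Counter
from dataclasses import dataclass

# Constructed in-memory store standing in for the orders table.
ORDERS = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 19.99},
    103: {"owner": "bob", "total": 250.00},
}

# Audit trail the hardened handler writes to; a real service would ship this to a SIEM.
AUDIT_LOG = []


@dataclass(frozen=True)
class Request:
    caller: str    # identity established by authentication (e.g. subject of a validated token)
    order_id: int  # object identifier taken straight from the URL path or query string


class NotFound(Exception):
    """Maps to HTTP 404."""


def get_order_vulnerable(req: Request) -> dict:
    """Authenticated but never authorized: any logged-in caller can read any
    order simply by changing order_id. This is the IDOR pattern (OWASP API1)."""
    order = ORDERS.get(req.order_id)
    if order is None:
        raise NotFound(req.order_id)
    return order


def get_order(req: Request) -> dict:
    """Object-level authorization: the object is returned only if the
    authenticated caller owns it. Missing and foreign objects both yield 404 so
    the response does not confirm which IDs exist; both are logged as denials."""
    order = ORDERS.get(req.order_id)
    if order is None or order["owner"] != req.caller:
        AUDIT_LOG.append({"caller": req.caller, "order_id": req.order_id, "result": "denied"})
        raise NotFound(req.order_id)
    AUDIT_LOG.append({"caller": req.caller, "order_id": req.order_id, "result": "ok"})
    return order


def find_enumerators(log: list, threshold: int = 3) -> dict:
    """Detection side: a caller collecting many object-level denials is walking
    IDs. Returns {caller: denial_count} for callers at or above threshold."""
    denied = Counter(e["caller"] for e in log if e["result"] == "denied")
    return {caller: n for caller, n in denied.items() if n >= threshold}


def simulate_enumeration(attacker: str = "mallory", ids=range(100, 106)) -> list:
    """Constructed scenario: an authenticated attacker walks consecutive order
    IDs against the hardened handler while alice reads her own order. Returns
    the audit entries produced so the detector can be run over them."""
    AUDIT_LOG.clear()
    for oid in ids:
        try:
            get_order(Request(attacker, oid))
        except NotFound:
            pass
    get_order(Request("alice", 101))
    return list(AUDIT_LOG)


if __name__ == "__main__":
    # The vulnerable handler hands bob's order to mallory; the hardened one does not.
    print("vulnerable:", get_order_vulnerable(Request("mallory", 102)))
    try:
        get_order(Request("mallory", 102))
    except NotFound:
        print("hardened: 404 for mallory on order 102")
    print("flagged:", find_enumerators(simulate_enumeration()))
```

Two design choices matter here. The hardened handler derives ownership from the authenticated identity and the stored record, never from anything the client sends, and it answers a foreign ID with the same 404 as a missing one so probing does not reveal which IDs exist. The detector only works because the denials are logged at all; an API with no owner tends to have neither the check nor the log, which is exactly the gap items 3 and 4 above describe.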

API security stands as a frontline defense for organizations. Ambiguous ownership in this critical area doesn't just risk breaches; it jeopardizes the very trust that users and partners place in an organization's digital infrastructure.

 

How Definitive Ownership Elevates API Security and Drives Operational Excellence

 

Clear ownership of API security does more than settle who is accountable. It simplifies processes, makes security controls easier to apply consistently, and leads to a more stable and reliable digital environment.

 

  1. Strategic Precision: With a designated owner at the helm of API security, there's an opportunity to craft a bespoke security strategy tailored to the organization's unique needs and challenges. This focused approach ensures that security measures are not only robust but also aligned with the organization's broader objectives. It paves the way for APIs that are not just operational but fortified against evolving threats.

  2. Optimized Resource Utilization: Clear ownership provides a vantage point from which to view the entire landscape of API security. This bird's-eye view allows for the judicious allocation of resources, ensuring that every dollar invested yields maximum security. It eliminates redundancies and ensures that critical areas receive the attention they warrant, leading to more cost-effective and efficient security.

  3. Unwavering Accountability: When there's a clear custodian for API security, there's no ambiguity about who's accountable for successes and failures. This direct line of responsibility fosters a culture of proactivity. The designated owner, aware of their pivotal role, is more likely to stay abreast of the latest threats, ensuring that the organization's defenses are always a step ahead. Moreover, this clarity can expedite decision-making during critical moments, ensuring swift and effective responses to emerging threats.

  4. Enhanced Collaboration: A clear owner often acts as a nexus for collaboration. They can rally different departments around the common goal of API security, fostering cross-departmental collaboration. This synergistic approach ensures that security measures benefit from diverse expertise, leading to more holistic and comprehensive protection.

  5. Continuous Improvement: With a dedicated owner, there's an inherent drive to continuously elevate the standards of API security. Regular reviews, updates, and refinements become the norm, ensuring that the organization's API security posture evolves in tandem with the digital threat landscape.

 

The data underscores a pressing need for organizations to establish clear ownership and responsibility for API security. Such clarity not only mitigates risks but also instills confidence among stakeholders, partners, and customers. As the digital landscape continues to evolve, organizations that prioritize and enforce API security ownership will be better positioned to navigate challenges, protect their assets, and thrive in the digital age.


Contributors
Richard Bird

CISO, Traceable


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

