The API economy continues to boom – as aviation API hub goes live
Security testing remains exceptionally low however...
The API economy continues to expand rapidly, new research revealed this week, with approximately 70% of respondents to a survey expecting to use more APIs in 2023 than last year – and data showing an increase in the usage of all types of APIs; the majority used internally but with increasing numbers also partner-facing.
APIs, or application programming interfaces, are a software intermediary that allows two applications to talk to each other; they function as a door or connective tissue between applications and indeed often organisations to share data. An API-led connectivity approach to enterprise integration can streamline how enterprises interact with customers and remove bottlenecks around point-to-point or enterprise service bus (ESB) integrations.
State of APIs: More GraphQL, more Kafka
The State of APIs 2022 report from Rapid came days after the company – which maintains the world’s largest API hub with over four million developers accessing more than 40,000 APIs via – announced the launch of a unique aviation API hub with IATA (International Air Transport Association) for its 290 airline industry members.
Muhammad Albakri, SVP, Financial Settlement and Distribution Services at IATA said: “APIs are broadly used in the travel industry, from providing offers to customers to baggage tracking to flight status notifications.”
He added in a canned statement: “The true value of this partnership stems from the ability to successfully discover APIs, facilitate connectivity and help build trusted relationships between API providers and API consumers so that they may quickly and efficiently bring new players and applications to the market.”
IATA’s members account for 83% of all air traffic and as Rapid’s Field CTO Alex Walling told The Stack: “What they're doing is essentially creating what I'll call standards for the APIs across all the different airlines. So when you look at a United API, it'll hopefully through IATA look and feel and function similarly to a Lufthansa and Swiss airlines, and an Emirates API. [This] level of consistency and quality across these APIs… will really help drive the industry forward. You're setting up the airline industry to be a more connected digital industry.”
He added on a call: “A majority of developers and companies are still going to be primarily using RESTful APIs. Hopefully, most of them have gotten off of SOAP (we do support SOAP)… we do see some use cases for when there's a large data set and lots of queries being made against APIs [that] GraphQL is going to be a really valuable use case for the airline industry. We also see async, streaming and event APIs, things like Kafka and gRPC kind of being the next wave, especially in the airline industry. I don't see many airlines using it today…”
Rapid found that 62.6% of developers reported relying on APIs more in 2022 than they did in 2021. Additionally, 69.2% expect to rely on APIs even more in 2023. Industries including financial services, tech, telecommunications, and healthcare reported monetising APIs at an above-average rate, Rapid found.
Examples of massive API growth in financial services are not hard to come by: British bank NatWest, for example, has moved from zero to 900 million API calls per month within just a few years, Jonathan Haggarty, NatWest’s Head of “Bank of APIs” Technology said, adding that the bank now connects to 270 companies. (He told delegates at a MongoDB event on November 15: “They’re quite big numbers – in that they were zero a few years ago – but they’re also quite small numbers, in that we expect 10X growth in coming years.”)
Citi’s Technology and Operations lead Stuart Riley meanwhile said at an investor day that the bank is now serving around eight billion API calls across 300 APIs each year. Examples across other verticals abound.
Perhaps somewhat troublingly, the Rapid State of APIs report found that just 4% of developers test APIs for security. Whilst this may be because they are confident a larger security function is running testing, it does once again suggest that a DevSecOps approach remains less widespread than the ubiquity of the term would suggest and comes in the wake of a series of data breaches caused by insecure APIs, including at T-Mobile.
As Vikas Anand, Director of Product, Business Application Platform, Google Cloud, wrote earlier this month: "As a gateway to a wealth of information, APIs have also quickly become the primary attack vector in security incidents. When we surveyed 500 technology leaders, we learned that more than 50% of organizations experienced an API security incident in the last 12 months. Adding to the increasing magnitude of attacks, there are an increasing number of vectors for potential API security incidents like misconfigurations, outdated APIs/data/components, and bots/spam/abuse. These security issues aren’t just in production APIs, but at every stage in the API lifecycle."
He added: "Notably, we found that 67% of the issues are discovered during testing as part of the release management process. This trend ushers in the need for forward-thinking organizations to 'shift left' with security — moving controls earlier into the production workflow — by bringing security teams and API teams closer."