According to an Akamai report, API queries account for 83% of all web traffic. The report is an interesting read indeed. It reveals a lack of knowledge and strategy around API security. Of those surveyed, 5% had no API security strategy, and 22% were in the planning stages for API security. It's no surprise, then, that 83% of them lacked confidence in the APIs they were using, and 8% had no confidence at all. Companies had not documented their APIs properly because their tools relied on human interaction.
How seriously does your organization take API security? Do you have a strategy in place?
We start by reviewing the specification/contract for any third-party API. And this can involve the third party correcting their documentation! Aside from that, we use an API gateway, so that controls are applied to all calls, and also Akamai.
What's the best way to document APIs? There are lots of tools out there. I like SwaggerHub and Redoc simply because they are OpenAPI compliant. Now, when it comes to gateways, I've seen a few, and what matters is the "onboarding" process and making sure that security controls like IP filtering are actually applied.