Jim Shreve and Joel Lutz, attorneys with Troutman Pepper, were quoted in the March 5, 2025 Cybersecurity Law Report article, “FTC Settlement Spotlights Security of APIs Proliferating Across the Internet.”

“While addressing risks from no-longer-supported software is a common element of many security standards, the requirements in this settlement to disconnect hardware using the unsupported software, or develop a mitigation plan if disconnection is infeasible, is new for an FTC consent order,” Troutman Pepper Locke partner James Shreve told the Cybersecurity Law Report.

A quarter of companies had their number of APIs increase 100% or more over the past year, according to the Salt Survey Report. At 55% of companies, the API inventory grew by at least 50%. The number of APIs companies are using has jumped because of expanding AI use, Shreve observed.

The good news, Troutman Pepper Locke counsel Joel Lutz reported, is that “more technical solutions are available today to help identify APIs and inventory them, which is the foundational step to ensuring they are secure.”

Initial priorities to establish comprehensive API governance go beyond inventorying to “validating the configuration of all those APIs found, and monitoring for newly implemented APIs,” Lutz said.

“The challenge in catching up if a company is behind on API governance,” Lutz noted, “is usually around understanding exactly what the API is doing, keeping documentation accurate and up to date, and ensuring existing APIs are properly configured in accordance with documentation and security standards.” Inadequate focus on documentation was a concern for 13% of Salt’s respondents.

For the most part, APIs do not pose unique security risks. Thus, “security controls employed in many other contexts help in securing APIs as well,” noted Shreve.
