Why is API security always somebody else's problem?