Another problem that I found concerned Web services accounts that were tied to a person. Web services accounts should be tied to an independent system (service) account, not to a person. People leave, and when they do, their accounts should be deleted. You've got a problem if deleting one of those accounts breaks an API integration that was running under it.
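One way to check for this in an inventory of integrations, as an added example that is not code from the original column: cross-reference each integration's owning principal against the directory and flag anything running under a human account, a disabled account, or an account that no longer exists. All account and integration names below are constructed.

```python
"""Audit whether API/web-service integrations run under personal accounts.

Added example with constructed sample data; not from the original column.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    principal: str
    kind: str      # "person" or "service"
    active: bool   # False once the account is disabled at offboarding


@dataclass(frozen=True)
class Integration:
    name: str
    owner: str     # principal whose credentials the integration runs under


def audit_integration_owners(integrations, directory):
    """Return (integration name, finding) pairs for risky ownership.

    Findings, checked in this order:
      "owner-missing"    owner is not in the directory (already deleted)
      "owner-disabled"   owner exists but is disabled
      "owner-is-person"  integration runs under a human account
    """
    accounts = {a.principal: a for a in directory}
    findings = []
    for integ in integrations:
        acct = accounts.get(integ.owner)
        if acct is None:
            findings.append((integ.name, "owner-missing"))
        elif not acct.active:
            findings.append((integ.name, "owner-disabled"))
        elif acct.kind == "person":
            findings.append((integ.name, "owner-is-person"))
    return findings


# Constructed sample: hypothetical directory entries and integrations
DIRECTORY = [
    Account("svc-crm-sync", "service", True),
    Account("jsmith", "person", True),
    Account("mlee", "person", False),          # left the company; disabled
]
INTEGRATIONS = [
    Integration("crm-to-erp", "svc-crm-sync"),  # correct: service account
    Integration("payroll-export", "jsmith"),    # tied to a current employee
    Integration("partner-feed", "mlee"),        # tied to a departed employee
    Integration("legacy-report", "tnguyen"),    # owner account already deleted
]

if __name__ == "__main__":
    for name, finding in audit_integration_owners(INTEGRATIONS, DIRECTORY):
        print(f"{name}: {finding}")
```

Anything flagged "owner-is-person" is the case the column warns about: it still works today but will break on that person's offboarding.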
My review did turn up a bright spot: encryption in transit isn't an issue for us, since we force all connections over HTTPS, an approach sometimes called "SSL Everywhere."
By the way, if you're interested in assessing the security of API or Web services calls in your company, there are many resources on the Internet that provide a wealth of information. My favorite is one published by the Open Web Application Security Project (OWASP). I also recommend hiring a trusted third party to review any developed code and architecture to ensure that you're using this technology in a secure manner, since there's potential for big trouble if you're not.