A GUIDE TO API SECURITY

We all know by now that APIs, application programming interfaces, make the world go around. More precisely, they let distinct modern applications communicate with each other. Mobile or web applications can access a backend where data is stored and processed. APIs can be public allowing applications from different companies to communicate or private, which is common, where internal applications integrate to meet business goals. The result? More robust, full-fledged applications, websites and mobile apps with broader functionality and more diverse data. For instance, rather than creating their own payment services from scratch, ride-sharing companies can add it via the APIs of payment companies. Another example are flight aggregator sites. In order to show us flight times, prices, destinations and everything else we need to know about a plane ticket, they connect via API calls to airline databases to pull the right data and display it to us in our aggregator search results page. The importance of APIs are growing, with more and more companies describing themselves as “API-first.” In some cases, a company’s actual product is an API with a business model centered on consuming it. For instance, if a company that provides weather data has made their API their product, other companies who want weather info will pay them a monthly fee for API access. In many other instances, given the expectation an application must interact with other applications, APIs are designed alongside or even before the code that delivers actual product functionality– not bolted on at the end of development. Companies devote time and effort to deliberately craft their API approach to consider how it can expose the right data, becoming foundational to revenue and business models. However, building perfect APIs is tough, because just like any piece of software, vulnerabilities will happen, leading to the security challenges we’ll discuss in this document. Suffice it to say, APIs are everywhere and will only gain momentum in the coming years–and they must be protected. For this reason, we’ll examine API attacks and aspects of defense-in-depth when thinking through organizational API security.