An API, or application programming interface, is a set of tools and protocols that allow software applications to interact with each other. APIs enable software developers to access the functionality of another application without having to understand the underlying code. This makes it possible to create new applications that build on the functionality of existing ones. For example, the Google Maps API allows developers to add mapping capabilities to their own websites and apps. The Twitter API enables developers to integrate Twitter content into their own applications. And the Amazon API allows third-party sellers to list their products on Amazon.com. By providing APIs, these companies make it possible for others to extend and enhance their services in ways that they may never have thought of themselves. It is imperative to make sure API security has been considered when implementing these tools.
A security firm Mercator worked with on a project scanned a company’s sites for API vulnerabilities. The scan discovered several API portals, and IT was unaware these portals existed. One of them put critical data at risk, and threatened API security. According to the security company, this is not an uncommon experience.
This article indicates that many APIs are unmonitored and ungoverned, which is impossible for me to comprehend. I get that a mistake might be made, but leaving any internet port wide open is an act of insanity:
“The transformation has been staggering in many regards. Connecting core business systems to external systems has exposed what had been typically tightly guarded within company networks through access, segmentation and layers of security protection. Now, business logic and processes are both visible and available for interaction. Through the conduit of business APIs, data can be scraped or exfiltrated, orders can be placed or changed, discounts applied, shipping destinations altered, funds transferred, payments sent, purchases made and a myriad of other operations arranged or changed. Since every business is unique, the possibility for abuse is only limited by the information transferred on the API.
Of course, the implications are not lost on the more sophisticated cybercriminals. Attackers have demonstrated the tendency to seek the greatest reward for the least effort. Data breaches still have value, but engaging directly in the theft of more valuable assets, including money, has much greater attractiveness.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group