August 7, 2018

The Security Risks of Open APIs

APIs, or Application Programming Interfaces, are becoming increasingly popular as companies and organizations adopt the web as their primary technology network to connect their developers and customers. API Academy defines APIs as “a way to connect computer software components…APIs make it possible for organizations to open their backend data and functionality for reuse in new application services.” APIs make it possible for many developers to access a certain amount of a company's code to further develop their product and make it available to more consumers. This product is essentially an application. “Commercial sites make some parts of their code available to developers so that they can build tools for the site,” says The Guardian. “The code they expose is called the API and the stuff they build, the tools and widgets, are called applications.” The applications we use on a daily basis are built from APIs. According to ProgrammableWeb, there are over 12,000 APIs offered by firms today. Harvard Business Review reports that Salesforce generates 50% of its revenue through APIs, Expedia generates 90%, and eBay generates 60%. There are a variety of APIs that companies can adopt, specifically open APIs, private APIs, and partner APIs.

APIs benefit companies in a variety of ways including allowing outside developers to build off of the code to create new integrated applications. For example, “Google did not consider Google Maps to be a core asset until a third-party application allowed Google Maps to show real estate locations on a map, causing its popularity to skyrocket,” says Harvard Business Review. APIs also put speed and efficiency at the forefront. “APIs are enabling businesses to enter new markets, speed up product development and make better use of data,” says Mark Boyd of ProgrammableWeb. However, there is a distinct difference between public or open APIs and private APIs. That difference is security.

Private and Open APIs

Private APIs only allow the backend data, code, and application functionality to be accessed or used by the developers working for that company or organization. APIs usually begin as private and later make the move to partner or open APIs. Essentially, the application is available to the public, but the code is not. “Private APIs can significantly reduce the development time and resources needed to integrate internal IT systems, build new systems that maximize productivity and create customer-facing apps that extend market reach and add value to existing offerings,” states API Academy. The main advantages of private APIs are reduced costs, increased flexibility, and improved internal operations. Private API apps are usually flexible and intuitive. Updates for apps built on private APIs are easy and seamless because third-party IT teams are not involved or needed. Private APIs are also more secure because they are not open to third-party developers or to people not permitted to access the applications. The distinct difference between private APIs and open APIs is the security risk involved for companies.

The fundamental difference between private and open APIs is that, with an open API, the code or data is designed to be easily accessed by the public for use by web and mobile developers. “This means an open API may be used both by developers inside the organization that published the API or by any developers outside that organization who wish to register for access to the interface,” adds API Academy. Ultimately, open APIs allow companies to publicly expose information and functionality to third parties that are not associated with the company or organization. This creates increased reach, more traffic, and opportunity for developers to promote their work and build on a successful company’s code. Although open APIs can create a greater community of developers, users, and associated applications, open APIs sometimes suffer from poor user experience and deficient updates. According to API Academy, “With many third-party client apps active in the field, it can be very challenging to ensure that interface updates do not break application functionality.” API Academy also goes on to say that apps built on open APIs may not offer a positive user experience or ensure that those apps will maintain a certain standard for corporate branding. However, the most notable downside to the infrastructure of open APIs is the security risk.


Security Risks of Open APIs

Cybersecurity threats are at the forefront of social, political, and corporate discussions every day, and for good reason. We are also becoming more aware of how our data is gathered, stored, and shared with other applications, companies, and individuals. Unfortunately, open APIs are one channel through which our data is breached and shared with third parties. API Academy says, “Not only does publishing an open API theoretically mean that any developer can access exposed backend systems, it also risks bringing the existence of the exposure to the attention of hackers who might never have noticed a private API.” In the past, applications were quite simple and secure. However, with the emergence of the internet of things (IoT), open APIs can be found in everything from mobile devices to smart TVs and gaming consoles. Today, hackers do not have to test applications for vulnerabilities. Because the code is essentially public, hackers can just integrate a virus or malware directly into the code of an open API.

The security risks of open APIs are not limited to hackers and malware. Open data and code can lead to data sharing among applications. The amount of personal information collected through open APIs can undoubtedly be shared with third parties. This is evident in Facebook’s recent vow to better secure personal information and in Panera Bread’s recent API breach. CSO reports that Mike Cook, a governance, risk and compliance specialist, says, “APIs come in and can read all your data or they read the data from another application that you have.” He goes on to say that security features for open APIs, such as API gateways, should provide users with the utmost protection. “Can you make sure that that API, that other party, the information going out there is just the information they need and that they’re allowed to have? Or that…the company on the other end of API is really that company?” These are all serious questions, especially when sensitive documents and data pertaining to corporate governance are concerned.
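To make the two gateway questions above concrete, here is an added example (not code from this post or from any vendor it cites) of the minimal checks an API gateway performs before a record leaves the backend: resolve who the caller really is, confirm the scope it was granted, and return only the fields that caller is permitted to receive. The client registry, API keys and order record are all constructed placeholders.

```python
import hmac

# Constructed client registry. A real gateway reads this from its API
# management platform; the keys below are placeholders, not real secrets.
CLIENTS = {
    "partner-demo": {
        "api_key": "demo-key-partner-0001",
        "scopes": {"orders:read"},
        "fields": {"order_id", "status", "total"},
    },
    "internal-billing": {
        "api_key": "demo-key-internal-0002",
        "scopes": {"orders:read", "orders:write"},
        "fields": {"order_id", "status", "total", "customer_email", "card_last4"},
    },
}

# Constructed backend record that holds more than any partner should see.
BACKEND_ORDER = {
    "order_id": "A-1001",
    "status": "shipped",
    "total": 42.50,
    "customer_email": "alice@example.com",
    "card_last4": "4242",
    "internal_notes": "VIP customer",
}


def authenticate(client_id, presented_key):
    """Answer 'is the other party really that company?': look up the client
    and compare keys in constant time so timing does not leak key prefixes."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if not hmac.compare_digest(client["api_key"].encode(), presented_key.encode()):
        return None
    return client


def gateway_request(client_id, presented_key, scope, record):
    """Return (http_status, body). 401 for unknown or invalid credentials,
    403 for a scope the client was never granted; otherwise the record is
    projected onto the caller's allowed fields so only needed data goes out."""
    client = authenticate(client_id, presented_key)
    if client is None:
        return 401, {"error": "unauthenticated"}
    if scope not in client["scopes"]:
        return 403, {"error": "scope not granted"}
    return 200, {k: v for k, v in record.items() if k in client["fields"]}
```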

When searching for a product to house and secure sensitive documents, it is imperative that companies and users are informed about the inherent risks of open APIs. APIs are a key integration for the growth and development of an organization. It is essential that all developers and users are aware of the security risks and the actions required to protect and defend their personal privacy, data, and documents.

Tag(s): Cybersecurity
