Is your web or mobile API putting your business at risk?
James Higginbotham
API Strategy and Practice (API First and Digital Transformation)
Do you have a web or mobile API? You might, whether you realize it or not. Web APIs are often used to connect a modern web application to the backend database using JavaScript frameworks such as Backbone, Angular, or Ember. Web APIs are also used by mobile applications to enable collaboration between devices, along with remote data access. So, chances are that your development team has built a web or mobile API - even if you didn't know they did.
(Not familiar with web or mobile APIs? No problem. Read our gentle introduction to APIs here)
What is an Accidental API?
Accidental APIs are ones that are built quickly to solve the technical problem, deployed into production, but do not consider the business needs or possible risks associated with a production API.
API products, however, are often governed, managed, and monitored as part of an digital strategy and are often treated as separate products with their own software development life cycle (SDLC). While some API products may be open for public developers to use, many are simply used internally or limited to partner integrations.
So, do you have an accidental API? If so, the next question you ask should be, "What are the risks of having an accidental API to the business and how can we avoid them?"
Let's look at five common risks encountered as a result of having an accidental API, and how to mitigate them:
Risk #1: Added Maintenance Costs
Accidental APIs are often developed in a hurry, many times with little or no time spent to ensure that they have been designed to last. As a result, accidental APIs aren't designed to deliver complete business value. Integrations with partners will likely result in multiple, one-off integrations rather than a single, reusable API.
How to mitigate this risk: Invest in a proper API design by applying practical design principles that will deliver high business value, reduce costs, and encourage reuse (increasing agility).
Risk #2: Uncontrolled Public Access
Did you know that private, hidden APIs aren't really hidden? Any developer can often reverse-engineer APIs used by web and mobile applications to understand how they work. Then they can simply use them for their own purpose, often unbeknownst to your business.
How to mitigate this risk: Implement an API authorization layer, such as OAuth 2, to restrict access to the API.
Risk #3: Inability to Monitor, Monetize, and Scale
Accidental APIs often lack management and monitoring capabilities, preventing any insight from who and how an API is used. API management provides access enforcement, rate limiting to prevent overwhelming servers, usage tracking, billing, and a developer portal for self-signup (immediate or moderated access).
How to mitigate this risk: Select and install API management middleware. Popular vendors today include: 3scale, Apigee, and Mashery.
Risk #4: Lack of Security
Until now, we have focused on risks that are related more to the business and daily operations. Now we enter the last two risks, where we see a more severe impact. These risks can not only affect business operations, they can also affect the longevity of the business and your customers. Accidental APIs can open up a variety of security-related issues, including insecure transmission of data and exposing holes in the company's PII/PCI compliance or other industry regulations.
How to mitigate this risk: Conduct a security audit of the API, implement the appropriate measures, and ensure SSL is implemented across all API communication channels. You may wish to also consider an API management layer (above) and perform data masking to protect sensitive data (below).
Risk #5: Malicious API Attacks and Compromised Data
The final risk is related to API attack vectors with the intent of compromising the system and its data. Accidental APIs tend to expose systems to Denial of Service (DoS) attacks, SQL injection attacks, XML attacks, and exposure of sensitive data.
How to mitigate this risk: Conduct an operations audit of the API environment, a code review to prevent various attack vectors, and a thorough review of all data sent and received by the API.
How To Move From An Accidental API to an API Product
APIs can be a powerful tool for web and mobile applications for your business. However, they need to be treated with the same review and implementation strategies that your other products require. We recommend performing an internal review, seeking outside assistance if necessary. Not only will this help you reduce your security risks, it will result in a reusable API product that will produce business value.