Security: Testing the Security of Your APIs Before Hackers Do
APIs have made software easier to maintain and test by breaking functionality down into small components. APIs have become popular, and developers now expect them to be available.
Marco Palladino, CTO at Kong, said that “APIs enable companies to more easily build products and services that would otherwise take too long to build. Developers can use these APIs to more easily access business-critical information and focus on other priorities instead.”
But the popularity of APIs has also made them an attractive target for hackers. Corey Ball, Cybersecurity Manager at Moss Adams, said that “you can design an API you think is ultra-secure, but if you don’t test it, then a cybercriminal somewhere is going to do it for you.”
David Stewart, CEO of Approov, said that “leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm. Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations.”
Zane Lackey, Global Head of Security Product Strategy at Fastly, said that “APIs have gone from this kind of side area of importance to the most critical part of their business. This really puts tremendous strain on anyone responsible for security inside a financial services institution, whether that’s the security team, or the teams leading the charge into digital transformation, or the cloud or containers that are also responsible for security of these apps and APIs.”
Businesses have a responsibility to make sure that the APIs that they provide are secure. Sandy Carielli, a principal analyst at Forrester, said that “if you are making APIs available, you have to secure them. You can’t depend on customers, external partners or other people making the API call.”