MY TAKE: How the lack of API security translates into ‘digital transformation’ security holes

By Byron V. Acohido

If you’re not familiar with how Facebook, Twitter and YouTube make it so easy for you and me to easily access cool content they’ve collected and stored behind their respective firewalls, then you might think “API” is a trendy type of beer.

In fact, API stands for Application Programming Interface, the indispensable technology that makes it possible for software applications to exchange data across the Internet.

Related: Cross-site scripting threat heats up

APIs have been a cornerstone of our digital economy from the start. Without them, social media and software-as-a-service, as we’ve come to know them, wouldn’t exist. And today APIs are empowering companies to speed up complex software development projects – as part of digital transformation.

In short, APIs have emerged and endured as the linchpin of social media, cloud services and mobile computing; and they will remain pivotal as the Internet of Things expands.

However, just like every other tech breakthrough that rose rapidly to ubiquitous use, APIs have a gaping downside: an intrinsic lack of security. I recently had a chance to discuss the vulnerable state of APIs with Tim Arvanites, co-founder and chief technology officer of AAPI, a security startup that helps companies lock down their APIs. For a drill down on our conversation, please listen to the accompanying podcast. Here are a few big picture takeaways:

Easy connections. Think of APIs as the software connectors that permit applications to interact. When you post to Facebook, send a text message or check tomorrow’s weather on your smartphone, APIs are at work. What’s more, APIs are driving digital transformation; companies have come to depend on APIs to reorganize how they do business.


APIs enable innovation at unprecedented speed and scale. It takes innumerable client-to-server interactions, firing off in real time, for digital commerce to operate the way it now does. However, the tradeoff to achieve this scale and speed was to toss API security to the curbside, early on.

“Developers tried to find the quickest, most efficient ways of getting something done, and security wasn’t something that was really thought of,” says Arvanites.

Rising concerns. APIs got deployed into wide use without any meaningful authentication or use of encryption. APIs very often are built and deployed using simple, browser-based parameters that can be trivial for anyone to access — and alter.

Company officials are now waking up to API exposures. Software tools supplier SmartBear recently surveyed 2,300 IT professionals and asked them about their highest API concerns. The top worry? Some 41 percent said they wanted to see API security solved in the near future, followed by 39 percent who said easier tool integration was their main concern.

Actual attacks. This risk isn’t just theoretical. Hackers have begun seeking out vulnerable APIs used by prominent companies. Just ask Panera Bread.

An attacker burrowed into Panera Bread’s online ordering API and siphoned off customers’ attributes, including phone numbers, email addresses, physical addresses and loyalty account numbers, according to investigative blogger Brian Krebs, of

“It was simply a matter of the API being open,” Arvanites says. “A bad actor got access to it, and found 60 million identities. It was all right there in front of him.”

Simple flaws. It’s easy to understand how even a major company might hire a contractor to create a fast, flexible website venue, and how that contractor might then make use of simple API parameters in designing an elegant web service that performs seamlessly. The tradeoff? Security.

“The simpler the API the more vulnerable it is,” Arvanites observes. “It’s mainly a usability thing where you try and make the service as easy as possible to use and don’t put any additional safeguards in place.”

Early phases. We’re in an early part of this cycle. Bad actors have barely scratched the surface of what’s available to them. Meanwhile, the API attack surface continues to swell exponentially, as a consequence of the deepening of digital transformation.

Mitigating API exposures won’t be easy, due to the intrinsically insecure nature of APIs. Arvanites advocates a platform approach; his company, AAPI, supplies systems that let companies consolidate the APIs they deploy to collect, as well as to share, data. This can help companies get in position to infuse security measures, such as authentication and encryption, in the right measure.
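The two patterns the article contrasts are an endpoint that trusts a browser-supplied parameter (the “simple API parameters” of the Simple flaws section, and the “open” API in the Panera Bread account) and one that authenticates the caller and scopes the lookup to that identity. The following is an added example, written for this page and not code from AAPI, Panera Bread or the author; the customer records, session store, request shape and log lines are all constructed, and the loyalty numbers are placeholders. It shows the weak handler beside its hardened form and a small detection routine that flags the enumeration pattern a defender would want to spot in access logs.

```python
"""Weak vs. hardened API lookup, plus enumeration detection (constructed example)."""
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample data: placeholder loyalty numbers, not real customers.
CUSTOMERS = {
    "1000001": {"name": "A. Sample", "email": "a@example.test", "phone": "555-0100"},
    "1000002": {"name": "B. Sample", "email": "b@example.test", "phone": "555-0101"},
}

# Constructed session store: sha256(token) -> loyalty number of the logged-in user.
# Storing digests rather than raw tokens means a leaked store yields nothing usable.
SESSIONS: dict = {}


def issue_token(loyalty_number: str) -> str:
    """Mint an opaque bearer token for a user who has already logged in (assumed)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = loyalty_number
    return token


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: query parameters and headers."""
    params: dict
    headers: dict


def weak_lookup(req: Request):
    """Weak: the record returned is chosen entirely by a caller-supplied parameter.

    No authentication, so any client can walk the loyalty-number space and
    collect every record; this is the 'open API' failure mode."""
    record = CUSTOMERS.get(req.params.get("loyalty_number"))
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def hardened_lookup(req: Request):
    """Hardened: authenticate first, then bind the lookup to the authenticated identity."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    token = auth[len("Bearer "):]
    owner = SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())
    if owner is None:
        return 401, {"error": "invalid token"}
    # A caller may still pass loyalty_number, but it must match who they are;
    # a mismatch is a 403 and worth logging as an access-control probe.
    requested = req.params.get("loyalty_number", owner)
    if requested != owner:
        return 403, {"error": "forbidden"}
    return 200, CUSTOMERS[owner]


def flag_enumeration(access_log, threshold: int = 5):
    """Return client identifiers that requested more than `threshold` distinct
    loyalty numbers. Input is an iterable of (client_id, loyalty_number) pairs
    as a defender would derive them from access logs; one account requesting
    many different records is the scraping signature, regardless of status code."""
    seen: dict = {}
    for client, loyalty_number in access_log:
        seen.setdefault(client, set()).add(loyalty_number)
    return sorted(c for c, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    # Constructed walkthrough: anonymous caller, then a logged-in caller.
    print(weak_lookup(Request({"loyalty_number": "1000002"}, {})))
    print(hardened_lookup(Request({"loyalty_number": "1000002"}, {})))
    tok = issue_token("1000001")
    print(hardened_lookup(Request({}, {"Authorization": "Bearer " + tok})))
    print(hardened_lookup(Request({"loyalty_number": "1000002"},
                                  {"Authorization": "Bearer " + tok})))
    # Constructed access log: client "c1" sweeps ids, "c2" reads its own record.
    log = [("c1", str(1000000 + i)) for i in range(8)] + [("c2", "1000002")] * 3
    print(flag_enumeration(log))
```

The point of `hardened_lookup` is that the identity comes from the credential, not from the URL; the `loyalty_number` parameter becomes at most a consistency check. Placing this check in the handler itself (rather than in a distant gateway) is what the latency remark below is about: the authentication work happens once per request, right at the API, with a single hash and dictionary lookup. `flag_enumeration` is deliberately status-code agnostic, because the weak endpoint returns 200 for every successful scrape and leaves no error trail.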

“Security can add latency and slow APIs down,” he says. “To minimize latency, security has to be put as close to the API as possible, while keeping them moving as fast as possible.”
