The term “API economy” has become part of the business vernacular because APIs have proven to be a great way for businesses to increase their value by making their core functionality available to more people. I’ve worked extensively with APIs in my career and I’ve been amazed at how the API economy has developed. I am also a beneficiary of this new API economy – from getting the best deal on Amazon to booking all my travel through my company’s travel portal to getting a dinner reservation through Yelp.
APIs are key to the digital transformation strategies for enterprises. APIs transform businesses into platforms that “facilitate the creation and/or exchange of goods, services, and social currency so that all participants are able to capture value,” to quote Kristin R. Moyer, vice president and distinguished analyst at Gartner.
Securing APIs is as important as securing your web applications, if not more so, for two reasons:
- APIs expose your core transactional system to the outside world in an unprecedented way. Many of these core transactional systems were never meant to be made available publicly. So it’s very important that we test APIs for security; in fact, we should probably worry even more about API security than we do about web application security.
- Once you have an API out there, it can embed your business into other people’s business in a way that was never possible before. If your API is insecure, it means that your insecurity has now percolated into your partner businesses’ overall security posture. Hence, when you start writing your API, you’d better be thinking about its security. I’d encourage the reader to visit https://developer.uber.com/ and see how Uber (via its API) is now integrated into United, Amazon, Foursquare, TripAdvisor, moovit, and many more businesses.
You may think that you have an API management tool and that solves the API security problem. Having an API management tool or a service is merely a first step to API security. This, however, is not the only step. API management tools provide security policies that work at the perimeter but they do not play a role in securing the business logic that is serving the APIs up. You need Application Security Testing tools to help you write APIs that are secure inside-out.
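To make the perimeter-versus-business-logic distinction concrete, here is an added example (not code from the original post): a token check of the kind an API management layer can enforce at the edge, next to an object-level ownership check that only the code serving the API can make. The user store, tokens and order records are constructed sample data, and all function names are assumptions for illustration.

```python
"""Added example, not from the original post: a perimeter check that an
API gateway can enforce versus an object-level authorization check that
only the business logic behind the API can enforce. Data is constructed."""
import hmac

# Constructed sample data standing in for a real token store and order table.
API_TOKENS = {"token-alice": "alice", "token-bob": "bob"}   # token -> user id
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 17.50},
}


def authenticate(token):
    """Perimeter check of the kind an API management tool performs:
    is this a valid API token at all? Returns the user id or None."""
    for known, user in API_TOKENS.items():
        if hmac.compare_digest(known, token):
            return user
    return None


def get_order_insecure(token, order_id):
    """Passes the perimeter check, then serves any order by id.
    The gateway sees a valid token and lets the request through; it has no
    way to know that the caller does not own the requested order."""
    user = authenticate(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_secure(token, order_id):
    """Same endpoint with the object-level ownership check that has to live
    in the business logic: the record is returned only to its owner."""
    user = authenticate(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Answer 404 for both missing and foreign orders so the API does
        # not reveal which order ids exist.
        return 404, None
    return 200, order


if __name__ == "__main__":
    # Bob's token is valid, so the gateway-style check passes in both cases;
    # only the secure handler refuses to hand Bob Alice's order.
    print(get_order_insecure("token-bob", 1001))
    print(get_order_secure("token-bob", 1001))
```

The point of the pair is that both handlers look identical to a perimeter policy: the token is valid, the rate limit is respected, the path is allowed. The flaw and its fix are entirely inside the handler, which is exactly the code that application security testing is meant to exercise.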