An Application Programming Interface (API) provides a way for programmers and developers to let systems exchange data with one another. For instance, all of your company's important employee data may be held in Active Directory (AD), but it also needs to exist in the firm's customer relationship management (CRM) system. Instead of performing tedious manual data entry for every employee move, add or change, developers could leverage the APIs of the CRM system to keep AD and the CRM system in sync.
As valuable as APIs are to customers, the business and programmers, they also pose a fairly high risk. All sorts of potentially sensitive information could be exposed through a vulnerable API: client data, financial data, intellectual property and so on. APIs are available in almost all enterprise software platforms and cloud-based Software as a Service (SaaS) systems, so it is extremely important that you understand how to protect them so they cannot be leveraged for nefarious purposes.
In fact, Thorsten George, writing for SecurityWeek, reports that security experts consider APIs the next big cyber-attack vector. As an example, George points to the Panera Bread breach, where the company left an unauthenticated API endpoint exposed on its website. So, what might you do to secure your APIs?
- Approach API security the same way you would your overall security program: base it on an industry-standard framework.
- Begin every project with security in mind; authentication, authorization and input validation for each endpoint are design decisions, not afterthoughts.
- Monitor and log API traffic, and run vulnerability scans against your APIs.
- Implement technology-based engineering controls such as API gateways.
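The Panera Bread incident mentioned above comes down to an endpoint that answered any request without checking who was asking. The following added example, which is not part of the original article or of any vendor's code, models that failure and its fix in Python using only the standard library: the unauthenticated lookup sits beside a hardened version that requires a bearer token, checks that the token's subject is allowed to see the requested record (object-level authorization), records every allow/deny decision for monitoring, and returns only the fields the caller needs. The HMAC token scheme, the SECRET value, the customer records and the Request class are all constructed for illustration and stand in for whatever framework and identity provider you actually use.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample data for the example; not a real customer database.
CUSTOMERS = {
    "1001": {"name": "A. Example", "email": "a@example.com", "card_last4": "4242"},
    "1002": {"name": "B. Example", "email": "b@example.com", "card_last4": "1111"},
}


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (assumption)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)


# ---- Vulnerable: anyone who can reach the URL can enumerate every customer ----
def lookup_customer_unauthenticated(req):
    cust_id = req.path.rsplit("/", 1)[-1]
    rec = CUSTOMERS.get(cust_id)
    if rec is None:
        return 404, {"error": "not found"}
    return 200, rec  # no identity check and the raw record is returned


# ---- Hardened: authenticate, authorize per object, log, minimize the response ----
# Assumption: in production this comes from a secret store, never from source code.
SECRET = b"example-server-side-secret"


def issue_token(subject, ttl=300, now=None):
    """Return 'subject:expiry:hmac'. Subject is a customer id, so it contains no ':'."""
    exp = int(now if now is not None else time.time()) + ttl
    body = f"{subject}:{exp}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"


def verify_token(token, now=None):
    """Return the token's subject if the MAC is valid and it has not expired, else None."""
    try:
        subject, exp, mac = token.split(":")
    except ValueError:
        return None
    body = f"{subject}:{exp}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    # exp is trusted only after the MAC check, so int() cannot be fed attacker data
    if int(exp) < (now if now is not None else time.time()):
        return None
    return subject


# Every decision is recorded; in production these would be structured log
# events shipped to your SIEM rather than an in-memory list.
AUDIT = []


def lookup_customer_hardened(req, now=None):
    cust_id = req.path.rsplit("/", 1)[-1]
    auth = req.headers.get("Authorization", "")
    subject = verify_token(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if subject is None:
        AUDIT.append(("deny", "unauthenticated", cust_id))
        return 401, {"error": "authentication required"}
    if subject != cust_id:  # object-level authorization: a customer sees only their own record
        AUDIT.append(("deny", subject, cust_id))
        return 403, {"error": "forbidden"}
    AUDIT.append(("allow", subject, cust_id))
    rec = CUSTOMERS.get(cust_id)
    if rec is None:
        return 404, {"error": "not found"}
    # Return only what the caller needs; never echo the whole stored record.
    return 200, {"name": rec["name"], "email": rec["email"]}
```

Run against the constructed data, the unauthenticated handler hands out any record on request, while the hardened one answers 401 with no token, 403 with a valid token for a different customer, 401 again once the token expires or its MAC is tampered with, and 200 with a minimized record only for the token's own subject. Scanning for endpoints that behave like the first handler, and reviewing the audit trail for bursts of denies against sequential ids, is the practical content of the "monitor, log and scan" bullet above.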