Businesses, of late, are data driven. Application Programming Interfaces (APIs) are developed to connect the frontend of an application to its backend. Such APIs are susceptible to unauthorised access if they do not properly authenticate and authorise the user. Businesses also open their APIs to other service providers.
Uber and Ola are cab aggregators, and they use the Google Maps API. When an online payment is made by UPI, a payment gateway such as RazorPay queries an API (asking for access). When signing in to a website with a Facebook or other social media account, the social media platform's API handles the authentication. Data transfer happening so seamlessly makes life easier.
API security is important because APIs and IoT devices generate app-to-app traffic, and app-to-app traffic now exceeds app-to-human traffic. APIs that are vulnerable and get hacked can expose financial, medical and personal data to the public. Because an API is a mini web application, the security measures applied to a full-fledged web application are often not applied to it. In a web application, a change to the user interface (UI) is visible, so it is tested promptly. An API is not visible to end users, and so it is released hurriedly, without security testing.
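The gap described above is the difference between checking who the caller is and checking what that caller may see. The following is an added example, not code from the article: a minimal request handler, with constructed sample tokens and records (the `TOKENS` and `INVOICES` tables and the `tok-alice`/`tok-bob` values are assumptions for illustration), that shows an endpoint which only authenticates beside one that also authorises the caller for the specific record requested.

```python
"""
Added example (not from the article): an API endpoint that only
authenticates the caller, beside one that also authorises the caller
for the record being requested. All tokens, users and invoices below
are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: bearer token -> account that owns it.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed sample records: invoice id -> (owner, amount in rupees).
INVOICES = {
    101: ("alice", 1200),
    102: ("bob", 850),
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(headers: dict) -> Optional[str]:
    """Return the user name behind a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_invoice_insecure(headers: dict, invoice_id: int) -> Response:
    """Authenticates the caller but never checks who owns the invoice.
    Any logged-in user can read any invoice by guessing its id: this is
    the unauthorised access the article warns about."""
    user = authenticate(headers)
    if user is None:
        return Response(401)
    record = INVOICES.get(invoice_id)
    if record is None:
        return Response(404)
    owner, amount = record
    return Response(200, {"id": invoice_id, "owner": owner, "amount": amount})


def get_invoice_secure(headers: dict, invoice_id: int) -> Response:
    """Authenticates the caller and then authorises: the invoice must belong
    to the authenticated user. A 404 is returned instead of 403 so the API
    does not confirm that another user's invoice id exists."""
    user = authenticate(headers)
    if user is None:
        return Response(401)
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != user:
        return Response(404)
    owner, amount = record
    return Response(200, {"id": invoice_id, "owner": owner, "amount": amount})


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    print(get_invoice_insecure(bob, 101))  # Bob reads Alice's invoice
    print(get_invoice_secure(bob, 101))    # 404: denied
```

The authorisation decision is made against the authenticated identity, never against anything the caller supplies in the request; a user id or owner field sent by the client must not be trusted for this check.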
Organisations want their platforms to add APIs swiftly to enhance functionality, so API adoption is quick, and every connected app widens the footprint. Such practices invite API breaches. There should be continuous assessment of API security.
APIs are a universal attack vector, and they also enlarge the attack surface across all vectors.
Organisations are not aware of how many APIs they have, what those APIs do, or where they are located. Managing them is complex, especially as these many APIs keep changing and evolving.