Credit: Mike Rickard
Many Starbucks customers got a jolt in May when cyberthieves were discovered stealing money from their credit cards and payment accounts by first tapping into their Starbucks mobile apps. The culprit was believed to be a hole in an application-programming interface (API), though perhaps not on Starbucks' site but on another app where overused passwords were stolen and reused, according to reports.
Greeting card website Moonpig and mobile app Snapchat have suffered similar fates at the hands of API, the set of requirements that govern how one application can talk to another and what data it can access.
In January, an unsecured API caused Moonpig to expose personal records and partial credit card details for some 3 million customers. Two exploits in Snapchat's API allowed hackers to mass-match phone numbers with names and to create millions of bogus accounts.
Why are APIs becoming the target of hackers? Because they're everywhere, says Randy Heffner, API security analyst at Forrester Research. Just about every company is building APIs to support their web or mobile application because it allows them to innovate faster and bring outside content in.
There are more than 13,700 publicly available APIs offered by firms today, according to programmableweb.com. Salesforce.com generates 50 percent of its revenue through APIs, Expedia.com generates 90 percent, and eBay attributes 60 percent of revenues to APIs.
"The broader attention to APIs gives hackers a new and more interesting playground to [pursue]," Heffner says.
Most APIs are available to anyone on the Internet because they run on web servers. Just like websites, APIs can be crawled by search engine bots and hackers.
API security is an area that deserves specific enterprise scrutiny, Heffner adds. "We don't want any submarine APIs -- running silent, running deep -- because if someday hacks your home site you see it pretty quickly. If somebody hacks an API you may not see it at all."
Why are security flaws popping up in APIs?
For starters, developers are not security pros, and speed to market affects any kind of testing and due diligence that coders can do around their code. "They spend a lot more time bringing value in the apps than on the security side," which can lead to security leaks, says Allyn Fay, technical marketing manager at identity and access management vendor Ping Identity.
There is also very little communication between API developers, which discourages security standards.
"In every company, each business unit has the mandate to publish APIs, and they don't talk to each other," says Subra Kumaraswamy, head of product security for API platform developer Apigee. "If I'm a business unit that's doing shipping, or a payment company doing payment APIs," we're not comparing notes, he adds.
Sign up for CIO Asia eNewsletters.