APIs are Critical to the Internet but Frequently Targeted for Attack

This is the introduction to ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. This introduction is taken from the overview of Berlind’s written testimony. The complete audio along with downloads of each of the panelist’s oral testimonies from the Task Force’s virtual hearing is available from the HealthIT.Gov website.

First, I would like to thank the Task Force and the ONC for the honor and privilege of being asked to testify on a matter that is not only of critical importance to the healthcare industry and America’s citizenry, but one that is of critical importance to the Internet and all of the people that depend on it.

My answers to the list of questions come from the point of view of an independent observer of the API industry. They do not reflect the interests of any particular party and as you will see, are almost entirely informed by my two-years of research and reporting on real world API security exploits. I believe that this is an important, if not the most important point of view as it bypasses the theoretical and speaks directly to the state of the ever-evolving state of API security and the very real challenges that every organization -- in and outside of the healthcare industry -- will face in the coming years.

APIs are rapidly becoming one of the most important infrastructural layers of the Internet while at the same time becoming a critical component of modern day attacks. They are difficult to secure and determined hackers are extremely tenacious in finding ways to exploit them. Despite what some people --- even experts --- would lead you to believe, there are no silver bullets. That said, when proactively managed and secured, the efficacy of APIs greatly outweighs the risks associated with deploying them.

What follows is my written testimony. It expands, as best I could given the compressed time I had to develop it, on the five minutes of verbal testimony that I will give on January 26th. It is possible that I will make light copy edits to this document between now and the hearing.

Finally, I invite further inquiry by the ONC and the task force. This document barely scratches the surface of a topic that’s of grave importance and what I’ve learned through my research.

In the next part -- Part 1 -- of ProgrammableWeb’s series on Understanding the Realities of API Security, ProgrammableWeb editor in chief David Berlind answers the following question posed by the ONC:  How Does The External Availability of APIs Impact Their Security?

Be sure to read the next Security article: Square API Leaves Apps Vulnerable to XSS Attacks