How Does The External Availability of APIs Impact Their Security?

This is the first part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- the introduction -- Berlind discusses how APIs are critical to the Internet but frequently targeted for attack.

ProgrammableWeb does not currently offer an internal or external API (though we have an external one planned). So, I cannot comment on how the external availability of ProgrammableWeb's API impacts its security. However, in the context of this hearing, ProgrammableWeb has much to offer as it has a great deal of experience when it comes to its 10+ years of observing both internal and external APIs. As such, the remainder of this testimony will, among other things, address how ProgrammableWeb views the differences between internal and external APIs and if or how their security is impacted by their range of availability.

ProgrammableWeb is largely regarded as “The Journal of the API economy” by two primary constituencies: (1) application developers who rely on APIs in the course of programming their applications and (2) API providers -- that is, organizations and individuals that publish APIs (in the case of the former, both internally and externally) for usage by developers.

These two constituencies come to ProgrammableWeb for two reasons. The first of these reasons is for our directory of external APIs. ProgrammableWeb maintains the largest independently-run directory of such APIs. APIs are classified according to a variety of criteria including their category (i.e., Travel, Healthcare, Finance, etc.) and for each API we have listed in our directory, ProgrammableWeb maintains a variety of metadata that developers use to compare one API to the next. This metadata includes information about everything from supported protocols and API architectural styles to supported forms of authentication and links to documentation. Over 60% of ProgrammableWeb’s traffic comes from Internet users -- mainly developers -- who are researching which APIs to use in their next application. Connected to this directory, ProgrammableWeb offers an alert service. Users can elect to be alerted whenever any of this metadata for their favorite APIs changes.

It is important to note that when we make a record of an API in our directory, we do not offer anything beyond the metadata about that API. In other words, that API cannot be “called” by a developer through ProgrammableWeb, nor does ProgrammableWeb host any of an API’s associated assets (i.e., documentation). ProgrammableWeb does, however, provide links that users can click in order to gain direct access to those assets.

In addition to reading our news stories, published daily, about the goings-on of the API economy, the second reason these two constituencies come to ProgrammableWeb is for its prescriptive content. ProgrammableWeb regularly publishes everything from expert commentary to step-by-step tutorials on working with APIs; articles that span the gamut from primers on how to consume popular APIs from companies like Twitter and Apple to how to manage and market APIs if you’re someone who has started your journey as an API provider, or is contemplating doing so.

The majority of our prescriptive content is derived from real-world API implementations and is often written by real-world practitioners. ProgrammableWeb’s constant contact with the communities it serves and the real-world articles it publishes puts its staff in a unique position to comment on matters of this hearing’s nature from a very pragmatic point of view, one that is informed by the broader industry’s actual successes and failures.

In the next part -- Part 2 -- of ProgrammableWeb’s series on Understanding the Realities of API Security, ProgrammableWeb editor-in-chief David Berlind answers the following question posed by the ONC: Do You Publish API Docs Online For Availability To Third Party Developers?
