The online world is as vast as it is complex, but when you boil it down, bots use three primary channels to infiltrate it: APIs, mobile apps and websites.
These channels are highly interconnected — with APIs playing a central role and creating major risks when it comes to bot management.
APIs are software intermediaries that make it possible for systems to communicate with each other. Use of web APIs has grown exponentially since 2005. In fact, it’s safe to say that APIs are — and will continue to be — everywhere. They are critical enablers of countless systems and services. APIs power organizations’ back-end systems, mobile apps and increasingly even websites — and will become even more critical as the IoT continues to connect everything from toasters to cars.
API growth has been significant to date, and several industry trends will further fuel use of APIs:
- IoT: The industry is poised for an IoT explosion through 5G. IoT and industrial IoT solutions will connect to clouds directly. Cloud APIs supporting telemetry registration (sensors) and rich functionality (example: If This Then That (IFTTT), Alexa and Google Assistant) will be exposed directly.
- Mobile apps: IoT and 5G networking will also fuel the growth in mobile applications and their reliance on APIs.
- Cloud migrations: As these migrations continue accelerating, multicloud environments are a fact of life. Applications can mix and match best-in-class services from Amazon Web Services (AWS), Azure and Google Cloud. All these interconnecting cloud applications require APIs.
- API economy: As organizations create APIs to power their businesses, they sometimes decide to make the API available for sale and use by other enterprises. This practice is fueling a fast-growing “API economy” alongside the trends in IoT, 5G and the cloud.
The Trouble with APIs
The trouble is, APIs can be highly vulnerable, making them frequent attack targets. And because APIs are powered by machine-to-machine communication, it can be far more difficult to determine if an API call is originating from a good source for a helpful purpose — or from a bad actor with ill intentions for your business and your customers.
That’s because APIs are built for machines to talk to, so the barrier for a bot to interact with an API is lower than for a website. Bots don’t have to mimic users or scrape and decode PDFs or HTML tables; they can simply “speak” the API’s own machine language and obtain all the information they need.
Mobile apps, websites and even desktop applications regularly rely on third-party data or functionalities that they consume through web APIs. Web APIs provide applications with otherwise inaccessible resources, such as access to global social networks (examples: web APIs provided by Twitter, Facebook or LinkedIn), advanced machine learning capabilities (examples: web APIs provided by IBM Watson or Google Cloud’s AI) or complex transaction processing (examples: web APIs by Stripe or PayPal for payment processing or the Flight Booking API).
Although most companies are well-versed as to where their web applications reside, they may have little to no visibility into the full complement of APIs on which their businesses depend.
In other words, application developers now rely heavily on third parties — entities beyond their sphere of control — for core functionality of their applications. User experience and, by extension, application reputation are directly affected by the actions and inaction of the API provider(s). Service-level agreements (SLAs) might come into play for commercial API offerings, but by and large, developers are no longer in control of their apps. And APIs make it much more difficult to distinguish good bots from bad bots.
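A defender-side sketch of both points above, added here as an example that is not from the original article: it builds an inventory of the API endpoints actually seen in gateway logs (the visibility gap) and flags clients whose machine-to-machine traffic looks automated rather than like a user-driven app. The log line format, client names, paths and thresholds are constructed assumptions, not a real product's format.

```python
import re
from collections import Counter, defaultdict
# Constructed API gateway access log (hypothetical line format, not from any real product):
# <ISO timestamp> <client id> <method> <path> <status> <user agent or "-">
LOG_LINES = [
    "2024-05-01T10:00:00Z c-app1 GET /v1/orders/1001 200 ShopApp/3.2",
    "2024-05-01T10:00:07Z c-app1 GET /v1/orders/1001/items 200 ShopApp/3.2",
    "2024-05-01T10:00:31Z c-app1 POST /v1/cart 201 ShopApp/3.2",
    "2024-05-01T10:02:00Z c-partner GET /v1/products 200 PartnerSync/1.0",
    "2024-05-01T10:02:30Z c-partner GET /v1/products 200 PartnerSync/1.0",
] + [  # constructed: one client walking user ids once a second with no user agent
    f"2024-05-01T10:05:{i:02d}Z c-scrape GET /v1/users/{1000 + i} 200 -" for i in range(40)
]
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3}) (.*)$")

def parse(line):
    """One log line -> record; numeric path segments become {id} so that
    /v1/users/1001 and /v1/users/1002 are the same endpoint, not two."""
    ts, client, method, path, status, ua = LINE_RE.match(line).groups()
    template = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return {"minute": ts[:16], "client": client, "ua": ua, "status": int(status),
            "endpoint": method + " " + template,
            "ids": [int(s) for s in path.split("/") if s.isdigit()]}

def endpoint_inventory(records):
    """Every method + templated path actually observed: the surface that needs defending."""
    return sorted({r["endpoint"] for r in records})

def is_enumeration(ids, min_run):
    """True when the distinct ids form one unbroken ascending range of at least min_run."""
    s = sorted(ids)
    return len(s) >= min_run and s[-1] - s[0] == len(s) - 1

def flag_clients(records, max_per_minute=30, min_run=10):
    """{client: [flags]}: per-minute burst, consecutive-id enumeration on one endpoint, no user agent."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    flags = {}
    for client, recs in by_client.items():
        ids_by_ep = defaultdict(set)
        for r in recs:
            ids_by_ep[r["endpoint"]].update(r["ids"])
        found = []
        if max(Counter(r["minute"] for r in recs).values()) > max_per_minute:
            found.append("high_rate")
        if any(is_enumeration(s, min_run) for s in ids_by_ep.values()):
            found.append("id_enumeration")
        if any(r["ua"] == "-" for r in recs):
            found.append("missing_user_agent")
        flags[client] = found
    return flags
```

Each indicator alone is weak (a legitimate partner sync can be bursty, a sanctioned integration may send no user agent), so the output is a triage list for the API owner, not a block decision.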
APIs Under Siege
Scammers exploit API vulnerabilities to steal sensitive data, including user information and business-critical content. Modern application architecture trends — such as mobile devices, use of cloud systems and microservice design patterns — complicate API security because they introduce multiple gateways to facilitate interoperability among diverse web applications.
What’s more, extensive deployment of internal APIs, combined with mobile access and increased dependence on cloud-based APIs, means that web application security defense systems that defend only the external perimeter are ineffective. Also, as businesses continually add and consume new APIs, API security cannot be a one-time exercise.