API Security: A Closer Look

Recently, we published a blog article discussing the growth of the “API Economy”: a term coined to describe the proliferation of API-based tools being incorporated into many software products and applications. In this article, we discuss one of the side effects of this growth: the need for more data security as API use expands.

Application programming interfaces, or APIs for short, have transformed the way we create and use software by linking your application to other people’s code and data. Our APIs, for example, can be integrated into your code, CRM or e-commerce platforms to do things like validate your contact data against most of the world’s addresses, provide sales tax data down to specific address levels, verify and correct lead information, to name a few – right in your app.

APIs have truly opened up the world for applications such as retail, sales and marketing automation and much more. However, APIs have the potential to introduce security risks, particularly if they represent a pipeline to your data assets. A recent example of an API breach involved Australia’s largest property valuation firm exposing the loan details for over 100,000 customers.

The security risks of APIs are generally well understood by the developer community and our internal team pays close attention to changes and developments in this space. Below are some of the main thoughts on API security and risk management.

Security and APIs – What the experts say:

In 2016 David Berlind, the editor-in-chief of ProgrammableWeb, a portal site and directory for API developers, gave testimony to a government healthcare IT task force on current issues in API security. Here are some of the key points he raised:

Security starts with access to APIs. One of the largest concerns with APIs nowadays involves who gets the keys to the candy store – particularly if an API facilitates access to sensitive data. Berlind describes this in terms of APIs targeted at “LSUDs” (large sets of unknown developers) versus “SSKDs” (small sets of known developers). Increasingly, many firms are restricting access to their APIs and documentation to known and verified partners.

Security standards are still a work in progress. While specific API providers maintain their own security standards – for example, PayPal requires API users who store credit card data to follow PCI compliance rules – Berlind also notes that even major players such as Google, Apple and Facebook have all fallen prey to API breaches, and security standards are continually evolving.

Contractual protections matter. While this won’t stop bad actors, putting language in an API’s terms of service (TOS) can be an important tool for enforcing the proper use of APIs among customers.

Third party certification is needed. Given that API security continues to evolve, in what Berlind calls a “cat and mouse” game between hackers and developers, he feels that there will ultimately need to be an industry-wide API security standard that is continually informed by what we learn from the latest security incidents.

Since this testimony, dialogue has continued around the evolution of API security, including this list of best practices such as front-end authorization and authentication, checking results data, and investing in proactive security testing. Much more remains to be done in this area, but at least this topic is at the forefront of the API developer community.

Our perspective on API security

Of course, we are API developers ourselves, so we are extremely sensitive to the issues of API security. Part of this springs from self-interest: for vendors like us, who handle sensitive personal data for what are often mission-critical applications, our business depends on it. But we are also observing the growth of the entire API ecosystem with interest, and this is a topic we all need to be talking about.

Our API products carry less risk because we do not store customer data. Instead, each record a customer submits to us is processed through a secure and encrypted connection, generally by validating it against one or more databases, and validation results are returned through a secure and encrypted connection. We neither store customer input nor resulting output, so there is little to “steal” by calling our APIs.

Personally, we feel that part of the solution is for API developers to adopt accepted best practices in data security, and document these procedures publicly – ours are here, for example. To create more customer confidence as APIs proliferate, our industry will increasingly need to take people inside the “black box” of API infrastructure and discuss what steps are being taken to protect their data. We are glad to be part of this dialogue, and will continue to be part of it in the future.

The API Economy: What Does it Mean for You?

The 2010s have been the decade of the fill-in-the-blank economy: for example, the gig economy (where people are increasingly contractors instead of employees), the sharing economy (where Uber and AirBnB put you in other people’s cars and homes), and even the hipster economy (don’t ask). Lately we can add a new one to the list: the API economy.

Many of you reading this already know what an API is – but just in case, it stands for Application Programming Interface. Its formal definition from Wikipedia is “a set of subroutine definitions, communication protocols, and tools for building software … a set of clearly defined methods of communication among various components.”

In plain English, APIs are interfaces linking your software and data to other people’s software and data. In this blog, we are going to look at why they have become so important – and more importantly, what they can do for you.

The impact of APIs

Why are APIs being seen as an economic phenomenon? Because they are dramatically changing the way software is being produced – and more importantly, how it is consumed.

First, APIs dramatically extend the reach and capabilities of your software environment. Here at Service Objects, for example, we can put the entire United States Post Office into the address entry fields of your marketing automation software to validate and complete addresses – or even fix ones that are horribly wrong. We can link your prospects or customers to US Census data for demographic analyses. We can tell you which email addresses in your contact list are known spam traps. And much more.

Second, APIs are fueling the next generation of inexpensive, cloud-based computing. Remember the days when implementing tools such as CRM and ERP required months of planning, and seemingly a cast of thousands? For many businesses, those days eventually gave way to easy-to-install browser-based applications with their own user interfaces. Today, the next step has often been towards “headless” capabilities: specific web services with no UI that can be easily plugged into your own business computing environment via APIs.

The other key benefit of APIs is that they are upgradeable component technology. At Service Objects, we are constantly adding new capabilities to our services, with no change in programming required from our users on the front end. This flexibility and ability to evolve quickly has changed the game for business applications today.

Putting APIs to work for you

Most Service Objects services are designed to plug into your applications environment, including marketing and sales force automation platforms and CRMs. We also offer other options, ranging from batch list processing to a PC desktop app and done-for-you data cleaning services, but we are first and foremost an API company – and we devote a lot of our efforts to API resources and ease of integration, so you can seamlessly put these services to work in your platform.

This starts with an architecture that is designed API-first, beginning with our request and response interfaces. We support REST and SOAP, with GET and POST requests over HTTP/S, and return output in JSON and XML formats.

For example, here is a sample web URL request from our flagship DOTS Address Validation – US 3 service, together with the response fields returned in JSON.

API compatibility

Our API web services are compatible with all major programming languages, including Java, PHP, Ruby on Rails, C#, Python, and many more. To help developers integrate our services quickly, we have extensive documentation along with over 200 pieces of sample code. We are developers ourselves, and we live and breathe API integration. And we are always more than happy to help your implementation go smoothly or troubleshoot issues, with an industry-leading support team that is always on call.

Where we are headed

According to IBM, “‘API Economy’ is a general term related to the use of ‘business APIs’ to positively affect the company.” This is truly the rationale for the growth of APIs, particularly economic benefits such as lower development costs and greater capabilities. And at a deeper level, it speaks to how software capabilities are increasingly becoming component parts of streamlined platforms.

Nowadays the label “API Economy” is far from an overstatement, with the use of APIs growing more than 10,000% over the last decade. We are always working hard to stay ahead of the curve and bring more and more data quality capabilities that can be easily integrated into your business platforms.

To try out any of our 24 data validation APIs, visit our web site to request your free trial key.