Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

Programmable Web’s Musser says that many of the security risks introduced by an API are similar to those found in desktop computers. In both cases, he says, security vulnerabilities exist wherever there is an access point that an attacker might abuse. Any site that builds its API on top of another site’s API is relying on someone else’s security, and it’s not easy to look into what has been built to see how well it has been handled, Musser says. “Part of the fundamental issue is just how new the technology is,” he adds.

Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, says that sites that publish APIs can find it hard to discover security flaws in them. He notes that often it’s difficult to tell how a third-party site is using an API, and if that site has been compromised by an attacker.

APIs are also harder to test than traditional websites, Grossman says. Though software tools have been developed that can analyze a site’s underlying code to pinpoint potential vulnerabilities, those tools won’t work for testing APIs. “It’s a lot more manual with a lot less automation, and it means, at the end of the day for the business, more expense,” he says.

But while experts agree that there’s no easy fix for the risks introduced by APIs, they also say the technology isn’t going away. “Websites are becoming Web services, and that trend isn’t going to stop,” Musser says.

0 comments about this story. Start the discussion »

Credit: Technology Review

Tagged: Web, web applications, computer security, DEFCON, mashups, API

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me