API security is the prevention of unwanted or abusive usage of an API.
What is an API?
An API, or application programming interface, defines the protocols for communication among software components.
Software programs use APIs to communicate with each other. They can be used locally or remotely; the programs could be running on the same computer, or they could be running on machines that are separated by multiple time zones. In either case, the programs need a well-defined standard for exchanging data. In order for each to send data in a format that the other can understand, the same pre-defined protocol must be followed by both.
APIs can be private, and only used internally. They can be semi-public; in other words, although they are used in a public context (such as sending data over the Internet), their internal details are restricted to trusted entities. Or they can be public; many applications and services publish their APIs so that external entities can communicate with them.
APIs are not restricted to any particular format. However, the two most popular approaches today are REST and SOAP.
What is a RESTful API?
Representational State Transfer (REST) is an architectural style that defines a set of constraints to be used for creating web services. REST is intended to increase the desirable characteristics of inter-software communication, such as performance, scalability, and reliability. To achieve this, it has six underlying principles:
- Client-server architecture
- Statelessness
- Cacheability
- Layered system
- Code on demand
- Uniform interface
A web service API that conforms to the REST architectural style is called RESTful. RESTful web services (RWS) provide interoperability between computer systems on the Internet.
What is a SOAP API?
Simple Object Access Protocol (SOAP) is a standard for message formats and requests. Unlike REST, which is an architectural style, SOAP is a defined protocol. A SOAP API exchanges XML over HTTP or SMTP.
Which type of API is more popular?
SOAP is (much) older than REST, but there are still some contexts within which SOAP is preferred. For example, it supports WS-Security, it has built-in redundancy for messaging, and it has some other features that can be useful in certain use cases.
However, REST is more flexible than SOAP. Plus, it tends to have better performance. (SOAP relies on XML, whereas REST can use JSON.) Therefore, REST has become the more popular of the two.
Nevertheless, regardless of its type, every web API faces the same challenge. It is exposed to the public Internet, and to all the malicious traffic that the Internet carries.
Why is API security important?
Businesses use APIs to connect services and transfer data. APIs that are broken, exposed, or hacked can expose sensitive medical, financial, and/or personal data. Thus, security is a paramount consideration when designing and developing RESTful and other APIs.
Furthermore, there are many ways to abuse an API other than breaching the backend system. If an API is not properly secured, a variety of attacks can occur.
For example, a DDoS attack can make an API endpoint unavailable, or can severely degrade its performance. An API that serves data can have its data collected and stolen by competitors or aggregators. An API for online purchasing can be vulnerable to inventory denial attacks. And so on.
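As an added example that is not part of the original article, the following Python code implements a per-client token-bucket rate limiter, one of the basic controls used against the flooding, scraping, and inventory-denial abuse described above. The API key names, limits, and request timeline are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed example: each client (identified by its API key) gets a bucket
# holding up to `capacity` tokens that refill at `refill_per_sec`. A request
# spends one token; once the bucket is empty the request is rejected, so a
# burst from a scraper or flood is throttled while a normal client is unaffected.

@dataclass
class Bucket:
    tokens: float
    last: float  # timestamp of the last refill calculation

@dataclass
class RateLimiter:
    capacity: float = 10.0        # burst size allowed per client
    refill_per_sec: float = 1.0   # sustained request rate per client
    buckets: dict = field(default_factory=dict)

    def allow(self, client_id: str, now: float) -> bool:
        """Return True if the request should be served, False if it is rate limited."""
        b = self.buckets.get(client_id)
        if b is None:
            b = Bucket(tokens=self.capacity, last=now)
            self.buckets[client_id] = b
        elapsed = max(0.0, now - b.last)
        b.tokens = min(self.capacity, b.tokens + elapsed * self.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

def simulate(limiter: RateLimiter, requests):
    """requests: iterable of (timestamp, client_id). Returns {client: (allowed, denied)}."""
    counts = {}
    for ts, client in requests:
        allowed, denied = counts.get(client, (0, 0))
        if limiter.allow(client, ts):
            counts[client] = (allowed + 1, denied)
        else:
            counts[client] = (allowed, denied + 1)
    return counts

# Constructed traffic: one well-behaved client at 1 request/s for 20 s, and a
# scraper that fires 100 requests within a single second starting at t=5.
SAMPLE_REQUESTS = (
    [(float(t), "normal-user") for t in range(20)]
    + [(5.0 + i * 0.01, "scraper") for i in range(100)]
)

def run_sample():
    return simulate(RateLimiter(capacity=10.0, refill_per_sec=1.0), SAMPLE_REQUESTS)

if __name__ == "__main__":
    print(run_sample())  # the scraper gets its first 10 requests, then is refused
```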
The variety of possible attacks is one of several factors that make API security very difficult. As microservices and serverless architectures have become more widespread, API security has become vitally important for businesses today.