Did I mention that we have some terrible security flaws with our APIs behind rich client apps? Pretty sure I did; oh, and I did just write a Pluralsight course that shot to the top of the charts, so yeah, there’s that!
There are a few reasons why vulnerabilities in APIs are the new black:
- They’re that much less obvious than vulnerabilities in browser-based apps; you don’t see the URL, you don’t get browser warnings and it’s harder for a casual observer to probe away at them (but only just…)
- Mobile apps are proliferating at a crazy rate. Well in excess of one million each in Apple and Google stores is a good indicator of astronomical growth in a short timeframe. In the rush to market, security is often one of the first things to be neglected. Speaking of “things”…
- The “Internet of Things” – IoT – is a rapidly emerging new technology sector that’s already producing a heap of vulnerable “things”. When your toothbrush talks to an API, that API needs to be secured in the same way as your non-toothbrush things.
- Many developers don’t realise just how easy it is to intercept API traffic from a mobile device. And inspect it. And probe it. And make it do things it’s not meant to do. Lack of awareness is a really, really serious risk.
Joe Colantonio from the TestTalks podcast took my latest Pluralsight course, evidently enjoyed it and asked me to come on the show for a talk. I really enjoyed the chat; it’s an interesting topic, not least because of all the times I see the light bulb go on for developers – “Oh, you mean other people can see all the comms between my app and the API?!”
The episode is over on the TestTalks website or accessible directly via the audio player below: