Anthony Dellavecchia is a developer evangelist at Twilio. This article discusses gaining trust in APIs and what you should look for.
APIs continue to grow at an exponential rate. By the figures cited in the talk, API usage is growing 30% year over year, and by 2024 we will reach 42 trillion API hits. Gartner predicts that by 2025, 30% of all third-party APIs will be used in applications; today that number is under 10%, so in just a few years the share grows by more than 20 percentage points. That is big growth, and with it come many challenges: security, outages, and more.
Gartner also predicts that APIs are growing so quickly that they will outgrow the number of teams able to support them. So we are not only talking about security challenges, but about APIs that no one is left to maintain.
Given the importance of APIs, their growth rate, and their exposure to attack, it is important to know how to decide whether to trust an API. For that, you need to learn as much as you can about each API you use.
Knowledge of the API
To trust an API, you need to –
- Understand that API before you use it.
- Understand what data is being passed in and out of that API. Are you dealing with marketing data, or with sensitive personal data? How is it protected in transit and at rest?
- Check whether you are exposing only the data the API needs, or more than is required.
These points seem to be simple but are important. When we consume an API, we are inheriting it. And when we inherit, we inherit the good as well as the bad.
For example, if you use Twilio Programmable Messaging, you might send a text message containing a one-time code. If you are using that product, you should think about what data you are going to text, what the API does with it, and what else you are combining with this API.
It helps to understand the technology behind SMS. SMS is not end-to-end encrypted; the message body travels and is stored as plain text at the carriers that relay it. So you cannot send information over text and expect it to stay confidential: the carriers store these messages and have access to their contents, and anyone who compromises a carrier system, or the handset that receives the message, can read them too. A short-lived one-time code is an acceptable payload; a card number, password, or other sensitive information is not.
Compliance
Compliance alone will not give you trust in an API, but it does tell you that the provider has been audited against a defined set of regulations or standards, and there is value in checking it. For example, if you want to use an API to handle EU data, you want the provider to adhere to GDPR, the EU regulation on handling personal data.
Twilio adheres to ISO standards and maintains SOC 2 compliance. It allows customers to enable FIPS Level 3, a US government standard for cryptographic modules. Twilio also documents a shared responsibility model between Twilio and its customers for HIPAA-regulated workloads. Twilio Voice, for example, is PCI DSS Level 1 compliant, so it can collect credit card information over the phone or take a payment in an application on a customer's behalf; Twilio is also PCI Level 3. It applies the same GDPR standards to all customers and all personal data.
Communicate frequently and adhere to SLAs
You should communicate frequently with the API partner and stay on the same page about expectations. You do this by agreeing to their terms of service and holding both sides to the SLAs. Apply the same rigor to uptime, performance, security, licensing terms, and product roadmaps for an API as you would for a traditional SaaS service.
Gaining trust
You are already looking at compliance and security, but to gain your own customers' trust you must step into their shoes. Think about your customers at all times and do the right thing for them. Get back to basics:
- Use a standard authorization protocol such as OAuth rather than a home-grown scheme.
- Maintain an inventory of your APIs, so that nothing is exposed that you do not know about.
- Apply the principle of least privilege so that each identity (user, service, or token) has only the permissions it needs.
- Apply rate limiting to your APIs.
- Limit the size of request payloads.
Tips for organizations handling personal data
- Do not move data for the sake of it; move it only when necessary. Every extra copy or transfer widens the surface for a leak.
- Dispose of sensitive customer data properly once it is no longer needed.
- Collect only the data that is required. Do not over-collect.
- Have trained professionals handle personal and sensitive data, with appropriate training in security and data handling.
To conclude, do not trust an API simply because of its name recognition or its track record. Stay cautious, do your due diligence, and bring a shift-left mindset to security so that these checks happen before the integration ships rather than after an incident.