Case in Point: Unprotected APIs
APIs often introduce unwanted second- and third-order effects to the internal enterprise core. The U.S. National Weather Service [1] developed an Android application that connected to its core systems via an API. The API layer had the ability to make unfettered requests to the internal core systems, which resulted in the internal core National Weather Service system going down due to an external Denial of Service attack.
This unprotected API threat should be a wake-up call for every security architect. Unlike "What happens in Vegas stays in Vegas," what happens on the external API layer does not stay external. APIs are not a blocking layer; they are an admission layer. Anything admitted to the enterprise core needs strict scrutiny, and that begins with managing the API layer with an API gateway.
[1] http://www.forbes.com/sites/jameslyne/2014/08/26/android-app-causes-national-weather-service-website-blackout/
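The admission-layer idea above, as an added example that is not code from the page or from the National Weather Service: a minimal API-gateway check that charges every external request to a per-client token bucket before anything is forwarded, so a flood from one client is absorbed at the edge rather than passed through to the internal core. The client id, the limits and the core stub are assumptions.

```python
"""Added example (not the National Weather Service's code): a per-client
token-bucket admission check in front of an assumed internal core service."""
import time
from collections import defaultdict


class TokenBucket:
    """Refill `rate` tokens per second up to `capacity`; one request costs one token."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Admission layer: every external request is charged to its client's
    bucket before anything is sent to the (assumed) internal core."""

    def __init__(self, core, per_client_rps=5, burst=10, clock=time.monotonic):
        self.core = core
        self.buckets = defaultdict(lambda: TokenBucket(per_client_rps, burst, clock))

    def handle(self, client_id, request):
        if not self.buckets[client_id].allow():
            return 429, "rate limit exceeded"   # rejected at the edge, core untouched
        return 200, self.core(request)


def simulate_flood(n_requests, advance_seconds=0.0):
    """Replay a constructed burst of n_requests from one client against a
    controllable clock and report how many actually reached the core."""
    now = [1000.0]                              # frozen clock: no refill during the burst
    core_calls = []
    gw = Gateway(core=lambda r: core_calls.append(r) or "forecast", clock=lambda: now[0])
    admitted = sum(gw.handle("android-app-1", "GET /forecast")[0] == 200 for _ in range(n_requests))
    now[0] += advance_seconds                   # optionally let the bucket refill, then retry once
    late_status, _ = gw.handle("android-app-1", "GET /forecast")
    return {"admitted": admitted, "rejected": n_requests - admitted,
            "core_calls": len(core_calls), "after_wait": late_status}
```

With the defaults, a burst of 100 requests lets only the 10-token burst through to the core and rejects the rest with 429; one second of refill at 5 tokens per second admits the next request.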