Using Restful APIs? Choose Your Vendors Carefully.
By: Matt Angerer
In today’s age, most software products released to market are labeled as an “open platform.” The open platform evolution is real, but we caution our customers to choose their vendors carefully. Not only should you be careful about what vendor’s API you “hook into,” but carry out your own due diligence on any security and compliance procedures to ensure your brand reputation. For instance, if you deal with highly sensitive consumer data (e.g., credit reports) or healthcare information (HIPAA), you’ve already drawn a target on your back for potential intruders.
Hackers are looking for any potential way to exploit vulnerabilities in your web applications. They might not be after the data generated within your web app, but rather the data that you’ve pulled from an upstream provider via API. If you’re that downstream data provider, it’s important to vet all of your upstream partners with comprehensive security penetration testing and scanning. With continuously evolving software, you need a solution like HPE Fortify On Demand to schedule quarterly dynamic scans across your vendor software applications.
The prevalence of Restful APIs allows for software vendors to build products integrated with either competing or complimentary software products. It’s a complex web of interconnected data exchanges that could spell disaster for your organization. The media does not always pick up on data breaches. Many companies go to extraordinary lengths to keep data breaches visible to the consumers potentially impacted. You’ve likely received the dreaded email that goes something like this:
“We regret to inform you that our systems were compromised and it is believed that your data may have been accessed. We’ve taken every measure possible to prevent this from occurring again.”