Australian energy company Jemena has been using APIs, in some form, for about a decade. Its use of APIs — application programming interfaces — has jumped recently and is expected to increase fivefold over the next couple of years. “We’re quite early in our journey,” says Daniel Gordon, the company’s cybersecurity architecture lead. “Now everything is API first, versus maybe an afterthought.”
Jemena is using APIs to share information with business partners and in customer-facing applications, Gordon says. “Even market operators and regulators are moving toward APIs. There’s been a clear acceleration in the last year — the API-ification of everything.”
Gordon sees this as creating new security concerns for the company. The thing about APIs is that they’re designed to provide efficient access to data. If an attacker is able to compromise an API, they could potentially exfiltrate massive amounts of data in a very short time.
The traditional approaches to web application security, which focus on preventing access by bots, don’t apply to API security since, by definition, all API requests are machine-to-machine. “We don’t have so much of a bot problem as a potential data leakage problem. That’s what we’re most worried about — unfettered access to data,” says Gordon. “Being an energy company, we hold a lot of personal information.”