Awareness Is the Main Issue With API Security: Q&A With Erez Yalon, Checkmarx

Updated: May 14

API-based apps are significantly different from traditional applications and therefore require a different security approach. To dive deeper into API-based application security and how companies can adequately protect their API-based applications, we sat down with API and AppSec expert Erez Yalon, head of security research at Checkmarx. In addition to his day job, Erez is one of the project leaders for the OWASP API Security Top 10 and co-founder of AppSec Village at DEF CON and RSA Conference.

Q: What is an API-based application?

Although it may look the same from a user’s perspective, an API-based app is significantly different from a traditional application. In the past, users would access a web server via a browser, for example, and most of the “data processing” was performed on the server itself. As client devices became more varied (browsers, different smartphones, IoT and smart devices, bots, B2B services) and increasingly powerful, with faster CPUs, extensive memory, more bandwidth, etc., much of the logic moved away from being performed on back-end servers to the front-end (i.e., on the client device itself). In the modern application, the downstream server acts more like a proxy for the data consumed by the API-based app. The rendering component in this instance is the client that consumes the raw data, not the server itself.

A good example to illustrate this concept is an airline mobile app. The app interacts with the user, allowing them to specify travel dates, departure and arrival cities, seat selection, and purchase options. In turn, the app uses a series of API calls that interact with back-end servers primarily to retrieve data about flight schedules, availability, pricing, seats, etc. In this case, the smartphone’s app performs the rendering of the data into an easily readable screen. A different client, such as a tablet app, a browser, or a travel agent’s software, would use similar API calls to retrieve similar data, but it would be rendered differently to fit the use and the client.
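The airline example above, written out as code. This is an added illustration, not code from the interview or from Checkmarx: the flight inventory, the field names, the two caller roles ("passenger" and "agent") and the constructed `cost_basis` column are all assumptions made for the example. The server-side handler returns raw JSON and does no rendering; two different clients consume the same response and render it differently. The server-side checks (validating the request parameters and deciding per caller role which fields go out) are the practitioner's addition: once the logic and rendering live on the client, the back-end can only rely on what it enforces itself.

```python
"""Illustration of an API-based airline app: the server is a data proxy that
returns raw JSON; each client renders the same data differently.
Constructed example, not code from the interview or from Checkmarx."""
import json
from datetime import date

# Constructed sample flight inventory (assumption: stands in for a back-end database).
FLIGHTS = [
    {"flight": "XY100", "from": "TLV", "to": "LHR", "date": "2024-06-01",
     "seats": 12, "fare": 420.0, "cost_basis": 310.0},
    {"flight": "XY102", "from": "TLV", "to": "LHR", "date": "2024-06-01",
     "seats": 0, "fare": 390.0, "cost_basis": 300.0},
    {"flight": "XY200", "from": "TLV", "to": "CDG", "date": "2024-06-02",
     "seats": 5, "fare": 350.0, "cost_basis": 280.0},
]

# Fields each caller role may receive. Decided on the server, never by what
# the client asks for. (Roles are an assumption of this example.)
ROLE_FIELDS = {
    "passenger": ("flight", "from", "to", "date", "seats", "fare"),
    "agent": ("flight", "from", "to", "date", "seats", "fare", "cost_basis"),
}


def search_flights_api(params: dict, caller_role: str) -> str:
    """Server-side handler: validate the request, filter the data, return raw JSON.

    The server does no rendering; it only decides which data to hand back."""
    if caller_role not in ROLE_FIELDS:
        raise PermissionError("unknown caller role")
    # Validate inputs on the server even though the client UI already did;
    # the client is not part of the trust boundary.
    try:
        travel_date = date.fromisoformat(params["date"])
    except (KeyError, ValueError) as exc:
        raise ValueError("date must be YYYY-MM-DD") from exc
    origin, dest = params.get("from", ""), params.get("to", "")
    if not (origin.isalpha() and dest.isalpha() and len(origin) == 3 and len(dest) == 3):
        raise ValueError("airport codes must be three letters")
    allowed = ROLE_FIELDS[caller_role]
    matches = [
        {k: f[k] for k in allowed}
        for f in FLIGHTS
        if f["from"] == origin.upper()
        and f["to"] == dest.upper()
        and f["date"] == travel_date.isoformat()
    ]
    return json.dumps(matches)


def render_phone(raw_json: str) -> list:
    """Smartphone client: compact one-line-per-flight view; hides sold-out flights."""
    rows = json.loads(raw_json)
    return [f"{r['flight']} {r['date']} ${r['fare']:.0f}" for r in rows if r["seats"] > 0]


def render_agent_console(raw_json: str) -> list:
    """Travel-agent software: tabular rows including seats and margin (fare minus cost)."""
    rows = json.loads(raw_json)
    return [
        {"flight": r["flight"], "seats": r["seats"],
         "margin": round(r["fare"] - r["cost_basis"], 2)}
        for r in rows
    ]


if __name__ == "__main__":
    query = {"from": "TLV", "to": "LHR", "date": "2024-06-01"}
    print(render_phone(search_flights_api(query, "passenger")))
    print(render_agent_console(search_flights_api(query, "agent")))
```

Both clients send the same kind of request and receive the same kind of JSON; only the rendering differs. Note that the passenger client never receives `cost_basis`, not because it did not ask for it but because the server filtered it out for that role.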

Q: Why are API-based applications vulnerable?