Code Platoon, a nonprofit coding bootcamp for Veterans, active duty Servicemembers, and military families, is proud to announce the launch of its newly revamped AI Cloud and DevOps Engineering program.
The apps we download from reputable outlets, such as Google Play or Apple's App Store, aren't always what they seem. As recently as September 2019, 172 harmful apps — with an immense 335 million installs — were found to contain issues such as adware, malware, and even credit card phishing.
Ensuring the safety of the apps we use every day is essential. Consumers need to know their app stores are offering vetted downloads. At the same time, personal discretion is essential — knowing not to allow access permissions on a simple flashlight app, for example, is part of technological literacy.
Yet even when common sense is taken into account, developers, consumers, and anyone with a smartphone still remains at risk. When the issue lies in the very APIs an app uses, the publishers cannot tell which ones are risky to download and which ones are safe. Virtually all apps use APIs, sometimes as many as dozens or hundreds.
To understand where the problem lies, we have to look toward where the issue begins — and how to bring an end to these potential risks without sacrificing everything APIs have allowed us to do in the 2020s.
Rise Of The Shadow APIs
If the term shadow API sounds insidious, it's because it should. The term refers to APIs that have been overlooked, forgotten, or ignored in the development process; the app's creators simply aren't aware they're in use. These APIs have the same accesses and permissions as the others utilized in any given app, however, because they remain in the shadows, they can potentially be exploited by hackers for a variety of nefarious purposes.
The risks of such untracked APIs only grows as app development becomes easier. Agile development has lowered the skills needed to produce and deploy an application, largely due to the reliability and proliferation of API integration. This increased rate of productivity touches other sectors as well, such as the Internet of Things, which relies just as heavily on APIs as mobile apps.
It's this proliferation that causes security professionals to worry, with Gartner predictingAPIs will become the number one source of data breaches by 2022. A shadow API is an enticing security loophole for anyone capable and willing to exploit one. Knowing how to cut down on this risk is as essential as creating the app itself.
Bringing Light To APIs
Shadow APIs accumulate the same way our homes become cluttered. Gifts and gadgets we no longer need end up on shelves and in closets, rarely (if ever) in use, gathering dust.
The only way to declutter is to get rid of unwanted items. In the same way, app developers need to make an assessment: which APIs are necessary for the application to function?
Taking stock of what APIs are integrated into a release is the first step in reducing risk. Too often, developers overlook the danger associated with having an app's functionality affected by an API that isn't fully vetted or secure.
After discovery, the next step is diagnosis. Rigorously testing and researching APIs to ensure their safety may add time to an app's overall development, yet it's a small price to pay for the ease of mind. The last thing any developer wants is to release an app that is exploitable by a third-party. Such an issue would not only nullify the app's utility, but also bring damage to the company's reputation.
Even as we look ahead to 2020, there are enterprises which believe their security protocols cannot be hacked. With the increasing proliferation of cloud computing, along with the increasing ease of app development, what may be a low-priority risk now can end up becoming a massive problem. Reducing risk today, through identifying and diagnosing potentially harmful APIs, ensures product safety well into the future — while leaving the most useful APIs intact, alongside a company's reputation for trusted security.
Industry News
Salt Security announced the launch of Salt Cloud Connect for AWS, an API security solution to deliver full API visibility and posture governance without the need for traffic data or agents.
CoreWeave announced the launch of three new AI cloud software products and capabilities to help customers develop, deploy, and iterate AI faster.
BrowserStack announced support for Playwright tests on real iOS devices with Safari.
JFrog announced a partnership with TL Consulting, an Australian-based professional services organization specializing in cloud-native, GitHub and Microsoft DevSecOps implementations.
Kusari unveiled Kusari Inspector, an artificial intelligence (AI)-based pull request security tool that brings cutting-edge security risk analysis directly into developers’ daily workflows.
Secure Code Warrior announced the availability of AI Security Rules on GitHub – a free resource to help developers generate more secure code when working with AI coding tools like GitHub Copilot, Cline, Roo, Cursor, Aider and Windsurf.
Mirantis announced a comprehensive reference architecture for IT infrastructure to support AI workloads.
Operant AI announced the launch of MCP Gateway, an expansion of its flagship AI Gatekeeper™ platform, that delivers comprehensive security for Model Context Protocol (MCP) applications.
Oracle has expanded its collaboration with NVIDIA to help customers streamline the development and deployment of production-ready AI, develop and run next-generation reasoning models and AI agents, and access the computing resources needed to further accelerate AI innovation.
Datadog launched its Internal Developer Portal (IDP) built on live observability data.
Azul and Chainguard announced a strategic partnership that will unite Azul’s commercial support and curated OpenJDK distributions with Chainguard’s Linux distro, software factory and container images.
SmartBear launched Reflect Mobile featuring HaloAI, expanding its no-code, GenAI-powered test automation platform to include native mobile apps.
ArmorCode announced the launch of AI Code Insights.
Codiac announced the release of Codiac 2.5, a major update to its unified automation platform for container orchestration and Kubernetes management.