Discovering and managing API risks with Baljeet Malhotra: APIs Unplugged

This episode of APIs Unplugged features special guest Baljeet Malhotra, Managing Director of Teejlab. Baljeet started Teejlab to help companies discover APIs they may want to consume, and even discover APIs they are already unknowingly using. Teejlab’s API tooling and API directory help organizations manage the risks associated with the APIs they are considering or consuming. Based in Vancouver, Baljeet is a computer scientist with 15+ years of research and innovation experience working with various public and private sector organizations and customers like SAP, Synopsys, HSBC, IBM, and HP.

You can listen to the episode here:

API discovery has been a hot topic in the industry for many years. Tools, platforms, and standards have emerged to help organizations publish their APIs with the intention of making them more discoverable for consumers. However, there are some areas related to API discovery that have been underserved, especially when viewing the consumption of APIs from a risk management perspective. This was the topic of our conversation with Baljeet, and here are the lessons:

You are likely consuming APIs you don’t know about

Baljeet has a background in open-source risk management. Over the last decade or so, he has observed that many open-source software solutions now include cloud-based components accessed through APIs. The result is that many enterprises consume hundreds or thousands of APIs without realizing it. The provider, however, sees every call, so the consumer can end up billed for usage it never budgeted for, or sending data it never intended to share. According to Baljeet:

“With a lot of enterprises, we are taking them on a journey we took ten or fifteen years ago [when exploring the use of open source]… There is a kind of denial that they do not consume any APIs that might actually pose any risks either from a security perspective or a compliance perspective… The ‘aha moment’ hasn’t happened for everyone, but it is a journey we are experiencing with them.”

– Baljeet Malhotra

Although APIs have simplified and accelerated the adoption of new capabilities, they can open up new exposures, especially when the consuming organization is unaware of their usage.

Using external APIs carries new risks

In Baljeet’s experience, many companies are not doing their due diligence when it comes to API consumption. Either they don’t assess it at all, or they have the team responsible for checking open-source usage run API consumption through that same process. The problem is that the risks are different: a library is code you run locally, whereas an API call sends data to a third party, who may store it, and it carries business and contractual implications as well.

“The way that APIs are evolving–the business aspect of that, the technical aspect of that, and the strategy aspect of that — how and which APIs need to be exposed, at what level of granularity and to which partners, is it a free API — this whole notion around strategy and the business is evolving as well. And there are more stakeholders involved than just a developer.”

– Baljeet Malhotra

Baljeet believes there will need to be specialists who can evaluate business, legal, and compliance risks in addition to technical risks. API consumers also need to recognize that API risk management is a moving target. Unlike open source, where the license is fixed for the version you adopt, an API’s terms of service can change after you have integrated it, and laws can change in ways the provider cannot control.

API consumers can manage risk

The good news is that API consumers can manage these risks. Step one is identifying what APIs are being consumed. Once those APIs have been discovered, the processes associated with open-source risk management offer a starting point, but you also need to factor in the additional legal, security, compliance, licensing, and even financial risks.

“You want to know, are these APIs secure enough, what are the authentication mechanisms? Are these commercial APIs?”

– Baljeet Malhotra

Another risk area is reliability. Baljeet gives a real-world example of a company that unwittingly consumed an API and suffered a production outage as a result. The company spent months trying to determine the cause, and ultimately traced it to a call to an external API being made in a loop. Once again, knowing which APIs you are consuming is the starting point for managing risk.
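The “step one” above (find out which APIs you actually call) and the looping-call outage both become visible at the same place: the egress path, since every external API call has to leave the network. The script below is an added example, not code from the podcast or from Teejlab. It builds an inventory of external API hosts from a forward-proxy access log, records which internal services call each host, and flags hosts that are not on a reviewed allowlist or that show a burst of calls consistent with a retry loop. The log format, hostnames, service names, and thresholds are all constructed for the example.

```python
"""Inventory external APIs from egress proxy logs and flag unreviewed hosts and loops.

Added example; the log layout "<iso-timestamp> <caller> <method> <url> <status>"
and every hostname below are constructed, not taken from a real proxy.
"""
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APPROVED_HOSTS = {"api.payments.example"}  # assumption: APIs that went through review
LOOP_THRESHOLD = 20  # assumption: calls/second from one caller that look like a retry loop


def constructed_log_lines():
    """Constructed sample log: two reviewed calls, one unreviewed lookup, one tight loop."""
    lines = [
        "2024-03-01T10:00:00Z billing-svc POST https://api.payments.example/v1/charges 201",
        "2024-03-01T10:00:01Z billing-svc GET https://api.payments.example/v1/charges/ch_1 200",
        "2024-03-01T10:00:02Z cms-svc GET https://geo.lookup-example.net/ip/203.0.113.7 200",
        "2024-03-01T10:00:05Z cms-svc GET https://geo.lookup-example.net/ip/203.0.113.8 200",
    ]
    # A component pulled in by a dependency retrying a failing call within one second.
    lines += [
        "2024-03-01T10:00:03Z report-svc GET https://telemetry.vendor-example.io/v2/ping 503"
        for _ in range(40)
    ]
    return lines


@dataclass
class ApiRecord:
    host: str
    calls: int = 0
    callers: set = field(default_factory=set)   # internal services seen calling this host
    paths: set = field(default_factory=set)     # "METHOD /path" pairs (IDs not normalised here)
    statuses: Counter = field(default_factory=Counter)
    peak_per_second: int = 0                    # max calls from one caller in one second


def parse_line(line):
    """Split one constructed log line into its fields; reject non-HTTP URLs."""
    ts, caller, method, url, status = line.split()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unexpected url: {url}")
    return ts, caller, method, parts.hostname, parts.path, int(status)


def inventory(lines):
    """Return {host: ApiRecord} aggregated over the given log lines."""
    records = {}
    per_second = Counter()  # (host, caller, timestamp) -> call count
    for line in lines:
        ts, caller, method, host, path, status = parse_line(line)
        rec = records.setdefault(host, ApiRecord(host))
        rec.calls += 1
        rec.callers.add(caller)
        rec.paths.add(f"{method} {path}")
        rec.statuses[status] += 1
        per_second[(host, caller, ts)] += 1
    for (host, _caller, _ts), n in per_second.items():
        records[host].peak_per_second = max(records[host].peak_per_second, n)
    return records


def findings(records):
    """Return {host: [flags]} for the reviewer to act on."""
    out = {}
    for host, rec in records.items():
        flags = []
        if host not in APPROVED_HOSTS:
            flags.append("unreviewed")
        if rec.peak_per_second >= LOOP_THRESHOLD:
            flags.append("suspected-loop")
        errors = sum(n for s, n in rec.statuses.items() if s >= 500)
        if errors and errors == rec.calls:
            flags.append("all-5xx")
        out[host] = flags
    return out


if __name__ == "__main__":
    recs = inventory(constructed_log_lines())
    for host, flags in findings(recs).items():
        rec = recs[host]
        print(f"{host}: {rec.calls} calls from {sorted(rec.callers)}, "
              f"peak {rec.peak_per_second}/s, flags={flags}")
```

In a real environment the allowlist would come from the API review process described in the next section, and paths would be normalised (IDs collapsed) before counting distinct endpoints; the point of the example is that the inventory and the loop signal fall out of data most organizations already collect.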

API providers can help consumers mitigate risk

According to Baljeet, API providers shouldn’t stop at documentation and code samples. There is other information providers can share with consumers and prospects that helps them mitigate risk.

“You can list where this API will be hosted in advance. For example, when you make a live call to an API, you do not know where this call will be routed. You may have a URL that you see, but that does not tell you where the API [is hosted].”

– Baljeet Malhotra

Knowing where an API is hosted lets consumers assess data sovereignty and data residency obligations before any data is sent. Other information worth sharing includes rate limits and the rest of the terms of service. Even if commercial terms are not yet fixed, signaling intentions in that area means consumers are not unpleasantly surprised down the road.

These are just some of the highlights of the discussion, but we encourage you to listen to the whole episode to learn more! Follow the podcast on SoundCloud or subscribe to our newsletter to get summaries of the episodes.
