Money Mule(Soft): Salesforce Acquires API Integration Company for $6.5 Billion

Well, it has happened again.

Another tech behemoth has made a massive acquisition to bolster its cloud presence – this time in the most expensive cloud software deal in history.

Last fall, it was Google gobbling up Apigee; this week, it’s Salesforce subsuming MuleSoft.

Alliteration aside, what’s the significance of this latest deal, both for the broader industry and for Forum Systems’ customers and partners?

For the former, it’s a(nother) strategic maneuver by an industry heavy hitter in the hotly contest cloud computing arms race. For the latter, the news is further evidence that security – once again – appears to take a back seat, this time to integration.

So, with apologies to Roger Daltrey and The Who, “meet the new boss, same as the old boss.

Reaching a Milestone

2017 was a watershed year for API (in)security. Several high-profile companies, including Instagram, Circle Media, and Wishbone, were either exposed by API-related vulnerabilities or were the victims of API-oriented breaches.

Unfortunately, thus far in 2018, API (in)security continues to make headlines with incidents involving Coincube and Reddit/Mailgun, and the vulnerability of Roku.

APIs, Have You Met Security?

As we advocate and have recently written about, APIs are the cornerstone of the modern computing era. IoT, cloud, mobile – these platforms are all enabled by the ever-expanding global network of APIs.

APIs are powerful, but they’re also inherently vulnerable. And the industry benefits from further education about security’s foundational role. After all, you can’t have best-in-class integration without best-in-class security, right?

That’s why we’re grateful for the work being done by the OWASP community. Inclusion of “Underprotected APIs” in the OWASP Top 10 – 2017 was a huge step in the right direction.

And as we noted in the SC Magazine UK piece referenced above, 9 of the 10 vulnerabilities in the final edition of the OWASP Top 10 include API components of some kind.

Now that’s progress.

Netflix and…Hack?

Relatedly, Netflix also caught our eye this week. On Wednesday, its security team publicly launched a bug bounty program to encourage – and incent – the global research community to find vulnerabilities.

As the company noted, the goal of its bug bounty program is “to continue improving the security of our products and services while strengthening our relationship with the community.” Notably, in addition to cross-site scripting (XSS) bugs, remote code execution, business logic flaws and SQL injections, Netflix solicited help identifying API vulnerabilities.

It’s refreshing to see API security spotlighted among the more traditional, well-known flaws. Let’s hope other industry leaders follow Netflix’s model.