It's open season on web APIs. Mash all you want—we'll make more. If it ain't open, then it ain't happening. It is like the digital equivalent of the 60s. Everything old is new again, and everyone is so busy trying to make things work that thoughts about security fall somewhere between, "How do I make money?" and "Help, I've been hacked!"

In this chapter I will discuss the evolution of web APIs and how they work. I will take a look at some of the major security issues—such as lack of trust and authentication—involving mashups. I will also try to explain what the worst is that can happen, and how to balance accessibility and security. So, hang on, we have a lot to mash up.

The term mashup came from the recording industry. Artists began mashing up pieces of other artists' work, smashing little samples collected from all sorts of different songs into new compositions, thereby making the masher an artist in her own right. Now apply the same idea to the Internet.

Developers have been chomping at the bit to do this sort of thing for years, but the technology was proprietary and too complex. But now the technology bar has been lowered. The advent of technologies such as XML and SQL along with programming languages such as Java, C#, PHP, Python, and Ruby on Rails (just to name a few) have made it easy to create highly dynamic Internet applications.

The advent of the open API made mashups easy to build. They are easier to build than regular applications, and their parts are ...