The difference between a web service and an API

This article is the first in a series about digital business security from information security consultant Kevin Beaver.
The information technology industry is notorious for relying on various terms and acronyms to describe what things are and how they work. In the end, though, it's still a confusing litany of words that often creates more confusion than it resolves. Technical professionals may understand them, but that doesn't necessarily translate into what business professionals need to hear. One example involves two terms used for web applications:

· Web services

· APIs

Businesses rely on both web services and APIs to get things done; however, the terms are often commingled when they shouldn't be. Simply put, a web service runs on a web server and serves up an application over one of the two most widely used web service protocols: Simple Object Access Protocol (SOAP) and Representational State Transfer (REST). Web services allow businesses to extend their existing web infrastructure with new applications. A web service is an endpoint for communications between two separate systems.


User experience should be seamless

On the other hand, an API – short for application programming interface – is a set of calls or functions that applications can use to do something such as create a file, read a database, or modify data entries. APIs can be used for traditional client/server programs, mobile apps, and so on. But in this context, APIs are web-application-centric: the application functionality runs over a web service. With web services and APIs, you can't have one without the other. APIs require web service endpoints, and web service endpoints would be nothing without APIs communicating across them.
Both web services and APIs facilitate the creation, processing, and delivery of information across the web – all in the background. Once established, this interaction allows for the user experience to remain the same. Since transactions are being made behind the scenes, between the web browser and the web sites/applications, there is no user involvement. The application just works as intended and, outside of getting what they want, users are none the wiser.

Transactions are being made behind the scenes

As business needs change, the underlying technologies and communications for web services typically remain the same. What does evolve, however, are the actual services that are made available, especially as they relate to API functionality. Depending on the business-to-business relationship and the needs, one party – often both – may request new functionality in order to improve the business workflow. That’s simply a matter of making changes to the API or to how the web service is configured. Compared with traditional applications, working with web services and APIs can be much more streamlined.


The business benefit is what really matters

Given the small attack surface and more limited functionality of web services and APIs, security flaws are much less common compared to traditional web sites and applications. As with any component of a web environment, both web services and APIs need to be tested for security weaknesses on a periodic and consistent basis. This will involve running vulnerability scanners and performing manual tests on both the web service endpoints and the API calls themselves.
Even though the terms web service and API are often used interchangeably, technically there is a difference. What matters is how they can benefit your business by serving up connectivity and applications that might not otherwise be possible.
About the author
Kevin Beaver, CISSP is an information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 31 years in IT and 25 years in security, Kevin specializes in independent security assessments and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has written 12 books on security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin has written over 1,000 articles on security and regularly contributes to TechTarget's, Ziff Davis', and Iron Mountain’s He has a bachelor’s in Computer Engineering Technology from Southern College of Technology and a master’s in Management of Technology from Georgia Tech. In his free time, Kevin races cars in the SCCA Spec Miata class and enjoys riding dirt bikes and snow skiing.
© PSA Insurance Solutions