Nearly every decent web site and application will have an application programming interface (API) of some sort. This may simply be another interface into the application's most advanced administrative controls, controls that are perhaps used by only 5% of users and would clutter up even the most clearly designed user interface. To make those controls available to end users, they have traditionally been exposed programmatically, in a form that only deep technologists would look at or need to use. In addition, those APIs were probably only ever exposed to private internal networks, where protecting them was probably less of a concern from a security perspective.