I submitted an entry on IdeaExchange today about adding more authentication to the API to prevent rogue applications/people from wreaking havoc in your system and to provide a means of tracking the applications that modify your data.
Someone with average programming skills could cause some destruction via the API if they wanted to, and I think some mechanism of locking it down further would be good. Also, since so many applications will be accessing/manipulating data via the API, it’d be good to limit what an app can do (e.g. only access specific objects, read vs. write) and also to track the application that is making changes to records. It’s like having application-specific profiles. When a user logs into Salesforce via an external application, they only get the permissions where their user profile and the application’s profile match. (Maybe they have delete Account rights in their user profile, but the application profile doesn’t allow deletes; they won’t be able to delete Accounts when using that application.)
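A minimal sketch of the matching rule described above, added here as an illustration and not Salesforce code or an existing Salesforce API: the effective permissions are the intersection of the user profile and the application profile, and every decision is logged with the calling application. The profile layout, the `sync-tool` application ID, the `jdoe` user and all function names are assumptions made for this example.

```python
# Added illustration of the "application profile" idea; not Salesforce code.
# All names and sample profiles below are constructed for this sketch.
from datetime import datetime, timezone

# Each profile maps an object name to the set of actions it allows.
USER_PROFILE = {
    "Account": {"read", "create", "edit", "delete"},
    "Contact": {"read", "edit"},
}
APP_PROFILE = {
    "Account": {"read", "edit"},  # this app may never delete Accounts
}

def effective_permissions(user_profile, app_profile):
    """Return only the permissions granted by BOTH profiles."""
    effective = {}
    for obj, user_actions in user_profile.items():
        # An object absent from the app profile is denied by default.
        allowed = user_actions & app_profile.get(obj, set())
        if allowed:
            effective[obj] = allowed
    return effective

def authorize(user, app_id, obj, action, user_profile, app_profile, audit_log):
    """Decide one API call and record which application made it."""
    granted = effective_permissions(user_profile, app_profile)
    allowed = action in granted.get(obj, set())
    # Denied attempts are logged too, so a misbehaving app is visible.
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "app": app_id,
        "object": obj, "action": action, "allowed": allowed,
    })
    return allowed

if __name__ == "__main__":
    log = []
    calls = [("Account", "edit"), ("Account", "delete"), ("Contact", "read")]
    for obj, action in calls:
        ok = authorize("jdoe", "sync-tool", obj, action,
                       USER_PROFILE, APP_PROFILE, log)
        print(f"{obj}.{action}: {'allowed' if ok else 'denied'}")
    print(f"{len(log)} audit entries, all attributed to {log[-1]['app']}")
```

Because the result is an intersection, an application profile can only narrow what a user may do, never widen it.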
I don’t have the design all figured out, but it’s the idea I wanted to get across. I am interested in what you all think. If you have an opinion (agree or disagree), please add your comments to the post on IdeaExchange.