I am interested in working with a startup; they want to connect to my store via an API. Whilst I already use some APIs, the ones I use are already on the Shopify App Store, so I trust that Shopify has done due diligence on the providers.
However, I am cautious about using an API from this startup (it's a friend's business). Should I be concerned about the security of this API? How do I go about mitigating the risk, if there is one? The risks I am concerned about are the general functionality of my Shopify store and customer data. Should I be concerned about anything else?
I'm not sure I 100% understand the exact scenario you are outlining, but if your friend's company provides an app that can plug into your own Shopify shop, then I assume it's published on the Shopify App Store, correct? If so, then when it's going through the installation routine you should see an authorization screen, where you (as the logged-in Shopify shop user) can review what types of data records the app will have access to. Review that list and see if it looks okay to you. If it does, install the app. If it doesn't, then I wouldn't install it.
If you are talking about your friend's company furnishing their own API (not a public app, but just a series of URI endpoints) for providing data, then the API should have some sort of token-based authentication, so that not anyone/everyone can just gain access.
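As an added example (not code from the thread's author, from Shopify, or from the startup), here is how a store-side partner API could enforce the token-based authentication the answer recommends while also limiting each token to the data types it may read, mirroring the "review what the app can access" step above. The endpoint paths, scope names and the sample token are assumptions; tokens are stored only as SHA-256 hashes and compared in constant time.

```python
"""Token-based authorisation for a partner-facing store API (added example).

Assumptions (not from the original thread): the store exposes a few JSON
endpoints to the partner, each endpoint is tagged with the data scope it
touches (e.g. "read_orders"), and the partner presents a bearer token that
the store issued out of band. Tokens are stored only as SHA-256 hashes so a
leaked config file does not leak usable credentials.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed sample token store: sha256(token) -> set of granted scopes.
# In a real deployment this would live in a database, not in source.
PARTNER_TOKEN = "example-partner-token-do-not-reuse"  # constructed sample value
_TOKEN_STORE: Dict[str, Set[str]] = {
    hashlib.sha256(PARTNER_TOKEN.encode()).hexdigest(): {"read_orders", "read_products"},
}

# Each partner endpoint maps to the single scope it needs (least privilege).
# Paths and scope names are hypothetical.
ENDPOINT_SCOPE: Dict[str, str] = {
    "/partner/v1/orders": "read_orders",
    "/partner/v1/products": "read_products",
    "/partner/v1/customers": "read_customers",  # not granted to the sample token
}


def issue_token(scopes: Set[str]) -> str:
    """Create a random token, store only its hash, and return the plaintext once."""
    token = secrets.token_urlsafe(32)
    _TOKEN_STORE[hashlib.sha256(token.encode()).hexdigest()] = set(scopes)
    return token


def _lookup(token: str) -> Optional[Set[str]]:
    """Return the scopes for a presented token, or None if it is unknown.

    Digests are compared with hmac.compare_digest so response timing does not
    reveal how many leading characters of a guessed token were correct.
    """
    presented = hashlib.sha256(token.encode()).hexdigest()
    for stored_hash, scopes in _TOKEN_STORE.items():
        if hmac.compare_digest(presented, stored_hash):
            return scopes
    return None


def authorize(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Decide whether a request to `path` with `headers` is allowed.

    Returns (HTTP status, reason):
      404 - path is not a partner endpoint at all
      401 - missing or unknown bearer token
      403 - valid token, but it lacks the scope this endpoint needs
      200 - allowed
    """
    scope = ENDPOINT_SCOPE.get(path)
    if scope is None:
        return 404, "not a partner endpoint"
    # HTTP header names are case-insensitive, so normalise before lookup.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    scopes = _lookup(auth[len("Bearer "):].strip())
    if scopes is None:
        return 401, "unknown token"
    if scope not in scopes:
        return 403, f"token lacks scope {scope}"
    return 200, "ok"


if __name__ == "__main__":
    hdr = {"Authorization": "Bearer " + PARTNER_TOKEN}
    for p in ("/partner/v1/orders", "/partner/v1/customers", "/admin"):
        print(p, authorize(p, hdr))
    print("/partner/v1/orders no token", authorize("/partner/v1/orders", {}))
```

The point of the scope table is that a token issued to the partner cannot reach customer records unless that scope was deliberately granted, so a compromised partner token exposes only the data it was meant to read; revoking access is a matter of deleting one hash from the store.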