How important are APIs? According to a recent Deloitte University Press report, we are in the midst of a revolution, with the number of public APIs doubling over the past 18 months, and more than 10,000 published to date. The API economy, in which companies such as Salesforce.com, Amazon Web Services and many others generate revenues by exposing APIs as business building blocks, has swept across a wide range of industries and is even penetrating government.
In essence, APIs are another way to do more with less -- extending application functionality and data in new and flexible ways to Internet-connected devices and services. This is particularly true of organizations where the Web is central -- Twitter, for example. But this revolution also contains the seeds of its own destruction in the form of unsecured APIs, which can pose serious risks to information and enterprise security.
Windows to the application architecture, APIs document various object structures and reveal how data is handled. And that gives hackers a lot of clues they can use to launch attacks.
“In contrast to conventional Web apps, with layers of functionality such as presentation graphics between the outside world and the internal application, APIs are a much more direct connection,” says K. Scott Morrison, senior vice president and distinguished engineer at CA Technologies in Vancouver, British Columbia.
APIs provide a great opportunity for organizations to begin to integrate systems and data. However, decision makers need to think hard about the impact of doing that and the unintended consequences. “The consequences can be anything from revealing information that shouldn’t be shared to simply leaving unwanted tracks on the Web,” Morrison says. APIs may end up exposing customer data with implications we don’t yet grasp; for example, the “ownership” of data describing someone’s location at a particular time or the setting on a thermostat is unclear. Enterprises want to have some control over that. API security is a place to start.
To ensure applications and data are as safe as possible, CIOs and development team leads need to consider what internal data to protect, and what functionality and data the organization is willing to expose right from the start, advises Merritt Maxim, senior analyst for security and risk at Forrester Research Inc., in Cambridge, Mass. Development of a public API should be accompanied by a risk assessment that considers all the systems that the API could affect, how a breach might impact the organization, and what controls and policies would be needed to prevent a breach or to minimize damage.
Gateways and API management
Organizations have begun to find ways to better manage APIs, and this is a foundation for improved security, according to Maxim. Some of this is accomplished through reformed practices or point products. But a big part of the response has been the adoption of API management platforms and gateways, which can be implemented either in hardware or software.
API management products often include not only a gateway function but also additional features such as authentication, analytics, hosting and billing options. The products are available from a wide range of vendors including 3scale, Akana (formerly SOA Software), Apigee, Axway, CA Technologies, IBM, Informatica, Intel Services, MuleSoft, Tibco Software and WSO2.
“The concept is that a gateway can serve a number of functions such as traffic monitoring, security and failover, which is important for APIs that get a lot of hits,” Maxim says. A gateway can also serve a secondary function: monitoring the APIs, tracking who accesses them and auditing that access, so that it can feed input and alerts to a security team about how the APIs are being used.
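To make the gateway functions above concrete, here is an added example (not code from the article or from any vendor named in it) of a minimal policy enforcement point that authenticates an API key, checks the scope the key is entitled to, rate-limits accepted calls, writes an audit record for every request and raises an alert for the security team once a key accumulates repeated denials. The API keys, scopes, limits and thresholds are constructed sample values.

```python
import time
from collections import defaultdict, deque

# Constructed sample configuration (hypothetical keys and scopes, not from any real product).
API_KEYS = {
    "key-alpha": {"owner": "partner-a", "scopes": {"orders:read"}},
    "key-beta": {"owner": "partner-b", "scopes": {"orders:read", "orders:write"}},
}
RATE_LIMIT = 3            # accepted calls per key per window
WINDOW_SECONDS = 60
ALERT_AFTER_DENIALS = 2   # denied calls from one key before the security team is alerted


class Gateway:
    """Minimal gateway policy: authenticate, authorise, rate-limit, audit, alert."""

    def __init__(self):
        self._accepted = defaultdict(deque)  # key -> timestamps of accepted calls
        self._denied = defaultdict(int)      # key -> running count of denials
        self.audit_log = []                  # one record per request, whatever the outcome
        self.alerts = []                     # messages that would go to the security team

    def handle(self, api_key, scope, now=None):
        now = time.time() if now is None else now
        owner = API_KEYS.get(api_key, {}).get("owner", "unknown")
        if api_key not in API_KEYS:
            decision = "unauthenticated"      # unknown key: the call never reaches the backend
        elif scope not in API_KEYS[api_key]["scopes"]:
            decision = "forbidden"            # valid key, but not entitled to this operation
        else:
            window = self._accepted[api_key]
            while window and now - window[0] >= WINDOW_SECONDS:
                window.popleft()              # drop accepted calls that fell out of the window
            if len(window) >= RATE_LIMIT:
                decision = "rate_limited"
            else:
                window.append(now)
                decision = "allowed"
        # Every request is audited, including denied ones, so access can be tracked later.
        self.audit_log.append({"ts": now, "key": api_key, "owner": owner,
                               "scope": scope, "decision": decision})
        if decision != "allowed":
            self._denied[api_key] += 1
            if self._denied[api_key] == ALERT_AFTER_DENIALS:
                self.alerts.append(f"{owner} ({api_key}): {ALERT_AFTER_DENIALS} denied calls, "
                                   f"latest={decision}")
        return decision
```

In a real deployment the audit records and alerts would be shipped to the SIEM rather than kept in memory, and the rate limiter would be backed by a shared store so that all gateway instances see the same counters.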