API Academy

Sponsored by Layer7

A person holding a tablet in their hand.

A Digital Transformation Overview and API Security

By Bill Oakes, CISSPPosted on

We know that in the software business, experience is everything.

83% US consumers said that having a positive customer experience with a brand is more important than the actual product. And we all know that making customers happy today can be tricky. They’re very sophisticated, with high expectations, and they want to make an emotional connection with your brand.  You need to consistently design digital experiences that are easy, adaptable to change with customers’ needs, and provide real value. Most importantly, the experiences that customers have with your brand need to make them feel good. 

 Customer experience has been described as the next competitive battle ground. Getting it right may be one of the most important things you do—and one of your biggest challenges. We’ve learned that winning companies focus on four key principles: Agility, Automation, Insights and Security.

 Following these four principles ensures that your company is ‘built to change,’ and adapt successfully to the increasing turbulence caused by the rapidly accelerating pace of change.

And there’s a rub.  The software world today is largely built on large, monolithic applications.  They work flawlessly, if designed correctly.  BUT….they’re cumbersome  to maintain, requiring substantial process to maintain.

But the world doesn’t stand still….and new clients regularly emerge.  Think of mobile, and what it takes to integrate that into today’s monolithic applications. And the mobile workforce, to be productive, MUST have access to legacy apps and data.  This is the challenge. So what’s emerged in the last few years is migration to an API-centric strategy.  This approach makes it FAR easier to improve agility as new clients or technologies are put in place.  It also allows enterprise to build an ecosystem of partners, improving integration and logistics. And it allows the mobile workforce to be far more productive, accessing/updating corporate data/services.

And now, what’s emerging is microservices – replacing monolithic applications with modular apps that are designed to do specific tasks.  The end result is the same, but application maintenance overhead is drastically reduced. It also means that new technologies can easily be integrated, and  emerging technologies like IoT and the Industrial Internet can become part of the ecosystem. At the end of the day, though, digital transformation is enabled by the architectural platform.  As your customers look to support the app economy, we believe there are four areas that need to be considered:

  • Speed to revenue
  • creating a better CX
  • Reaching a larger potential customer base
  • Creating an architecture that can support and integrate new technologies

With full API lifecycle management, you can efficiently plan, design, publish, secure, scale, consume, and monitor APIs. Instantly design, build and orchestrate secure microservices and accelerate development and integration of mobile apps and IoT devices. Create modern APIs and microservices from existing data assets. This will enable new technologies to integrate with your data. Integrate and orchestrate across apps and silos.  With a monolithic solution, this is difficult.  With APIs and microservices, it’s far easier to enable. Secure and authorize data exposed via APIs, users, and devices.  We’ll talk more about this later. And finally, optimize processes and performance across the entire API lifecycle.  We talked about insights before – strong analytics is how you get there.

In a recent Forrester Research study of US business influencers and decision makers, top priorities were highlighted:

  • Improve the experience of our customers
  • Improve our products/services
  • Address rising customer expectations
  • Improve our ability to innovate
  • Reduce costs
  • Increase influence and brand reach in the market

What these priorities have in common is that, when the rubber hits the road and investments are made, the most common approach to tackling these challenges is to launch a digital transformation project. 

APIs, provide connectivity between critical enterprise information – invaluable data about products, prices, customers, situations, and behavior – and any device, app, or thing that’s connected to the Internet

In effect, they are the connective tissue between the disparate applications that make up a digital ecosystem

In a world where we now count the number of connected devices in the tens of billions, and growing rapidly, it’s simply impractical to reach them all without an abstraction layer that provides a safe, convenient, and scalable way to expose business capabilities.

That’s where APIs come in. We call them “the building blocks of digital transformation Let’s look at a simple example. When you go to a typical application running on the web, let’s say a weather site, you’re utilizing a common framework – a browser – to get information.  Data is passed back and forth from the web server, and your computer uses its processing power to render a customer experience. This was a great model 15 years ago, when you could count the number of device form factors in one hand. But fast forward to today, and it’s a different scenario. Rendering a desktop browser experience on a phone is NOT going to be a great experience for the consumer – there would be significant UI and performance issues – passing that much information over a bad data link would be pretty painful! And trying to optimize presentation on the server side isn’t a great solution either – although it works quite well if you’re responding to a handful of, say, phone and tablet sizes, what happens when your data needs to be consumed by a watch, or a car, or a thermostat, or even another application in the cloud. So let’s throw that model away – at least for the world of mobile and IoT – shall we?

Let’s bring APIs into this solution. As an abstraction layer, they allow businesses to remove the browser from the mix, as well as shield complex systems of record behind something that is much simpler for front-end developers to work with. These app designers can focus on presentation – optimizing the user experience for THAT device and THAT CPU and THAT screen size – while effectively having the integrated data and transactional capabilities they need at their fingertips.

The end result is a better experience and higher performance for customers, and more efficiency, manageability, and scalability for businesses. This efficiency manifests itself as more agility and speed when it comes to taking advantage of emerging technologies, and creating new apps for say, wearables. It also creates the ability for businesses to monetize data in new ways, and reach new markets – in this example, selling data that can be embedded in other applications, even operating systems.

Finally, as more devices become connected in the IoT, APIs allow enterprises to make their physical products better, smarter, and stickier to consumers.  Let’s face it….the Nest thermostat is cool.  Amazon Alexa is cool.  Heck….even Siri, Cortana, and Google Assistant are cool…and convenient. Cool, cost savings, time savings, convenience – these all drive digital transformation acceptance.

Agility.  Automation. Insights. Security.  The four corners of digital transformation.  That last corner – security. By focusing on security from the start of the dev process, you can make it a killer feature, an integral part of your dynamic, insightful, and responsive security strategy. Making identity your new perimeter opens your business up so users, employees and partners can access the data they need while actively ensuring maximum data protection and regulatory compliance. You can protect privileged user accounts—the keys to your kingdom—by monitoring and auditing access across the enterprise in a way that doesn’t impact user experience.

Let’s take a look at some headlines…

  • Snapchat:  In Dec 2013 SnapchatDB released a database of 4.6 million usernames and phone numbers. It could be argued that Snapchat is “just†a consumer service. But this kind of exposure could have easily involved credit card details, health records, or social security numbers.  This was through the reverse engineering of their private API and the find friends exploit could snapchatDB could harvest the database.
  • Yahoo:  Shellshock related attack targeting vulnerable shellshock servers.  Luckly they didn’t contain user data but instead live game streaming servers
  • Moonpig:  Moonpig is one of the most well known companies that sell personalized greeting cards in the UK. In 2007 they had a 90% market share and shipped nearly 6 million cards. In July 2011 they were bought by PhotoBox.
  • Delmara:  Insecure Direct Object References (IDOR) vulnerability.  By changing the customer ID any account can be accessed.
  • Tesla:  The REST API that connects it’s iOS app enabling remote car functionality could be hacked resulting in not only privacy concerns but safety – its low complexity allows for brute force techniques.
  • OneLogin:  JUST happened last week.  A threat actor came in through an AWS API that wasn’t effectively secured – 12 million users had their information exposed for a short amount of time.
  • And this last one…..Tesla’s hacked pw was pretty miniscule compared to a couple of others….
  • Connected cars:  both Jeep and the Nissan Leaf suffered from vulnerabilities – in both cases, because the “cool†factor outweighed the whole “make sure the car is kinda sorta secure†thing. 

In the Leaf’s case, Software developers chose to use the vehicle’s VIN as the method of tying the Leaf app to a specific vehicle.  What this meant is that anyone could download the Leaf app from the appropriate app store, obtain the VIN of the targeted Leaf, plug in the VIN, and take over many of the vehicles key functions. Luckily, the VIN is difficult to obtain.  Unless you are standing by the drivers door looking at the lower left corner of the dash through the windshield.  Ooops.

And we’ll wrap up “we don’t need no stinkin’ API security†stories with a recent one….the Pokemon Go app has an API that functions as the access point of all programs in accessing the database and programming algorithm of Pokemon Go. This access point allowed other programmers in creating apps that access that database, ranging from an Individual Value calculator to nearby Pokemon scanners and bots.  Note that  while Niantec never published an open API…but industrious developers out there reverse-engineered their API and used it to build 3rd party apps like Pokevision and FastPokeMap.

Due to the volume of third party apps accessing the servers of Niantic, and the processing power necessary to address the requests, down times and server side issues occurred. To address this, in early October Niantic changed their API so that these applications cannot access the server anymore. But after almost a week, developers again cracked the new API by reverse engineering the source codes and finally gain access to the new API. What Niantic needed, and didn’t have, was an API gateway protecting their core business.

A hardened API Gateway is a key component of any API Management solution, and should be able to:

  • Provide policies to protect against web-based threats and OWASP vulnerabilities
  • This means providing protection and threat detection for key OWASP vulnerabilities such as SQL injections, cross-site scripting, and denial-of-service attacks.  While auth is crucial (and we’ll about that more in a sec), your API Management solution MUST provide this level of protection
  • For those of you not familiar with OWASP, it’s a valuable organization with an important mission. The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization, with a mission to make software security more visible, so that individuals and organizations worldwide can make informed decisions about true software security risks
  • Control access with SSO and identity management
  • Having a secure system-to-system connectivity while maintaining UX convenience. Build a trusted ecosystem that encompasses all applications whether internal or in the cloud
  • And when I say secure, I don’t mean just mobile.  I mean your infrastructure.  You need an API Management solution that can handle authentication, authorization, and accounting between desperate systems ranging from legacy to modern and maintain a cross federation auth
  • And extending this, your API Management solution should provide end-to-end security for apps, mobile, and the IoT. This means protecting the entire software chain from app to API to connected devices across the IoT
  • Secure access for all touchpoints such as automotive and wearables while providing convenient features such as social and proximity login.

This is a huge sore point now with security officers, and it’s going to get much worse with the emergence of the IoT. API management needs to extend beyond traditional clients, and need to embrace emerging IoT standards such as MQTT, and, in fact, this extension has already begun. By surfacing new functionality that is relevant to app developers such as in-app messaging, pub sub and local storage, removing the onus of learning security protocols from the developer, and by embracing and extending standards, you  enable better security, better integration, and fosters innovation.  The end result is extending security beyond just mobile, and include the IoT.

With this level of integration, this would mean that I can now:

  • create secure collaborative applications and address books
  • secure messaging between users, applications and devices
  • Build apps that handle sensitive data – and dynamically build, store, and delete that sensitive data securely
  • and build secure apps that allow for secure consumption of IoT data across industries

And with that, I’ll I wrap up this close to TL;DR blog with a parting thought…

A multi-disciplinary team at Forrester encompassing both app dev & delivery (IT side) and channel strategy (business side) come up with a pretty strong statement….that “APIs are perhaps the most critical technology in digital business design.â€

My add-on to that is that there’s no excuse to fail to secure those APIs – no one wants to be the engineer at Nissan that went “oops†after the Leaf debacle was recently exposed.