API Academy Create a framework to address the complex challenges associated with implementing OAuth There are a number of important access-related challenges for API publishers. However, deploying OAuth as an authorization mechanism for enterprise APIs raises challenges around scalability, correct usage and integration. To make matters worse, OAuth is not supported by existing infrastructure and is poorly understood…
Category: API Security
Protecting Your APIs Against Attack & Hijack
API Academy Secure enterprise APIs for mobile, cloud and open Web It is a mistake to think we can secure APIs using the same methods and technologies with which we secured the conventional, browser-centric Web. While it is true that APIs share many of the same threats that plague the Web, APIs are fundamentally different from Web sites…
Applying and Extending DHARMA
This post gives some practical examples of the DHARMA method for API Security in a Microservice Architecture, and also shares some opportunities for extending the model. This article shares concepts from the O’Reilly book Securing Microservice APIs. If you’re attending OSCON next week, Rob Wilson and Matt McLarty will be signing and giving away print copies during lunch on Tuesday, July…
How the facebook API led to the Cambridge Analytica Fiasco
How weak API terms of service, lack of transparency, and permissive API scopes led to the Facebook-Cambridge Analytica scandal The Facebook-Cambridge Analytica data scandal from earlier this year was not about a data breach. Nothing was hacked. It was more nuanced than that. Think: permissive API scopes, a lack of awareness about the data being accessed via your friends,…
Securing Microservice APIs
Matt McLarty, Rob Wilson & Scott Morrison Sustainable and Scalable Access Control There are several techniques for controlling access to web APIs in microservice architectures, ranging from network controls to cryptographic methods and platform-based capabilities. This short ebook introduces an API access control model that you can implement on a single platform or across multiple platforms to provide…
API Management 301: OAuth-Based Access Control
Learn how OAuth provides standard patterns upon which you can deliver API access control In API Management Lesson 201: API Security, we examine typical areas of API vulnerability and share best practices for addressing these vulnerabilities – including the use of OAuth as an access control mechanism. In this lesson, we describe how OAuth provides standard patterns upon which…
API Management 201: API Security
Identify typical areas of API vulnerability and learn best practices for securing APIs In Lesson 103: Choosing a Solution, we discuss the importance of considering functional and operational security characteristics when choosing an API Management solution. Regardless of the solution, understanding the risk profile of APIs is vital to protecting an API against attack. In this lesson, we examine…
API Strategy 201: Private APIs vs. Open APIs
One of the key considerations that should guide both your API business strategy and your interface architecture is the distinction between open and private APIs. An interface is defined as open or private depending on whether it targets external or in-house developers. In this lesson, we explain the distinction in detail and explore ways it may impact your…
The Internet of Things – Today
A quick intro: I’m Bill Oakes, I work in product marketing for CA and I was recently elected to write a regular blog about the business of APIs. I’ve been around the block over the years – a coder, an engineer… I even wrote a BBS once upon a time (yes, I’m pre-Web, truly a dinosaur – roar!) But now…
Cyber Security Awareness Month & the Internet of Vulnerable Things
Did you know that October is National Cyber Security Awareness Month in the US? While I usually emphasize the enormous potential of the Internet of Things (IoT), let’s use the occasion to look at the security risks of the Internet of really vulnerable things. Over the last couple of months, a casual observer could have noticed a variety of security scares…