As more enterprises engage in their digital transformation, they are connecting their application through APIs. APIs have long been the connective tissue between, and among, software applications. Because they enable business-critical transactions, it is critical that they be both highly accessible and usable, as well as being secure. As enterprises demonstrate increasingly broad and deep digital reach, their value becomes more closely tied to how effectively, and securely, they can manage these API transactions and use.
The same security risks we see with traditional software applications apply to APIs but because APIs operate with an emphasis on intermediary operations, there is a greater surface functionality that connects with multiple back-ends. In other words, APIs work with, and process, more data than any single application. Those interactions happen not just at the application layer, but also in the DMZ, and behind your enterprise firewall. You have to take care not to expose back-end data, architecture, or applications to hacks. Having security precautions at different points on the application continuum is helpful, but it also means that attention needs to be paid in different ways, and in different ways, so that the application data can still communicate to deliver the intended user experience.
To understand how to plan and prepare your APIs and your digital business to avoid threats, hacks and other unintended consequences, we have provided a roadmap of our resources that can help you become more educated on API security. Security architects need to continue to develop a deep understanding about API security and how it differs from traditional web application security or mobile application security, With a review of these items, it’s our hope that you can begin to develop a framework for how to ensure API security for your business:
API Security Framework:
API Security Overview: API security and management go hand-in-hand, and this overview explains how enterprises can shape their business models to address the new digital economy by preparing their APIs for consumption in mobile applications, cloud applications and Internet of Things (IoT). We provide a guide for how APIs can connect enterprises with mobile apps and a large community of developers, and we emphasize that APIs also need to be scalable, reliable, and most importantly secure.
API Gateway – Security Elements: Enterprises want to quickly and cost-effectively develop, secure, manage and monitor their APIs in an increasingly connected world by securely and rapidly connecting applications across platforms, devices and channels. This piece explains how that gets done.
API Security: Securing Digital Channels and Mobile Apps Against Hacks (recorded webinar): In this webinar, we will walk you through the various aspects of how an API could be potentially exploited. We will discuss the necessary best practices to secure your data and enterprise applications while continue continuing to support your business’s digital initiatives.
The State of API Security
API Security: A Guide to Securing Your Digital Channels (whitepaper): The purpose of this paper is to help you understand the necessary components of a well-constructed API security strategy. First it takes you through API risk assessment discussing the various attack vectors that could potentially make your API vulnerable. Then the paper talks about risk mitigation strategies that API providers can put in place to prevent API hacks.
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3 (recorded webinar): Recently revealed vulnerabilities in SSLv3, OpenSSL and other cipher suites may expose your transactions or APIs over web browsers, web servers or HTTPS to new threats. This webinar can help you learn HTTPS configuration best practices and tools to harden your HTTPS endpoints with right protocols and cipher suites.
Key Findings from The Global State of API Security Survey 2015 (whitepaper): Akana works with many clients worldwide who are concerned about API security issues. To help them and the broader industry gain a better understanding of the state of API security, we conducted a survey of 1,200 IT professionals on the subject in May, 2015. The respondents came from a range of industries and organization sizes. The survey reveals, perhaps not surprisingly, that API security is an identified risk for many IT departments and business managers.
Understanding OAuth (whitepaper): OAuth arose out of the process of improving the OpenID standard at the Internet Engineering Task Force (IETF) to solve the problem of secure access to multiple systems on behalf of a single client. This paper illustrates how OAuth works using simple use cases. It delves into the history of OAuth and contrasts it to OpenID, a comparable but different method commonly used for authentication. Then, this paper takes a look at a more complex enterprise use case and discusses how an API management solution can help facilitate the effective use of OAuth in the context of corporate computing.
Thoughts from Security Influencers:
API Security is Gaining Maturity, But Don’t Get Complacent (blog): Akana explains how digital businesses use API security tactics and what their plans are for the coming future. Sachin reviews our recent CXO security report and draws some insightful conclusionsn about securing transactions in both public and private clouds.
Mitigating the Top Five Common API Weaknesses (blog): Akana’s Ryan Bagnulo looks at the most common issues concerning API security, and explains how they can be addressed. From identity theft, to malicious code, and even issues with authentication/authorization, Ryan helps guide the reader through real-life issues and how to handle them to keep your business safe.
Top 10 Security Terms for API Developers (blog): My previous blog describes the main terms you need to know.
API Security Resource Guide (blog): My previous security resource guide with other security elements not described above.
The Science of APIs in a Mobile World – Security, Control, and Quality (recorded webinar): API providers need to monitor their APIs to make sure they are meeting their service level agreements, and protect against attacks. However, to get a full end-to-end understanding of the API consumer experience, an external monitor is needed to simulate how consumers are using and experiencing your APIs. This webinar examines the issues inherent in managing and monitoring APIs from both the provider and consumer sides, including getting on top of security, quality, and control.