Friday, 04 December 2020 13:18

Achieving effective API security in a rapidly evolving world

By Andrew Latham, Ping Identity
 Andrew Latham, Asia Pacific Technical Director, Ping Identity Andrew Latham, Asia Pacific Technical Director, Ping Identity

GUEST OPINION by Andrew Latham, Asia Pacific Technical Director, Ping Identity: As the number of mobile and web apps being used by businesses and consumers continues to grow, ensuring they remain as secure as possible is a constant challenge.

Such client-side apps interact with centralised servers via an Application Programming Interface (API). In essence, APIs make it easy for a developer to create a client-side app without needing to change anything on the server.

However, because they’re often available over public networks, APIs are typically well documented or easily reverse-engineered. Also, because they are highly sensitive to denial of service (DDoS) type attacks, APIs are attractive targets for cybercriminals.

For this reason, ensuring effective API security is vital and must be a high priority for any organisation making use of them within their IT infrastructure.

APIs come in a variety of forms and sometimes the style of an API affects how security is applied to it. For example, before web APIs, the standard style in use was SOAP Web Services (WS). During the service-oriented architecture era from 2000 to 2010, XML was ubiquitous, and a rich set of formal security specifications were widely recognized for it. 

Meanwhile, the SOAP style of security is applied at the message level using digital signatures and encrypted parts within the XML message itself. Decoupled from the transport layer, it has the advantage of being portable between network protocols, however it has fallen out of favour and is mostly encountered only with legacy web services.

Representational state transfer (REST) became the more common API security style over the past decade. REST is often assumed by default when the term “web API” is used. A fundamental convention of the REST style of APIs is that resources are uniquely identified by HTTP URIs. This predictable aspect of REST APIs inspired a generation of access control methodologies in which rules are associated with the URI (resource) being accessed.

Yet another API style is GraphQL, an emerging open-source API standard project. GraphQL is popular with front-end developers because it puts them in control. They’re no longer restricted to a fixed set of API methods and URI patterns but instead get to customize their queries in whichever ways best suit their applications and context. Because of this added control—and additional benefits like non-breaking version upgrades and performance optimizations—GraphQL is on its way to becoming omnipresent among web APIs.

While GraphQL isn’t a substitute for REST, and both API styles will continue to co-exist, it’s an increasingly common choice. In fact, its popularity is threatening to disrupt a decade of web API access control infrastructure. This disruption centres on one major divergence from the popular REST pattern: GraphQL requests do not identify the data being accessed via the HTTP URI. Rather, GraphQL identifies the data requested using its own query language, typically embedded inside an HTTP POST body.

Layers of API Security

Because of the large number and diverse nature of APIs, maintaining effective security is challenging. There are a range of layers that need to be considered to ensure that protection levels are achieved and maintained at all times.

Firstly, it should be remembered that you can’t secure what you’re not aware of, and there are many obstacles that prevent security staff from having full visibility into all exposed APIs. There may be API silos in place which affect visibility by having partial lists of APIs under disconnected governance.

Another obstacle to API security is the rogue or shadow APIs. These happen when an API is developed as part of an application but the API itself is considered an implementation detail of the application and is only known by a close-knit group of developers. Shadow APIs are not on the radar of security operatives because they don’t have visibility into the implementation details.

A third challenge is that APIs go through their own lifecycle. Each evolves over time, with new versions emerging. An API may even be deprecated but still continue to operate for a temporary period for backward compatibility and then be forgotten or gradually fall off the radar because they receive very little traffic.

API discovery is a race between API providers and hackers who will easily exploit vulnerabilities when they are found. To discover your APIs before an attacker does, one option is to mine API traffic metadata. This data is extracted from API gateways, load balancers or directly inline of network traffic and then fed to a specialised engine which reports on an effective list of APIs. This can then be compared with catalogues of APIs that are available via an API management layer.

Being aware of these challenges is a vital part of achieving effective API security. Take the time today to discover and review all APIs being used within your organisation to ensure that vital applications and data stores remain safe at all times.


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments