Security Zeitgeist: Unprotected APIs are at high risk and should be protected by enforcing API security policies

API Security


Top Stories

Horizontally Scaling Apps that Are Using Websocket Protocol

With Cloud Foundry you can easily deploy and use apps utilizing the websocket protocol, but not everybody realizes that scaling them out is not that trivial. In his session at 21st Cloud Expo, Roman Swoszowski, CTO and VP, Cloud Foundry Services, at Grape Up, will show an example of how to deal with this issue. He will demonstrate a cloud-native Spring Boot app running in Cloud Foundry and communicating with clients over the websocket protocol that can be easily scaled horizontally and coordinate communication between multiple instances by using an additional message broker. Speaker Bio: Roman Swoszowski is CTO and VP, Cloud Foundry Services, at Grape Up. He is responsible for developing the overall technology vision of the company with a focus on Cloud Foundry and related cloud technologies. With over 10 year... (more)

API Security: OWASP 2017 RC1 Gets It Right | @CloudExpo #API #SOA #Microservices

API Security has finally entered our security zeitgeist. OWASP Top 10 2017 - RC1 recognized API Security as a first-class citizen by adding it as number 10, A10 (Underprotected APIs), on its list of web application vulnerabilities. We believe this is just the start. The attack surface offered by APIs is orders of magnitude larger than any other attack surface. Consider that APIs expose cloud services, internal databases, applications and even legacy mainframes over the internet. What could go wrong? Adding API Security to OWASP Top 10 2017 - RC1 is a commendable step taken by the web application security thought leaders and is a clear indication of where the industry is heading. Security professionals have all the tools and awareness to fence in applications, databases and legacy systems through firewalls. OWASP has served the security professionals well... (more)

Java Web Services Tutorial | @CloudExpo #DevOps #API #Java #Microservices

Java Web Services Tutorial: Improve App Communication and Flexibility, by Eugen Paraschiv. Web services have taken the development world by storm, especially in recent years as they've become more and more widely adopted. There are naturally many reasons for this, but first, let's understand what exactly a web service is. The World Wide Web Consortium (W3C) defines a "web of services" as "message-based design frequently found on the Web and in enterprise software". Basically, a web service is a method of sending a message between two devices through a network. In practical terms, this translates to an application which outputs communication in a standardized format for other client applications to receive and act on. Web services have been adopted so quickly because they bring several important advantages: Allow communication and interoperability between applications r... (more)

API Security - Four Quick Steps to Lockdown | @CloudExpo #API #Cloud #Security

API Security is complex. Vendors like Forum Systems, IBM, CA and Axway have invested almost two decades of engineering effort and significant capital in building API Security stacks to lock down APIs. The API Security stack diagram (not reproduced in this excerpt) is a building block for rapidly locking down APIs. The four fundamental pillars of API Security - SSL, Identity, Content Validation and deployment architecture - are discussed in detail below. Here are four fundamental steps that an enterprise can take to ensure that its APIs' attack surface is significantly reduced. To implement API Security: Enable SSL (in practice TLS; SSL itself is deprecated): One can rapidly protect API traffic by enabling SSL and changing http to https. This is a good first step in protecting the traffic from an API consumer to an API producer; however, the following items should be considered in tightening secure API communication: Check X... (more)
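The two mechanical pillars named in the excerpt, transport protection and content validation, as an added example in plain Python. This is not code from the article or from any of the named vendors' stacks. The TLS context shows what "changing http to https" has to include on the consumer side before the step means anything (certificate required, chain verified, hostname checked, old protocol versions refused); the validator shows the gateway-style checks on an inbound body. The field names, schema, size limit and sample request bodies are assumptions constructed for the demonstration.

```python
"""Added example (not from the original article or any vendor's API security stack):
transport protection and content validation as plain-Python checks.
Schema, field names, limits and sample bodies are assumptions for the demo."""
import json
import ssl
from urllib.parse import urlsplit

# --- Pillar 1: SSL/TLS ------------------------------------------------------

def tls_client_context() -> ssl.SSLContext:
    """Client-side context that actually verifies the API producer.

    Flipping http to https is only half the step: the client must also require
    a certificate, validate the chain against trusted CAs and check that the
    certificate name matches the host it is talking to. Otherwise any
    certificate, including an attacker's, is accepted and the https is cosmetic.
    """
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.check_hostname = True                     # certificate name must match URL host
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable chain -> handshake fails
    return ctx


def require_https(url: str) -> bool:
    """True only for https URLs with a host, so a misconfigured consumer
    cannot silently fall back to cleartext."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

# --- Pillar 3: content validation ------------------------------------------

# Assumed schema for a hypothetical 'create department' call: every field is
# required, typed and length-bounded, and unknown fields are rejected.
DEPARTMENT_SCHEMA = {
    "name": (str, 64),        # (expected type, max length or None)
    "cost_center": (int, None),
}
MAX_BODY_BYTES = 4096


def validate_department_request(raw_body: bytes) -> list:
    """Return a list of validation errors; an empty list means the body is acceptable.

    Checks are ordered so the cheapest rejection happens first (size, then JSON
    well-formedness, then shape), which is what a gateway does to avoid spending
    CPU on oversized or malformed payloads.
    """
    errors = []
    if len(raw_body) > MAX_BODY_BYTES:
        return [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        body = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return [f"body is not valid JSON: {exc.__class__.__name__}"]
    if not isinstance(body, dict):
        return ["top-level JSON value must be an object"]
    for key in body:
        if key not in DEPARTMENT_SCHEMA:
            errors.append(f"unexpected field: {key}")
    for key, (typ, max_len) in DEPARTMENT_SCHEMA.items():
        if key not in body:
            errors.append(f"missing field: {key}")
            continue
        value = body[key]
        # bool is a subclass of int in Python; treat it as the wrong type for ints
        if not isinstance(value, typ) or isinstance(value, bool):
            errors.append(f"field {key} must be {typ.__name__}")
        elif max_len is not None and len(value) > max_len:
            errors.append(f"field {key} longer than {max_len} characters")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(require_https("http://api.example.test/departments"))
    print(require_https("https://api.example.test/departments"))
    print(validate_department_request(b'{"name": "HR", "cost_center": 42}'))
    print(validate_department_request(b'{"name": "HR", "cost_center": "42", "x": 1}'))
```

The context returned by tls_client_context() is what you would pass to urllib or an http.client connection; the validator is deliberately allow-list based, so a new field in a request is rejected until someone adds it to the schema.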

API Security - SD Times Review of OWASP Top 10 - RC1

API Security has finally made it into mainstream security consciousness. The premier web application security list, the OWASP Top 10, has published its Release Candidate 1 (RC1). SD Times provided a comprehensive overview of the implications of including API Security as a part of OWASP Top 10 2017 - RC1. Here's an excerpt from the SD Times article: The next major addition is Underprotected APIs, since the use of APIs has exploded in modern software, said Williams. There are a variety of protocols and data formats used by these APIs, including SOAP/XML, REST/JSON, RPC, GWT, and others. It’s important to note that these APIs are often unprotected, and they contain numerous vulnerabilities, said Williams. He also added that these APIs represent a “major blind spot” for security programs in organizations, and OWASP is helping to refocus teams on this expanding problem. “To me,... (more)

API Security Lessons from Fisher-Price’s Smart Toy Bear Security Flaw By @RyanPinkham | @ThingsExpo #IoT

API Security Lessons from Fisher-Price's Smart Toy Bear Security Flaw, by Ryan Pinkham. Earlier this week it was reported that researchers at Boston-based security company Rapid7 identified several security flaws in an app connected to a new toy from Mattel's Fisher-Price brand. The news of the security vulnerability caught our attention for a few reasons: The name of the toy - Smart Toy Bear - is strangely close to the name of our company, SmartBear Software. More importantly, the story caught our attention because the vulnerability was a reminder of the importance of security in today's connected world. Luckily, the vulnerability identified by Rapid7 has since been fixed. But the security flaw - which could have allowed a hacker to steal a child's name, birthdate and gender, along with other data - is just the latest example of how ... (more)

API Security: Securing Digital Channels and Mobile Apps Against Hacks

More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the surface area for potential attack by hackers. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding of API security and how it differs from traditional web application security or mobile application security. In his session at 14th Cloud Expo, Sachin Agarwal, VP of Product Marketing and Strategy at SOA Software, will walk you through the various aspects of how an API could be potentially exploited. He will discuss the necessary best practices to secure your data and enterprise applications while continuing to support your business's digital initiatives. In thi... (more)

Andy Thurai on, “the API – You can’t Live Without It”

The unprecedented explosion of modern technologies combined with a burgeoning mobile space has forced enterprises to rethink previously held beliefs about the static enterprise perimeter. Remember the olden days when you said your enterprise was completely self-contained in one data center, with your apps inside the firewall, and everyone was nearly as confident about it as being as secure as Ft. Knox? With an explosion in mobile computing, demand for cheap or “free” usage of resources, and a sharp reduction in cost with the cloud delivery model, it is expected (or rather demanded) that every enterprise expose their APIs not only from their enterprise but from a cloud based model. (NOTE: "cloud" here refers loosely to any delivery model, be it public, private, community or hybrid.) Couple this inexorable progression for having a cloud based m... (more)

Protecting API Access with BIG-IP using OAuth

As more organizations use APIs in their systems, they’ve become targets for the not-so-good-doers, so API Security is something you need to take seriously. Most APIs today use the HTTP protocol, so organizations should protect them as they would ordinary web properties. Starting in v13, BIG-IP APM is able to act as an OAuth Client, OAuth Resource Server and OAuth Authorization Server. In this example, we will show how to use BIG-IP APM to act as an OAuth Resource Server protecting the API. In our environment, we’ve published an API (api.f5se.com) and we’re trying to get a list of departments in the HR database. The API is not natively protected and we want APM to enable OAuth protection for this API. First, let’s try an unauthenticated request. You can see we get the 401 Unauthorized response, which is coming from the BIG-IP. In this instance we’re only sending 3 header... (more)
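The decision APM is making in front of the API in the excerpt, written out as an added example in plain Python. It is not the F5 article's configuration and not BIG-IP code; it shows what an OAuth 2.0 resource server has to do with a bearer token before letting a request reach the API, and why the unauthenticated request in the excerpt gets a 401. The HS256 shared key, issuer, audience, scope names and the sample tokens are assumptions constructed for the demonstration; the challenge headers follow the bearer-token format of RFC 6750.

```python
"""Added example, not the F5 article's configuration or BIG-IP code:
an OAuth 2.0 resource-server gate for an HS256 bearer token.
Key, issuer, audience, scope names and sample tokens are assumptions for the demo."""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"demo-only-shared-secret"   # assumption: HMAC key shared with the authorization server
ISSUER = "https://as.example.test"        # assumed authorization server
AUDIENCE = "api.example.test"             # assumed identity of the protected API
REALM = "api"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Constructed HS256 JWT standing in for what the authorization server would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: float) -> dict:
    """Return the claims of a valid token or raise ValueError with the reason.

    The algorithm is pinned (no 'none', no trusting whatever 'alg' the header
    names), the signature is checked in constant time before any claim is
    trusted, and only then are issuer, audience and expiry examined.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:          # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(SHARED_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise ValueError("malformed token")
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        raise ValueError("token expired")
    return claims


def authorize(headers: dict, required_scope: str, now=None) -> tuple:
    """Resource-server gate: returns (status, response_headers, claims_or_None).

    RFC 6750 behaviour: no bearer credentials -> 401 with a bare challenge
    (the excerpt's first, unauthenticated request); bad or expired token ->
    401 invalid_token; valid token lacking the scope -> 403 insufficient_scope.
    The protected API is only reached when this returns 200.
    """
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}, None
    try:
        claims = verify_token(token.strip(), now)
    except ValueError as exc:
        return 401, {"WWW-Authenticate":
                     f'Bearer realm="{REALM}", error="invalid_token", error_description="{exc}"'}, None
    scopes = claims.get("scope")
    granted = scopes.split() if isinstance(scopes, str) else []
    if required_scope not in granted:
        return 403, {"WWW-Authenticate":
                     f'Bearer realm="{REALM}", error="insufficient_scope", scope="{required_scope}"'}, None
    return 200, {}, claims


if __name__ == "__main__":
    # Constructed requests, not captured traffic from the excerpt's environment.
    now = time.time()
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 600, "scope": "hr:read"})
    print(authorize({}, "hr:read", now))                                  # 401, bare challenge
    print(authorize({"Authorization": "Bearer " + token}, "hr:read", now))  # 200
    print(authorize({"Authorization": "Bearer " + token}, "hr:write", now))  # 403
```

The gate sits in front of the API exactly where APM sits in the excerpt: the backend never sees a request unless the token was signed by the expected issuer, addressed to this API, unexpired and carrying the scope the route needs.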

CA Technologies Completes Layer 7 Acquisition

CA Technologies (NASDAQ: CA) today announced it has completed the acquisition of privately-held Layer 7 Technologies, a leading provider of Application Programming Interface (API) security and management. The acquisition of Layer 7 will enable CA Technologies to provide leading security and management technology to the API marketplace that complements its Identity and Access Management suite, including CA SiteMinder®, as well as solutions focused on DevOps including the CA LISA® suite. The combination of CA Technologies and Layer 7 solutions will help customers better secure and manage APIs and confidently and quickly deliver the cloud, mobile and composite applications that run today’s business services. “Just as the Web created business opportunities by redefining how companies interact with consumers and employees, APIs are driving new opportunities by accelerati... (more)

API Security - protecting yourself from being the next breach - Boston API Craft Meetup

Over on ProgrammableWeb, Jennifer Wiggins has written a great round-up of discussion about the Buffer API security breach. Although it happened back in 2013, it continues to be a widely-cited API security issue. As Jennifer mentions, one of the recommendations is to use standards, such as OAuth. Ironically, the implementations of those standards themselves have to be secure. Another good practice is to take advantage of two essential approaches: (a) API Security Testing to proactively probe for vulnerabilities, and (b) an API Gateway to provide protection. API Security testing is an emerging category, and it's one which I'd argue is distinct from its cousin, Web Application Security. API Security testing has been a big interest of mine for a long time - I recall presenting about REST security at OWASP back in (yikes) 2005. Fast forward to today, and Smartbear is a ven... (more)