Security Zeitgeist: Unprotected APIs are at high risk and should be protected by enforcing API security policies

API Security



Top Stories

Bracing for the Next Big Cloud Revolution: Finding Value in "Up Stack" Cloud The cloud revolution in enterprises has very clearly crossed the phase of proof-of-concepts into truly mainstream adoption. One of the most popular enterprise-wide initiatives currently under way is some kind of "cloud migration" program. The business value of these programs is not hard to fathom - it includes hyperelasticity in infrastructure consumption, subscription-based models, and the agility that comes from rapid deployment of applications. These factors will continue to drive cloud adoption into the foreseeable future. Beneath the surface, there is a far-reaching trend playing out with the potential to create an impact far greater than cloud migration programs. For want of better terminology, let's call this the "up stack" cloud revolution. These are essentially "c... (more)

[slides] Security in a Cloud-First World Is Cloudy | @CloudExpo #API #Cloud #Security

Download Slide Deck: ▸ Here Security in a Cloud-First World Is Cloudy Enterprises are moving to the cloud faster than most of us in security expected. CIOs are going from 0 to 100 in cloud adoption and leaving security teams in the dust. Once cloud is part of an enterprise stack, it's unclear who has responsibility for the protection of applications, services, and data. When cloud breaches occur, whether active compromise or a publicly accessible database, the blame must fall on both service providers and users. In his session at 21st Cloud Expo, Ben Johnson, Co-Founder and CTO of Obsidian Security, explored how both groups must do more to make cloud more secure, from leveraging AI to improving APIs, to incorporating cloud into current security programs. Speaker Bio Ben Johnson,... (more)

API Security - Four Quick Steps to Lockdown | @CloudExpo #API #IoT #DX

API Security is complex. Vendors like Forum Systems, IBM, CA and Axway have invested almost two decades of engineering effort and significant capital in building API Security stacks to lock down APIs. The API Security stack diagram shown below is a building block for rapidly locking down APIs. The four fundamental pillars of API Security - SSL, Identity, Content Validation and deployment architecture - are discussed in detail below. Here are four fundamental steps that an enterprise can take to significantly reduce its APIs' attack surface. To implement API Security: Enable SSL: One can rapidly protect API traffic by enabling SSL and changing http to https. This is a good first step in protecting the traffic from an API consumer to an API producer; however, the following items should be considered in tightening secure API communication: Check X... (more)
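The four pillars in the teaser above (transport, identity, content validation, deployment architecture) describe what an API gateway policy enforces on every call. As an added example, not code from the article or from any of the vendor products it names, the Python below applies the first three pillars to a single request in cheapest-first order: refuse plaintext, verify the caller's identity before touching the body, then validate the body's size, media type, syntax and shape. The HMAC-signed bearer token, the shared secret, the two-field schema and the dictionary request shape are all assumptions made for the example; a real gateway would verify OAuth/JWT tokens against an issuer and load the schema from its policy store.

```python
import hashlib
import hmac
import json

# Hypothetical gateway settings, constructed for this example.
MAX_BODY_BYTES = 4096
SHARED_SECRET = b"demo-secret-not-for-production"
SCHEMA = {"account_id": str, "amount": int}  # required fields and their types


class PolicyViolation(Exception):
    """Raised when a request fails one of the API security policy checks."""


def make_token(subject: str) -> str:
    """Issue a demo bearer token: '<subject>.<hex HMAC-SHA256 over subject>'.
    Stand-in for an OAuth/JWT issuer; only the verification pattern matters here."""
    mac = hmac.new(SHARED_SECRET, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{mac}"


def verify_token(token: str) -> str:
    """Return the subject if the token's MAC verifies, else raise."""
    subject, sep, mac = token.rpartition(".")
    if not sep or not subject:
        raise PolicyViolation("malformed token")
    expected = hmac.new(SHARED_SECRET, subject.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        raise PolicyViolation("bad token signature")
    return subject


def check_transport(req: dict) -> None:
    # Pillar 1: never serve the API over plaintext; redirect or refuse at the edge.
    if req.get("scheme") != "https":
        raise PolicyViolation("API is only served over TLS")


def check_identity(req: dict) -> str:
    # Pillar 2: a verifiable identity is required before the body is even parsed.
    auth = req.get("headers", {}).get("authorization", "")
    if not auth.startswith("Bearer "):
        raise PolicyViolation("missing bearer token")
    return verify_token(auth[len("Bearer "):])


def check_content(req: dict) -> dict:
    # Pillar 3: size limit, media type, well-formed JSON, then shape.
    # Violations are rejected outright, not logged and passed on to the backend.
    body = req.get("body", b"")
    if len(body) > MAX_BODY_BYTES:
        raise PolicyViolation("body exceeds size limit")
    ctype = req.get("headers", {}).get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        raise PolicyViolation("unexpected content type")
    try:
        doc = json.loads(body)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError
        raise PolicyViolation(f"malformed JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise PolicyViolation("top-level JSON must be an object")
    unknown = set(doc) - set(SCHEMA)
    if unknown:  # allow-list the fields: unknown keys are a classic mass-assignment vector
        raise PolicyViolation(f"unexpected fields: {sorted(unknown)}")
    for field, ftype in SCHEMA.items():
        if field not in doc:
            raise PolicyViolation(f"missing field: {field}")
        value = doc[field]
        # bool is a subclass of int in Python, so an int field must reject true/false explicitly
        if (isinstance(value, bool) and ftype is int) or not isinstance(value, ftype):
            raise PolicyViolation(f"field {field} must be {ftype.__name__}")
    return doc


def enforce_policy(req: dict) -> dict:
    """Run the checks transport -> identity -> content; return subject and validated body."""
    check_transport(req)
    subject = check_identity(req)
    doc = check_content(req)
    return {"subject": subject, "body": doc}


def policy_verdict(req: dict) -> str:
    """Return 'allow' or 'deny: <reason>', the form a gateway would log."""
    try:
        enforce_policy(req)
        return "allow"
    except PolicyViolation as exc:
        return f"deny: {exc}"


def build_request(scheme="https", token=None, ctype="application/json",
                  body=b'{"account_id": "acct-1", "amount": 250}') -> dict:
    """Build a constructed request (not real traffic) in the shape the checks expect."""
    headers = {"content-type": ctype}
    if token is not None:
        headers["authorization"] = "Bearer " + token
    return {"scheme": scheme, "headers": headers, "body": body}


if __name__ == "__main__":
    print(policy_verdict(build_request(token=make_token("client-42"))))
    print(policy_verdict(build_request(scheme="http", token=make_token("client-42"))))
    print(policy_verdict(build_request(token="client-42.deadbeef")))
    print(policy_verdict(build_request(token=make_token("client-42"),
                                       body=b'{"account_id": "acct-1", "amount": true}')))
```

The ordering matters: the cheap transport and identity checks run before any parsing, so an unauthenticated client cannot make the gateway spend CPU on a large or malicious body. The fourth pillar, deployment architecture (where the gateway sits relative to the backend and the DMZ), is a topology decision rather than code and is not shown.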

[session] Using Websocket Protocol | @CloudExpo @GrapeUpInc #DX #CloudNative #CloudFoundry

Horizontally Scaling Apps that Are Using Websocket Protocol With Cloud Foundry you can easily deploy and use apps utilizing websocket technology, but not everybody realizes that scaling them out is not that trivial. In his session at 21st Cloud Expo, Roman Swoszowski, CTO and VP, Cloud Foundry Services, at Grape Up, will show you an example of how to deal with this issue. He will demonstrate a cloud-native Spring Boot app running in Cloud Foundry and communicating with clients over websocket protocol that can be easily scaled horizontally and coordinate communication between multiple instances by using an additional message broker. Speaker Bio Roman Swoszowski is CTO and VP, Cloud Foundry Services, at Grape Up. He is responsible for developing the overall technology vision of the company with a focus on Cloud Foundry and related cloud technologies. With over 10 year... (more)

[session] Security in a Cloud-First World Is Cloudy | @CloudExpo #API #Cloud #Security

Security in a Cloud-First World Is Cloudy Enterprises are moving to the cloud faster than most of us in security expected. CIOs are going from 0 to 100 in cloud adoption and leaving security teams in the dust. Once cloud is part of an enterprise stack, it's unclear who has responsibility for the protection of applications, services, and data. When cloud breaches occur, whether active compromise or a publicly accessible database, the blame must fall on both service providers and users. In his session at 21st Cloud Expo, Ben Johnson, Co-Founder and CTO of Obsidian Security, will explore how both groups must do more to make cloud more secure, from leveraging AI to improving APIs, to incorporating cloud into current security programs. Speaker Bio Ben Johnson, Co-Founder and CTO of Obsidian Security, is a prominent voice in cybersecurity, having co-founded and been CTO ... (more)

Developer Experience: The Key to a Successful API | @CloudExpo #API #Cloud #Analytics

Developer Experience: The Key to a Successful API By Caroline Ambros User experience is the key to adoption. If no one understands how to use your product, they won't buy it. This is equally true in the world of APIs. Developers are more likely to adopt and stick with a platform or service that they enjoy using. The key to the success of your API, then, is the Developer Experience. But what is Developer Experience? Much like for products that target traditional consumers, the usability of your API is key. Thus, the Developer Experience is the aggregate of all experiences a developer has while interacting with your platform. At the intersection of business, technology and UX, your platform's Developer Experience could make or break your organization's growth in today's incredibly competitive technological landscape. "Good" Developer Experience is all about understandi... (more)

API Security: OWASP 2017 RC1 Gets It Right | @CloudExpo #API #SOA #Microservices

API Security has finally entered our security zeitgeist. OWASP Top 10 2017 - RC1 recognized API Security as a first-class citizen by adding it as number 10, or A10, on its list of web application vulnerabilities. We believe this is just the start. The attack surface area offered by APIs is orders of magnitude larger than any other attack surface area. Consider the fact that APIs expose cloud services, internal databases, applications and even legacy mainframes over the internet. What could go wrong? API Security has been added to OWASP Top 10 2017 - RC1. This is a commendable step taken by the web application security thought leaders and is a clear indication of where the industry is heading. Security professionals have all the tools and awareness to fence in applications, databases and legacy systems through firewalls. OWASP has served security professionals well... (more)

API Security: Securing Digital Channels and Mobile Apps Against Hacks

More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the surface area for potential attack by hackers. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding of API security and how it differs from traditional web application security or mobile application security. In his session at 14th Cloud Expo, Sachin Agarwal, VP of Product Marketing and Strategy at SOA Software, will walk you through the various aspects of how an API could potentially be exploited. He will discuss the best practices necessary to secure your data and enterprise applications while continuing to support your business's digital initiatives. In thi... (more)

Java Web Services Tutorial | @CloudExpo #DevOps #API #Java #Microservices

Java Web Services Tutorial: Improve App Communication and Flexibility By Eugen Paraschiv Web services have taken the development world by storm, especially in recent years as they've become more and more widely adopted. There are naturally many reasons for this, but first, let's understand what exactly a web service is. The World Wide Web Consortium (W3C) defines "web of services" as "message-based design frequently found on the Web and in enterprise software". Basically, a web service is a method of sending a message between two devices through a network. In practical terms, this translates to an application which outputs communication in a standardized format for other client applications to receive and act on. Web services have been adopted so quickly because they bring several important advantages: Allow communication and interoperability between applications r... (more)

API Security Lessons from Fisher-Price’s Smart Toy Bear Security Flaw By @RyanPinkham | @ThingsExpo #IoT

API Security Lessons from Fisher-Price's Smart Toy Bear Security Flaw By Ryan Pinkham Earlier this week it was reported that researchers at Boston-based security company Rapid7 identified several security flaws in an app connected to a new toy from Mattel's Fisher-Price brand. The news of the security vulnerability caught our attention for a few reasons: The name of the toy - Smart Toy Bear - is strangely close to the name of our company, SmartBear Software. More importantly, the story caught our attention because the vulnerability was a reminder of how important security is in today's connected world. Luckily, the vulnerability identified by Rapid7 has since been fixed. But the security flaw - which could have allowed a hacker to steal a child's name, birthdate and gender, along with other data - is just the latest example of how ... (more)

Andy Thurai on, “the API – You can’t Live Without It”

The unprecedented explosion of modern technologies combined with a burgeoning mobile space has forced enterprises to rethink previously held beliefs about the static enterprise perimeter. Remember the olden days when your enterprise was completely self-contained in one data center, with your apps inside the firewall, and everyone was nearly as confident that it was as secure as Ft. Knox? With an explosion in mobile computing, demand for cheap or “free” usage of resources, and a sharp reduction in cost with the cloud delivery model, it is expected (or rather demanded) that every enterprise expose its APIs not only from its own data center but also from a cloud-based model. (NOTE: The cloud is referred to in a loosely defined delivery model, be it public, private, community or hybrid.) Couple this inexorable progression for having a cloud based m... (more)