Security Zeitgeist: Unprotected APIs are at high-risk and should be protected by enforcing API Security Policies

API Security



Top Stories

Java Web Services Tutorial: Improve App Communication and Flexibility By Eugen Paraschiv Web services have taken the development world by storm, especially in recent years as they've become more and more widely adopted. There are naturally many reasons for this, but first, let's understand what exactly a web service is. The World Wide Web Consortium (W3C) defines "web of services" as "message-based design frequently found on the Web and in enterprise software". Basically, a web service is a method of sending a message between two devices through a network. In practical terms, this translates to an application which outputs communication in a standardized format for other client applications to receive and act on. Web services have been adopted so quickly because they bring several important advantages: Allow communication and interoperability between applications r... (more)

[session] Security in a Cloud-First World Is Cloudy | @CloudExpo #API #Cloud #Security

Security in a Cloud-First World Is Cloudy Enterprises are moving to the cloud faster than most of us in security expected. CIOs are going from 0 to 100 in cloud adoption and leaving security teams in the dust. Once cloud is part of an enterprise stack, it's unclear who has responsibility for the protection of applications, services, and data. When cloud breaches occur, whether active compromise or a publicly accessible database, the blame must fall on both service providers and users. In his session at 21st Cloud Expo, Ben Johnson, Co-Founder and CTO of Obsidian Security, will explore how both groups must do more to make cloud more secure, from leveraging AI to improving APIs, to incorporating cloud into current security programs. Speaker Bio Ben Johnson, Co-Founder and CTO of Obsidian Security, is a prominent voice in cybersecurity, having co-founded and been CTO ... (more)

API Security: OWASP 2017 RC1 Gets It Right | @CloudExpo #API #SOA #Microservices

API Security has finally entered our security zeitgeist. OWASP Top 10 2017 - RC1 recognized API Security as a first class citizen by adding it as number 10, or A-10 on its list of web application vulnerabilities. We believe this is just the start. The attack surface area offered by APIs is orders of magnitude larger than any other attack surface area. Consider the fact that APIs expose cloud services, internal databases, applications and even legacy mainframes over the internet. What could go wrong? API Security has been added to OWASP Top 10 2017 - RC1. This is a commendable step taken by the web application security thought leaders and is a clear indication of where the industry is heading. Security professionals have all the tools and awareness to fence in applications, databases and legacy systems through firewalls. OWASP has served the security professionals well... (more)

API Security - Four Quick Steps to Lockdown | @CloudExpo #API #IoT #DX

API Security is complex. Vendors like Forum Systems, IBM, CA and Axway have invested almost two decades of engineering effort and significant capital in building API Security stacks to lock down APIs. The API Security stack diagram shown below is a building block for rapidly locking down APIs. The four fundamental pillars of API Security - SSL, Identity, Content Validation and deployment architecture - are discussed in detail below. Here are four fundamental steps that an enterprise can take to ensure that their APIs' attack surface area is significantly reduced. To implement API Security: Enable SSL: One can rapidly protect API traffic by enabling SSL and changing http to https. This is a good first step in protecting the traffic from an API consumer to an API producer; however, the following items should be considered in tightening secure API communication: Check X... (more)

[session] Using Websocket Protocol | @CloudExpo @GrapeUpInc #DX #CloudNative #CloudFoundry

Horizontally Scaling Apps that Are Using Websocket Protocol With Cloud Foundry you can easily deploy and use apps utilizing websocket technology, but not everybody realizes that scaling them out is not that trivial. In his session at 21st Cloud Expo, Roman Swoszowski, CTO and VP, Cloud Foundry Services, at Grape Up, will show you an example of how to deal with this issue. He will demonstrate a cloud-native Spring Boot app running in Cloud Foundry and communicating with clients over websocket protocol that can be easily scaled horizontally and coordinate communication between multiple instances by using an additional message broker. Speaker Bio Roman Swoszowski is CTO and VP, Cloud Foundry Services, at Grape Up. He is responsible for developing the overall technology vision of the company with a focus on Cloud Foundry and related cloud technologies. With over 10 year... (more)

Developer Experience: The Key to a Successful API | @CloudExpo #API #Cloud #Analytics

Developer Experience: The Key to a Successful API By Caroline Ambros User experience is the key to adoption. If no one understands how to use your product, they won't buy it. This is equally true in the world of APIs. Developers are more likely to adopt and stick with a platform or service that they enjoy using. The key to the success of your API, then, is the Developer Experience. But what is Developer Experience? Much like for products that target traditional consumers, the usability of your API is key. Thus, the Developer Experience is the aggregate of all experiences a developer has while interacting with your platform. At the intersection of business, technology and UX, your platform's Developer Experience could make or break your organization's growth in today's incredibly competitive technological landscape. "Good" Developer Experience is all about understandi... (more)

API Security: Securing Digital Channels and Mobile Apps Against Hacks

More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the surface area for potential attack by hackers. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding about API security and how it differs from traditional web application security or mobile application security. In his session at 14th Cloud Expo, Sachin Agarwal, VP of Product Marketing and Strategy at SOA Software, will walk you through the various aspects of how an API could be potentially exploited. He will discuss the necessary best practices to secure your data and enterprise applications while continuing to support your business's digital initiatives. In thi... (more)

API Security Lessons from Fisher-Price’s Smart Toy Bear Security Flaw By @RyanPinkham | @ThingsExpo #IoT

API Security Lessons from Fisher-Price's Smart Toy Bear Security Flaw By Ryan Pinkham Earlier this week it was reported that researchers at Boston-based security company, Rapid7, identified several security flaws in an app connected to a new toy from Mattel's Fisher-Price brand. The news of the security vulnerability caught our attention for a few reasons: The name of the toy - Smart Toy Bear - is strangely close to the name of our company SmartBear Software. More importantly, the story caught our attention because the security vulnerability brought up an important reminder about the important issue of security in today's connected world. Luckily, the vulnerability identified by Rapid7 has since been fixed. But the security flaw - which could have allowed a hacker to steal a child's name, birthdate and gender, along with other data - is just the latest example of how ... (more)

Andy Thurai on, “the API – You can’t Live Without It”

The unprecedented explosion of modern technologies combined with a burgeoning mobile space has forced enterprises to rethink previously held beliefs about the static enterprise perimeter. Remember the olden days when you said your enterprise was completely self-contained in one data center, with your apps inside the firewall and with everyone nearly as confident about it as being as secure as Ft. Knox? With an explosion in mobile computing, demand for cheap or “free” usage of resources, and a sharp reduction in cost with the cloud delivery model, it is expected (or rather demanded) that every enterprise expose their APIs not only from their enterprise but from a cloud based model. (NOTE: The cloud is referred to in a loosely defined delivery model, be it public, private, community or hybrid variety). Couple this inexorable progression for having a cloud based m... (more)

Protecting API Access with BIG-IP using OAuth

As more organizations use APIs in their systems, they’ve become targets for the not-so-good-doers so API Security is something you need to take seriously. Most APIs today use the HTTP protocol so organizations should protect them as they would ordinary web properties. Starting in v13, BIG-IP APM is able to act as an OAuth Client, OAuth Resource Server and OAuth Authorization Server. In this example, we will show how to use BIG-IP APM to act as an OAuth Resource Server protecting the API. In our environment, we’ve published an API (api.f5se.com) and we’re trying to get a list of departments in the HR database. The API is not natively protected and we want APM to enable OAuth protection to this API. First, let’s try an unauthenticated request. You can see we get the 401 Unauthorized response which is coming from the BIG-IP. In this instance we’re only sending 3 header... (more)

CA Technologies Completes Layer 7 Acquisition

CA Technologies (NASDAQ: CA) today announced it has completed the acquisition of privately-held Layer 7 Technologies, a leading provider of Application Programming Interface (API) security and management. The acquisition of Layer 7 will enable CA Technologies to provide leading security and management technology to the API marketplace that complements its Identity and Access Management suite, including CA SiteMinder®, as well as solutions focused on DevOps including the CA LISA® suite. The combination of CA Technologies and Layer 7 solutions will help customers better secure and manage APIs and deliver confidently and quickly the cloud, mobile and composite applications that run today’s business services. “Just as the Web created business opportunities by redefining how companies interact with consumers and employees, APIs are driving new opportunities by accelerati... (more)