
How to respond to rising API security threats

An API expert discusses the prevalence of API attacks and the need for vetting third-party developers.

APIs are an essential technology that unfortunately presents some design and security problems for developers. At the beginning of the year, Steve Willmott, CEO of API management platform 3scale, made 10 predictions about what would happen with APIs in 2015. We talked with him about some of his predictions.

In part two of this two-part Q&A, we talked with Willmott about API security, including attacks, malware and advice for API designers.

One issue with making your APIs public is security. Do you see attacks, particularly on APIs, increasing? How do you see that playing out in terms of API security?

Steve Willmott: This is one prediction that is almost true already. There have been a number of things that have happened already this year. There was a company called Moonpig in the UK, which was a printing company that had an API, and they accidentally exposed all of their user data via the API. That happened the first week of January. WhatsApp and SnapChat both recently made some significant changes to their APIs because of security threats.

I think that there will be more. I do not think it will make APIs go away, but it makes the level of caution required rise. There have not been that many attacks on APIs to date, but of course they are very attractive targets, because once you get in, you can potentially get a lot of information out of it much more easily than you would if you broke into a website.

We will definitely see, unfortunately, more attacks. But hopefully we'll see improvements in security over time as well. It is high risk, high reward in some sense, having this out there, but the reality is for mobile and pretty much any application, you need APIs. Rather than taking them away, it is just a question of figuring out how to protect them adequately. The technology out there needs to be applied. 

The breaches that have happened this year so far are mostly down to just not paying attention on the part of whoever is running the API. That is unfortunately what happens all over the Web, and it is going to happen for APIs as well. People are mainly not securing them in the way they should.

If you are giving your API to people to create applications with, does it also give them the opportunity to create malware?

Willmott: Potentially, it does. There are definitely things to think about. One use of an API is to allow third parties to write apps for your platform. Facebook allows that. You can be a Facebook developer and write apps that actually connect to the Facebook data stream, and so Facebook is giving you a certain amount of rights. If you are doing that with an API, the best practice -- which we recommend and support through our product -- is to only allow certified developers to do that. You would have people sign up and at least validate who they are. Have them run a test first so you can validate what they are doing, and only then give them permissions. If anything ever goes wrong, you can revoke the permissions of that app. 

Literally, you are, to some extent, lending your brand to some of these third-party developers, and some of them might be bad actors. You need to be able to switch them off if they do that, and also try to detect those folks upfront. Once something goes into the Android store or something, and it is an app that works with your platform, then a user in the field will assume that it is safe, so it is kind of important to have process around that.
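The vetting and revocation flow Willmott describes, as an added example (not 3scale's or Facebook's code): an app must pass identity verification and a sandbox test before it is certified and issued a key, and revocation is enforced on every request. The state names and scope strings are assumptions made for the example.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Constructed example: an app moves registered -> verified -> tested -> certified,
# gets a key only once certified, and can be revoked at any time.

class DeveloperApp:
    def __init__(self, name: str) -> None:
        self.name = name
        self.state = "registered"
        self.scopes: Set[str] = set()

class AppRegistry:
    def __init__(self) -> None:
        # Only a hash of each issued key is kept server-side.
        self.by_key_hash: Dict[str, DeveloperApp] = {}
        self.audit: List[Tuple[str, str]] = []     # (app name, event)

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()
    def _advance(self, app: DeveloperApp, expected: str, new: str) -> None:
        if app.state != expected:
            raise ValueError(f"{app.name}: cannot move from {app.state} to {new}")
        app.state = new
        self.audit.append((app.name, new))
    def verify_identity(self, app: DeveloperApp) -> None:
        self._advance(app, "registered", "verified")
    def record_sandbox_test(self, app: DeveloperApp, passed: bool) -> None:
        if passed:
            self._advance(app, "verified", "tested")

    def certify(self, app: DeveloperApp, scopes: Set[str]) -> str:
        self._advance(app, "tested", "certified")
        app.scopes = set(scopes)
        key = secrets.token_urlsafe(32)            # shown to the developer once
        self.by_key_hash[self._hash(key)] = app
        return key

    def revoke(self, app: DeveloperApp) -> None:
        app.state, app.scopes = "revoked", set()   # denies the very next request
        self.audit.append((app.name, "revoked"))

    def authorize(self, key: str, scope: str) -> bool:
        app: Optional[DeveloperApp] = self.by_key_hash.get(self._hash(key))
        ok = app is not None and app.state == "certified" and scope in app.scopes
        self.audit.append((app.name if app else "unknown", ("allow " if ok else "deny ") + scope))
        return ok
```

The audit list gives the operator the trail needed to spot an app misbehaving in the field and to confirm that a revocation took effect.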

What is your advice to API designers? Are there any tips you could give them, any 'dos or don'ts' about security?

Willmott: I think the No. 1 thing that we see that creates security attack factors is that people try to write their own authentication layers. If you have the OAuth button app, that is probably the most common security protocol that you would use to secure an API that is for Web or mobile consumption. It is unfortunately pretty complicated. It is very easy to make a mistake somewhere and implement it wrongly.

In addition, there are open source libraries out there. We also provide a service, but there are plenty of them out there. Reusing an open source library or something like that, rather than rolling your own, is the best way not to have a hole there, and that is probably the most common thing. Whichever protocol you are using, go look for open source libraries to start with, rather than rolling your own clients and servers from scratch. Just one error somewhere may expose the whole thing.
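To make the "one error somewhere" point concrete, here is an added example (not from the interview or from 3scale) that contrasts a hand-rolled bearer-token validator with one performing the checks a vetted OAuth/JWT library makes for you. The token format and the SECRET value are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example: a minimal HMAC-signed bearer token ("payload.signature").
# verify_hand_rolled shows two typical mistakes; verify_checked shows the
# checks a maintained library performs for you.

SECRET = b"constructed-demo-secret"    # assumption: the server's signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def issue_token(subject: str, ttl_seconds: int, now: int) -> str:
    payload = _b64(json.dumps({"sub": subject, "exp": now + ttl_seconds}).encode())
    return f"{payload}.{_sign(payload)}"

def verify_hand_rolled(token: str) -> Optional[dict]:
    # Mistake 1: plain == on the signature leaks timing information.
    # Mistake 2: no expiry check, so a token that ever leaked stays valid forever.
    payload, sig = token.split(".")
    if sig == _sign(payload):
        return json.loads(_unb64(payload))
    return None

def verify_checked(token: str, now: Optional[int] = None) -> Optional[dict]:
    # Strict structure, constant-time comparison, and rejection of
    # expired or malformed claims.
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(_unb64(payload))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims
```

The expiry and constant-time checks are exactly the details a library gets right by default and a one-off implementation tends to forget.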

Editor's Note: This Q&A was edited for grammar and style.


This was last published in February 2015

What are your API security concerns?

Application Programming Interface (API) systems help build infrastructures to cross platform capabilities, but with these enhanced platforms come increased risk of security breaches, susceptibility to malware and misuse by employees. In order to make the most of APIs, there need to be multi-tiered security protocols put in place, ensuring the safe operation of the system and the stored data. These multi-tiered authentication processes are critical for the API to be safe and effective.

My biggest concerns for APIs are testing them and securing them. There seem to be a lot of different ways to handle securing APIs, but not much about how to test for security, or how to build with the idea of preventing an attack.

APIs are great for sending and receiving data, but in that transactional approach there is the possibility that data provided for one use can be piped to another tool for a less savory purpose. I'd also be concerned about misuse inside of organizations, more so than external threats.

As the number of APIs used by developers and MASH-uP artists, as I call them, grows, it's only a matter of time until someone attempts to attack a server via the API it provides. Developers need to be forward thinking and mindful of security always.

When giving out an API to other people for them to create applications, choose only the certified developers who can validate themselves for easy monitoring.
Thanks for commenting, Veretax and Merry. You both bring up interesting points!
Thanks for sharing. The importance of security is crucial for APIs; I think not only in the area of authentication behaviors: things like "buffer overflow" in the server memory are possible, and it's even important to pay attention to the design to avoid problems like the N+1 querying of the database. I remember once in Ruby I had created an API and I used some personal "manual" functions to validate the controller params ( params_excepted.include?(:param) ). The problem here is that the include? function takes the :param and adds it to memory like a unique identifier (this makes memory usage grow fast), so you need to pay attention to this kind of thing all the time.

Regards.
