|By Jackie Kahle||
|April 5, 2014 11:45 AM EDT||
APIs - application programming interfaces -- are an old technology that has become today's hottest method for getting critical data to mobile apps. APIs are good for business. APIs drove $2 billion in business for Expedia by securely exposing valuable content to its affiliate network.
But there are hidden dangers to using APIs. APIs share many of the same threats that plague the web, but APIs have unique risk profile that must be managed. It is a mistake to think we can secure APIs the same way we secure the web.
But there are some really simple things that anyone implementing an API can do, right now, that will minimize the risk of APIs. Here's one I've pulled from a new eBooklet by Scott Morrison of CA Technologies called Five Simple Strategies for Securing Your APIs. The tip? Turn on SSL for your API and keep it on.
Most of us surf the web every day with no SSL (Secure Sockets Layer), and the only time we use it is when we're on Amazon.com and we're buying a book and need to put in our credit card number. We turn it on to buy the book, and then we turn it off because, in the early days of the web and even up until five years ago, SSL was very costly to run. Web sites were getting hammered by traffic, and using SSL slowed things down even more. There was a whole industry that sold SSL accelerator boards for web servers.
This created a culture of only turning SSL on when we really need it. Even though SSL provides strong security if it's applied correctly, we've gotten used to leaving ourselves open and vulnerable because it once hurt our performance to use it all the time.
People are now bringing that same mentality from the web over to APIs. They might have two APIs, one for buying books and the other for looking up shipping costs. Because the buy book API deals with important information, like credit cards, it gets wrapped in SSL. But the other API gets left in the clear. According to Morrison, this is a bad idea, and he thinks everyone should be using SSL all the time for all APIs, full stop.
Google, for example, has shown us that you can connect to their servers with or without SSL with no penalty in performance. The modern CPU is pretty good at doing the kind of floating point math required to do SSL efficiently. And, perhaps more importantly, the cloud has made CPU resources really cheap. It takes next to nothing to provision a few extra servers to handle any extra workload caused by SSL.
The security gains of turning SSL on for all transactions happening on your API far outweigh the minor performance loss. Not using SSL is an example, says Morrison, of the web mentality coming into the API world and being misapplied. APIs are much more vulnerable to attack than web sites. Not using SSL might once have made sense in the web world, but it certainly doesn't make sense in the API world in 2014. Morrison says we should be applying SSL to every API transaction, full stop.
This covers only one of the five simple tips Morrison shares in his eBooklet, Five Simple Strategies for Securing Your APIs. I think you might find the rest of his suggestions equally insightful and actionable.
Jul. 7, 2015 10:30 PM EDT Reads: 2,478
Jul. 7, 2015 10:15 PM EDT Reads: 1,162
Jul. 7, 2015 09:30 PM EDT Reads: 1,152
Jul. 7, 2015 08:00 PM EDT Reads: 920
Jul. 7, 2015 07:00 PM EDT Reads: 2,626
Jul. 7, 2015 07:00 PM EDT Reads: 2,662
Jul. 7, 2015 05:45 PM EDT Reads: 2,509
Jul. 7, 2015 05:00 PM EDT Reads: 2,316
Jul. 7, 2015 05:00 PM EDT Reads: 2,501
Jul. 7, 2015 05:00 PM EDT Reads: 2,283
Jul. 7, 2015 04:45 PM EDT Reads: 1,746
Jul. 7, 2015 04:15 PM EDT Reads: 828
Jul. 7, 2015 04:00 PM EDT Reads: 1,983
Jul. 7, 2015 03:45 PM EDT Reads: 1,456
One of the hottest areas in cloud right now is DRaaS and related offerings. In his session at 16th Cloud Expo, Dale Levesque, Disaster Recovery Product Manager with Windstream's Cloud and Data Center Marketing team, will discuss the benefits of the cloud model, which far outweigh the traditional approach, and how enterprises need to ensure that their needs are properly being met.
Jul. 7, 2015 03:45 PM EDT Reads: 2,425