Welcome!

Related Topics: Microservices Expo, Java IoT, Linux Containers, @CloudExpo

Microservices Expo: Article

One Simple Step Can Make Your APIs More Secure

APIs have unique risk profile that must be managed

APIs - application programming interfaces -- are an old technology that has become today's hottest method for getting critical data to mobile apps. APIs are good for business. APIs drove $2 billion in business for Expedia by securely exposing valuable content to its affiliate network.

But there are hidden dangers to using APIs. APIs share many of the same threats that plague the web, but APIs have unique risk profile that must be managed. It is a mistake to think we can secure APIs the same way we secure the web.

But there are some really simple things that anyone implementing an API can do, right now, that will minimize the risk of APIs. Here's one I've pulled from a new eBooklet by Scott Morrison of CA Technologies called Five Simple Strategies for Securing Your APIs. The tip? Turn on SSL for your API and keep it on.

Most of us surf the web every day with no SSL (Secure Sockets Layer), and the only time we use it is when we're on Amazon.com and we're buying a book and need to put in our credit card number. We turn it on to buy the book, and then we turn it off because, in the early days of the web and even up until five years ago, SSL was very costly to run. Web sites were getting hammered by traffic, and using SSL slowed things down even more. There was a whole industry that sold SSL accelerator boards for web servers.

This created a culture of only turning SSL on when we really need it. Even though SSL provides strong security if it's applied correctly, we've gotten used to leaving ourselves open and vulnerable because it once hurt our performance to use it all the time.

People are now bringing that same mentality from the web over to APIs. They might have two APIs, one for buying books and the other for looking up shipping costs. Because the buy book API deals with important information, like credit cards, it gets wrapped in SSL. But the other API gets left in the clear. According to Morrison, this is a bad idea, and he thinks everyone should be using SSL all the time for all APIs, full stop.

Google, for example, has shown us that you can connect to their servers with or without SSL with no penalty in performance. The modern CPU is pretty good at doing the kind of floating point math required to do SSL efficiently. And, perhaps more importantly, the cloud has made CPU resources really cheap. It takes next to nothing to provision a few extra servers to handle any extra workload caused by SSL.

The security gains of turning SSL on for all transactions happening on your API far outweigh the minor performance loss. Not using SSL is an example, says Morrison, of the web mentality coming into the API world and being misapplied. APIs are much more vulnerable to attack than web sites. Not using SSL might once have made sense in the web world, but it certainly doesn't make sense in the API world in 2014. Morrison says we should be applying SSL to every API transaction, full stop.

This covers only one of the five simple tips Morrison shares in his eBooklet, Five Simple Strategies for Securing Your APIs. I think you might find the rest of his suggestions equally insightful and actionable.

More Stories By Jackie Kahle

Jackie is a 30-year veteran of the IT industry and has held senior management positions in marketing, business development, and strategic planning for major systems, software, and services companies including Hewlett-Packard, Compaq, and Gartner. She currently manages the strategy and execution of CA Technologies thought leadership programs. Jackie has an MBA from the Whittemore School, University of New Hampshire, a BA in Mathematics from New York University and is the Vice-Chair of the N.H. State Council on the Arts.

Latest Stories
SYS-CON Events announced today that Progress, a global leader in application development, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Enterprises today are rapidly adopting the cloud, while continuing to retain business-critical/sensitive data inside the firewall. This is creating two separate data silos – one inside the firewall and the other outside the firewall. Cloud ISVs ofte...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
SYS-CON Events announced today that Systena America will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT serv...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in compute, storage and networking technologies, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology, is a premier provider of advanced server Building Block Solutions® for Data Center, Cloud Computing, Enterprise IT, Hadoop/...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
SYS-CON Events announced today that Twistlock, the leading provider of cloud container security solutions, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Twistlock is the industry's first enterprise security suite for container security. Twistlock's technology addresses risks on the host and within the application of the container, enabling enterprises to consistently enforce security policies, monitor...
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus intern...
While some vendors scramble to create and sell you a fancy solution for monitoring your spanking new Amazon Lambdas, hear how you can do it on the cheap using just built-in Java APIs yourself. By exploiting a little-known fact that Lambdas aren’t exactly single threaded, you can effectively identify hot spots in your serverless code. In his session at 20th Cloud Expo, David Martin, Principal Product Owner at CA Technologies, will give a live demonstration and code walkthrough, showing how to ov...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
The 21st International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding busin...
SYS-CON Events announced today that Enzu will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive ad...
This talk centers around how to automate best practices in a multi-/hybrid-cloud world based on our work with customers like GE, Discovery Communications and Fannie Mae. Today’s enterprises are reaping the benefits of cloud computing, but also discovering many risks and challenges. In the age of DevOps and the decentralization of IT, it’s easy to over-provision resources, forget that instances are running, or unintentionally expose vulnerabilities.