Fremont, CA: Companies have rapidly opened their data to their ecosystems through SOAP or REST APIs in response to the growing demand for data-centric projects. APIs are the gateways to a company's tightly guarded records, which is exactly what makes securing them a challenge.
Below are simple practices you can adopt to mitigate security threats and keep APIs secure.
- Encryption
Be cryptic. Nothing, whether internal or external communication, needs to travel in the clear.
TLS (the successor to SSL) encrypts all communications between the user and their partners, whether with standard one-way TLS or, even better, two-way (mutual) TLS. Use the most recent TLS versions so that the weakest cipher suites cannot be negotiated.
- OAuth & OpenID Connect
To handle authorization, the API provider relies on a third-party server. Instead of sending their credentials, the client presents a token issued by that third-party server. This protects the client, who never has to reveal their credentials, and the API provider no longer has to store authorization data because it only ever receives tokens.
OAuth is a well-known delegation protocol for transferring authorizations. To protect APIs even further and add authentication, users can add an identity layer on top of them: this is the OpenID Connect standard, which extends OAuth 2.0 with ID tokens.
- Monitoring: Audit, Log, and Version
Be a stalker. When something goes wrong, users must be ready to troubleshoot: inspect and record relevant information on the server, and keep the history for as long as their production servers' capacity allows. In the event of an incident, those logs become the debugging tools. Monitoring dashboards are also highly recommended for keeping track of API usage.
- Data Validation
Be picky about what you accept as a gift, especially if it is a large one. Anything the server receives needs to be double-checked. Always review the data that clients send and reject any additional content or data that is too big. To avoid SQL injection or an XML bomb, use JSON or XML schema validation and check that each parameter has the expected type (string, integer, and so on).
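A minimal allow-list validator for a JSON request body, added here as an example rather than code from the article: it rejects oversized bodies before parsing, unknown fields, missing fields, wrong types and over-long strings. The `ORDER_SCHEMA` fields, the size limits and the sample payloads are constructed for illustration.

```python
import json

# Hypothetical schema for a "create order" endpoint (constructed for this example):
# every accepted field is listed with its expected type; anything else is rejected.
ORDER_SCHEMA = {
    "customer_id": int,
    "sku": str,
    "quantity": int,
}
MAX_BODY_BYTES = 1024   # reject oversized payloads before they reach the parser
MAX_STRING_LEN = 64     # cap on any string field


def validate_request(raw: bytes):
    """Return (ok, errors) for a raw request body."""
    errors = []
    # Size check first: never parse something that is too big.
    if len(raw) > MAX_BODY_BYTES:
        return False, [f"body too large: {len(raw)} > {MAX_BODY_BYTES} bytes"]
    try:
        body = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return False, ["body is not valid JSON"]
    if not isinstance(body, dict):
        return False, ["body must be a JSON object"]
    # Reject any field the schema does not declare (no additional content).
    for key in sorted(body.keys() - ORDER_SCHEMA.keys()):
        errors.append(f"unexpected field: {key}")
    for key, expected in ORDER_SCHEMA.items():
        if key not in body:
            errors.append(f"missing field: {key}")
            continue
        value = body[key]
        # bool is a subclass of int in Python; do not let true/false pass as integers.
        if isinstance(value, bool) or not isinstance(value, expected):
            errors.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        elif expected is str and len(value) > MAX_STRING_LEN:
            errors.append(f"{key}: string longer than {MAX_STRING_LEN} characters")
    return (not errors), errors


if __name__ == "__main__":
    # Constructed sample payloads: one valid, one with a wrong type and an extra field.
    for sample in (b'{"customer_id": 42, "sku": "ABC-1", "quantity": 3}',
                   b'{"customer_id": "42", "sku": "ABC-1", "quantity": 3, "admin": true}'):
        print(validate_request(sample))
```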
- API Firewalling
Construct a barrier. Some believe that erecting a wall would fix all of a country's immigration issues. For APIs, at least, that is the case! The protection of the API is divided into two layers:
The first layer sits in the DMZ, where an API firewall enforces simple protections such as message size checks, SQL injection checks, and any security that depends on the HTTP layer, stopping intruders before the message is forwarded to the second layer.
The second layer sits in the local area network (LAN), with specialized data protection mechanisms.
- API Gateway (API Management)
Many of the processes mentioned above take a long time to set up and maintain. Rather than reinventing the wheel, users can invest in a proven and scalable API Management solution that bundles all of these features, saving money, time, and resources while also accelerating time to market. An API Gateway lets users protect, manage, and track their traffic in one place.