Security Guide for APIs
To say that securing the data that is communicated and transacted among applications is one of the biggest concerns for software vendors and online services is accurate, but a huge understatement. Since data is essentially the currency with which companies attract users and conduct business, there is no room for it to be compromised. A single breach of trust between company and customer (or partner, supplier or any other participant in the ecosystem) will result in a dramatic reduction in credibility. Considering how quickly and easily people can change the providers they work with, this could have draconian repercussions on any organization.
Consider recent security breaches that have made headlines, put businesses in jeopardy, and created global security risks: the NSA spying case, WikiLeaks, Snapchat's breach; these are just a few of the major issues that have happened recently. They have put a renewed focus on how important it is to ensure the privacy of data, while still keeping it flexible enough to do its job.
APIs are the engine of all these transactions of data, commerce and communication, so naturally we obsess about how to keep APIs and the data they work with, secure and authenticated. Our conversations with customers and partners all usually come back to API security at some point. We want you, as stakeholders, to understand what it means to create and work in a secure application environment, so we've created this resource guide to give you a primer on API Security:
General API Security
- API Security: Creating a Solid Foundation: Web APIs heighten security exposure for enterprise information assets across the big three of information security: Confidentiality, integrity and reliability.
- OAuth Community: OAuth developer community.
- OAuth Server: Share Data Securely for Mobile, APIs and Web Apps: Learn about our comprehensive security token server that integrates with enterprise identity and access management systems providing the latest Web and API security standards including OpenId and OAuth.
- API Security: Does My Business Need OAuth?: OAuth provides a comprehensive security mechanism to secure your application data and allow for collaborative development and usage.
- Security-First API Maturity: How to provide perimeter security with a Policy Enforcement Point, Policy Administration Point, and Policy Decision Point.
- JWT for API Security: Learn what JSON Web Tokens (JWT) are and how the various ways they are applied for API security.
API Security and Management with API Gateway
- API Gateway: For API security, integration, mediation and deployment.
- Anatomy of an API Gateway: An overview of how to use a gateway to manage your APIs.
- API Gateway - Simplified Security and Management: The API gateway streamlines security, development, operation and management of APIs.
Securing Mobile Apps
- Unified Security for APIs, Apps, and Mobile: Issues and opportunities with private APIs that enable enterprise applications to communicate and transact with one another.
- Mobile Application Gateway: Our solution for externalizing applications, services and data for mobile consumption.
- Open Banking and PSD2 Solutions: Discover how the Akana platform provides security and compliance solutions for financial institutions.
- SCA for Open Banking APIs: Find out how to secure payments with SCA (Strong Customer Authentication).
- API Security Overview: API security and management go hand-in-hand, and this overview explains how enterprises can shape their business models to address the new digital economy by preparing their APIs for consumption in mobile applications, cloud applications and Internet of Things (IoT). We provide a guide for how APIs can connect enterprises with mobile apps and a large community of developers, and we emphasize that APIs also need to be scalable, reliable, and most importantly secure.
- API Gateway – Security Elements: Enterprises want to quickly and cost-effectively develop, secure, manage and monitor their APIs in an increasingly connected world by securely and rapidly connecting applications across platforms, devices and channels. This piece explains how that gets done.
- API Security: Securing Digital Channels and Mobile Apps Against Hacks: In this webinar, we will walk you through the various aspects of how an API could be potentially exploited. We will discuss the necessary best practices to secure your data and enterprise applications while continue continuing to support your business’s digital initiatives.
The State of API Security
- API Security: A Guide to Securing Your Digital Channels: The purpose of this paper is to help you understand the necessary components of a well-constructed API security strategy. First it takes you through API risk assessment discussing the various attack vectors that could potentially make your API vulnerable. Then the paper talks about risk mitigation strategies that API providers can put in place to prevent API hacks.
- Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3: Recently revealed vulnerabilities in SSLv3, OpenSSL and other cipher suites may expose your transactions or APIs over web browsers, web servers or HTTPS to new threats. This webinar can help you learn HTTPS configuration best practices and tools to harden your HTTPS endpoints with right protocols and cipher suites.
- Key Findings from The Global State of API Security Survey 2015: Akana works with many clients worldwide who are concerned about API security issues. To help them and the broader industry gain a better understanding of the state of API security, we conducted a survey of 1,200 IT professionals on the subject in May, 2015. The respondents came from a range of industries and organization sizes. The survey reveals, perhaps not surprisingly, that API security is an identified risk for many IT departments and business managers.
- Understanding OAuth: OAuth arose out of the process of improving the OpenID standard at the Internet Engineering Task Force (IETF) to solve the problem of secure access to multiple systems on behalf of a single client. This paper illustrates how OAuth works using simple use cases. It delves into the history of OAuth and contrasts it to OpenID, a comparable but different method commonly used for authentication. Then, this paper takes a look at a more complex enterprise use case and discusses how an API management solution can help facilitate the effective use of OAuth in the context of corporate computing.
Thoughts from Security Influencers
- Mitigating the Top Five Common API Weaknesses: A look at the most common issues concerning API security, and explains how they can be addressed. From identity theft, to malicious code, and even issues with authentication/authorization, we walk you through real-life issues and how to handle them to keep your business safe.
- Top 10 Security Terms for API Developers:My previous blog describes the main terms you need to know.
- The Science of APIs in a Mobile World – Security, Control, and Quality: API providers need to monitor their APIs to make sure they are meeting their service level agreements, and protect against attacks. However, to get a full end-to-end understanding of the API consumer experience, an external monitor is needed to simulate how consumers are using and experiencing your APIs. This webinar examines the issues inherent in managing and monitoring APIs from both the provider and consumer sides, including getting on top of security, quality, and control.
Do You Have a Security-First API Strategy?
Is your API platform secure enough? Take Akana for a test spin with our free 30-day trial to see how easy it is to apply the latest security and regulatory standards to ensure your APIs are protected.