Friday, October 10, 2014

Who's responsible when API Security incidents occur?

Of all the reactions to the latest Snapchat API security issue, the most striking is this exchange on Twitter between Snapchat itself and Sean Kerner. As Brian Honan has noted, this API security incident is not a "breach" according to the letter of the law. But stepping aside from this story for a moment, it is worth asking the question in general: "Who is responsible when an API Security incident occurs?"

Of course, as an API Gateway vendor, I'm bound to say this, but this issue could have been avoided by having a dedicated API Security layer in place. In fact, in our recent "API Security Top 10" webinar, Gunnar Peterson and I even mentioned Snapchat. Applying API Key management, throttling (per app, per IP address, per user) and alerting would have helped here. When a previous Snapchat API-related incident happened, I wrote a blog post about how API monitoring and rate-limiting at an API Gateway would have helped. It's hard not to write "I told you so" here, but API security incidents like this will only draw more and more attention to the requirement for an effective API Security layer.

Friday, September 26, 2014

CVE-2014-6271 / CVE-2014-7169 ("Shellshock")

Although it doesn't have a fancy logo or a website, CVE-2014-6271 / CVE-2014-7169 (AKA "Shellshock") has been making a lot of news lately. The bug is in how GNU bash parses function definitions passed in environment variables, which makes it reachable wherever attacker-supplied input ends up in an environment variable before bash runs (CGI scripts being the classic case); CVE-2014-7169 covers the incomplete first fix. Axway (Vordel) customers can find out everything they need to know at this Knowledgebase article (requires support login).

Wednesday, September 17, 2014

Mobile backend with a Scottish twist - this Thursday in San Francisco

At our Axway API Workshops, we use an example of a mobile app using the API Gateway as a mobile backend. It happens that Thursday's API Workshop in San Francisco coincides with the Scottish independence vote, so the app we're using will have a Scottish theme...

In an instance of the Axway API Portal, I've configured a Scottish Voting API which simulates the vote. The options, as in the real vote, are "Yes" and "No".

As you can see in the screenshot below, I've configured API Key authentication for my Scottish Voting API. The API Portal has a handy "Try It" feature so that I can make test calls to the API, right from the API Portal (it's the "Try It" button on the right).

I've also registered an app at the API Portal, which will consume my Scottish Independence Vote API. Because the API is protected using API Keys, you can see that the API Portal issues an API Key to my app. In the API Workshop, we show how the mobile app makes use of this API Key to call the API, and how the Axway API Gateway enforces the API Key authentication. In the screenshot below, I've scribbled out the API Key in red:

There is also a quota applied to my app - it can send 100 messages every 1 second. When we look at the API traffic at the API Gateway later, we'll see that the remaining quota count is returned as a header to the app which calls the API.

Now let's look at the main app configuration. You can see its icon, plus the fact that it will access the Scottish Independence Vote API. 

Here's the app itself in action, on Android. You can see that I'm using the text from the vote itself ("Should Scotland be an independent country?").  The app calls the API which I've registered at the API Portal. It uses API Keys to authenticate.

The API Gateway shows the votes rolling in - as you can see below. It also shows any requests which are blocked for security or other reasons:

We can also see the API calling info over time, and zoom in on particular times to see more info:

And remember that quota I mentioned above? Here you can see the remaining quota information returned in a header, which is helpful information for the calling application:
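Putting those pieces together, here is an added example (my own illustration, not Axway code or code from this post) of the enforcement the Gateway is doing in the screenshots above, and of the per-app, per-IP throttling and alerting called for in the Snapchat post earlier on this page: the API Key is looked up in an app registry, a quota of 100 messages per 1 second is tracked per app and per client IP, the remaining count goes back to the caller in a response header, and every blocked request is recorded for an alerting hook. The registry contents, the keys and the header names X-API-Key and X-Quota-Remaining are assumptions for the example.

```python
"""Added example: API key enforcement with per-app and per-IP quota at a gateway.

Not Axway code. The registry, keys and header names are assumptions; the
100-messages-per-second quota is the one configured in the post.
"""
import time
from collections import defaultdict, deque

# Constructed registry: API key issued by the portal -> app name.
APP_REGISTRY = {
    "k-scotvote-android-0001": "Scottish Vote (Android)",
    "k-scotvote-ios-0002": "Scottish Vote (iOS)",
}

QUOTA_LIMIT = 100    # messages ...
QUOTA_WINDOW = 1.0   # ... per 1 second


class Gateway:
    """Sliding-window throttle keyed by app (API key) and by client IP."""

    def __init__(self, registry, limit=QUOTA_LIMIT, window=QUOTA_WINDOW,
                 clock=time.monotonic):
        self.registry = registry
        self.limit = limit
        self.window = window
        self.clock = clock              # injectable for deterministic tests
        self.hits = defaultdict(deque)  # scope -> request timestamps inside the window
        self.alerts = []                # (reason, client_ip, detail) for an alerting hook

    def remaining(self, scope, now):
        """Drop timestamps that fell out of the window; return the quota left in it."""
        window = self.hits[scope]
        while window and now - window[0] >= self.window:
            window.popleft()
        return self.limit - len(window)

    def handle(self, headers, client_ip):
        """Return (status, response_headers, body) for one API call."""
        now = self.clock()
        key = headers.get("X-API-Key")
        app = self.registry.get(key)
        if app is None:
            # Unknown or missing key: reject before any backend work, and alert.
            self.alerts.append(("invalid_key", client_ip, key))
            return 401, {}, "Unauthorized"

        scopes = (("app", key), ("ip", client_ip))
        for scope in scopes:
            if self.remaining(scope, now) <= 0:
                # Either bucket can block: one app hammering the API, or one IP
                # spraying requests across many keys.
                self.alerts.append(("quota_exceeded", client_ip, app))
                return 429, {"X-Quota-Remaining": "0"}, "Too Many Requests"
        for scope in scopes:
            self.hits[scope].append(now)

        # The calling app sees how much of its quota is left and can back off.
        left = self.remaining(("app", key), now)
        return 200, {"X-Quota-Remaining": str(left)}, "Vote recorded"


if __name__ == "__main__":
    gw = Gateway(APP_REGISTRY)
    for _ in range(102):
        status, hdrs, _ = gw.handle({"X-API-Key": "k-scotvote-android-0001"}, "203.0.113.7")
    print(status, hdrs, gw.alerts)
```

The per-IP bucket is what catches the abuse pattern where one source rotates through many keys; the per-app bucket is what the portal's "100 messages every 1 second" quota maps to. Both buckets share one limit here for brevity; in practice you would size them separately.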

That's how easy it is to use the API Gateway and API Portal as a mobile backend. Whatever the outcome of the Scottish vote on Thursday, I'm looking forward to walking through the Axway API Portal and API Gateway at the API Workshop in San Francisco this Thursday. Sign-up is free, hope to see you there.

Wednesday, September 10, 2014

The power of Real-Time APIs - Apple Watch and BMW

One of the most exciting parts of this week's Apple Watch launch was the example of the BMW watch app. This app allows you to see the charging status of your BMW i electric car, right from your wrist. You can also check the status of the doors of your car (such as whether they are locked or not!). Although the star of the show was the watch app, APIs had a cameo appearance, since the information shown on the watch is fetched in real-time from APIs.

It happens that there is already an example of a watch app for BMW i cars, pulling data in real-time from APIs. If you want to find out more about the underlying APIs, check out the Axway/IC-Consult webinar about how APIs power the connected car. As you can see below, not only are watch apps involved (in this case the Samsung Gear example), but also mobile apps.

The key is that the data is fetched in real-time via APIs to the watch. By the nature of a watch interface, a user does not want to be pressing buttons to get information, or to refresh data. This brings us to another announcement this week. Here at Axway, we released version 7.3 of our API Management solution. One of the key innovations is around real-time API delivery. We do this by embedding a messaging provider which, combined with HTML5 WebSockets, enables lightweight real-time API access to backend systems. This is ideal for the latest use cases including real-time financial information, real-time betting and gaming information, and, in the case of the Apple Watch and BMW, real-time Connected Car information.

The smart watch era promises to also be the real-time API era. Here at Axway we're very excited about this. 

Thursday, September 4, 2014

Top 10 Security Concerns for REST APIs - Webinar with Gunnar Peterson on September 18

Update: this webinar has taken place, but you can still catch the recording of the "Top Ten API Security Concerns".

REST API Security has come a long way from being a case of "Just use SSL"... or has it? On September 18th at 11am US Eastern Time / 4pm UK, we're running a webinar with Gunnar Peterson on the Top 10 Security Issues for REST APIs.

One of the big criticisms of SOAP Web Services was the complexity of the security standards such as WS-Security, WS-Trust, WS-Policy, WS-PolicyAttachment... the list goes on. People wrote whole books about them ;-) . In the case of REST, it can worryingly seem like a case of the Wild West (the "Wild REST"). Now, there are standards such as OAuth, but also there are many conventions such as API Keys which are sometimes implemented insecurely. Even in the case of OAuth 2.0, the implementation itself must be secured. Look out for this, and more, in Gunnar's definitive Top 10. 

And because the topic of REST API Security is so hot, we're running the webinar twice :-) . If you're in the Asia-Pacific region, you can attend Gunnar's REST API Security webinar on Tuesday 23 Sept at 10am Hong Kong / 12 noon Sydney/Melbourne time. 

Thursday, August 28, 2014

The Value of API Monitoring and Analytics

API Monitoring and Analytics are a very important part of API Management, because they answer the question "Who is using my APIs?", as well as providing the basis for monetization of APIs.

In the Axway API Management solution, we provide web-based monitoring of APIs both in real-time and as reports. In the screenshot below, we see API Analytics in action, with information about API usage, and the ability to generate a PDF report:

An example of a generated PDF report is shown below. Everything is customizable.

You can also search for specific transactions in Analytics using drop-down forms as shown below:

You then see all of the information about the API call, including the steps as it passes through the API Gateway:

You can also see the time for each step, as shown below. This is very important for diagnosing why an API call might be taking a long time. Using Axway API Management, you can see all the dependencies exactly, and do a full root-cause analysis. If someone says "My mobile app is running slowly", you can see exactly why that is (e.g. a back-end server is running slow). Notice the times for each step in the Gateway shown below:

In the Traffic Monitor, you can also see the times for requests and responses:

In addition, it is common to single out certain information from API traffic and use this within analytics. For example, your API calls may contain a field called "Waybill number". You can isolate the value of this field using JSON Path (in the case of JSON) or XPath (in the case of XML). Then, you log it as a "custom attribute" in Policy Studio as shown:

Now that you've singled out this "Waybill number" as a specific attribute, you can then search for it explicitly.
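The same idea, as an added example that is my own illustration rather than Axway code: the waybill number is isolated from a JSON body with a JSON Path selector or from an XML body with XPath, written into a key="value" log line that Splunk will field-extract without extra configuration, and then searched for explicitly by that attribute. The request bodies are constructed for the example, and json_path() is a small dotted-path subset of JSONPath, not a full implementation.

```python
"""Added example: isolate a business field from API traffic and log it as a
custom attribute. Not Axway code; bodies are constructed and json_path() is a
minimal JSONPath subset."""
import json
import xml.etree.ElementTree as ET


def json_path(doc, path):
    """Resolve a JSONPath-style selector limited to '$.a.b' and '$.items[0].id'."""
    node = doc
    for part in path.lstrip("$").strip(".").split("."):
        name, _, index = part.partition("[")
        if name:
            node = node[name]
        if index:
            node = node[int(index.rstrip("]"))]
    return node


def extract_waybill(content_type, body):
    """Isolate the waybill number: JSON Path for JSON, XPath for XML."""
    if content_type.startswith("application/json"):
        return json_path(json.loads(body), "$.shipment.waybill")
    if content_type.startswith("application/xml"):
        # ElementTree does not fetch external entities, but for untrusted XML
        # from the internet prefer the defusedxml package in production.
        root = ET.fromstring(body)
        node = root.find("shipment/waybill")
        return node.text if node is not None else None
    return None


def log_record(client_ip, api, status, waybill):
    """One key="value" line per call; Splunk extracts such fields automatically."""
    fields = {"client_ip": client_ip, "api": api, "status": status, "waybill": waybill}
    return " ".join(f'{k}="{v}"' for k, v in fields.items())


def search_by_waybill(lines, waybill):
    """Explicit search on the custom attribute (whole-token match, no prefixes)."""
    needle = f'waybill="{waybill}"'
    return [line for line in lines if needle in line.split()]


# Constructed sample traffic.
JSON_REQ = json.dumps({"shipment": {"waybill": "WB-4412-7", "weight_kg": 3.2}})
XML_REQ = "<request><shipment><waybill>WB-9901-3</waybill></shipment></request>"

if __name__ == "__main__":
    lines = [
        log_record("203.0.113.7", "Shipping", 200, extract_waybill("application/json", JSON_REQ)),
        log_record("203.0.113.8", "Shipping", 500, extract_waybill("application/xml", XML_REQ)),
    ]
    print("\n".join(lines))
    print(search_by_waybill(lines, "WB-9901-3"))
```

Note that extraction happens on the gateway, so the field is available for search even when the backend is the component that failed; that is exactly the "why is my app slow" root-cause case from earlier in the post.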

You can also set what exactly is logged, if you want to log for tools such as Splunk to crunch the data.

Wednesday, August 13, 2014

Are REST APIs Inherently Insecure? - Speaking at ISC2 in Atlanta in October

REST security is a hot topic. One of the reasons for this is the continued blowback from the over-complexity of the WS-* specifications. These specifications, including WS-Security, WS-Trust, and WS-ReliableMessaging, were notorious for being difficult to comprehend. In fact, people wrote whole books about Web Services Security :-) . One of the benefits of REST is simplicity. But, on the flipside, the lack of security standards has led to the proliferation of ad-hoc approaches such as the use of API Keys. API Keys are frequently used for API "authentication", often without much regard for attacks such as replay: a bare key sent as a header or query parameter can be captured and reused verbatim by anyone who observes it.
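To make the replay point concrete, here is an added example (my own illustration, not Axway code) of the ad-hoc scheme beside a hardened one: with a bare key, the credential is the request, so a captured request is good forever; with a per-request HMAC over method, path, body hash, timestamp and nonce, the gateway can reject stale, replayed and tampered requests without the secret ever crossing the wire. The key store, the secret and the header names X-Key-Id, X-Timestamp, X-Nonce and X-Signature are assumptions for the example.

```python
"""Added example: bare API key (replayable) vs signed request (not).
Not Axway code. Key store, secret and header names are assumptions."""
import hashlib
import hmac
import secrets
import time

# Constructed key store: key id -> shared secret. Only the id travels in the clear.
KEYS = {"app-1234": b"constructed-secret-for-the-example"}
MAX_SKEW = 300  # seconds within which a request counts as fresh


def bare_key_check(headers, keys=KEYS):
    """The ad-hoc scheme: the key id is the whole credential. Anyone who sees one
    request (proxy log, URL in a referrer, TLS-terminating middlebox) can replay
    it, or mint new requests, until the key is rotated."""
    return headers.get("X-Key-Id") in keys


def canonical(method, path, body, ts, nonce):
    """What gets signed: method, path, hash of the body, timestamp, nonce."""
    return "\n".join([method, path, hashlib.sha256(body).hexdigest(),
                      str(ts), nonce]).encode()


def sign_request(key_id, method, path, body, now=None, nonce=None, keys=KEYS):
    """Client side: HMAC over the canonical request with a fresh timestamp and nonce."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(keys[key_id], canonical(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts),
            "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Gateway side: freshness, then nonce uniqueness, then the MAC."""

    def __init__(self, keys=KEYS, now=time.time):
        self.keys = keys
        self.now = now      # injectable clock for tests
        self.seen = {}      # nonce -> time after which it can be forgotten

    def verify(self, method, path, body, headers):
        secret = self.keys.get(headers.get("X-Key-Id"))
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        now = self.now()
        if abs(now - ts) > MAX_SKEW:
            return False, "stale"
        nonce = headers.get("X-Nonce", "")
        # Forget nonces whose window has closed; anything that old is rejected
        # as stale above, so the replay cache stays bounded.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if not nonce or nonce in self.seen:
            return False, "replay"
        expected = hmac.new(secret, canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen[nonce] = ts + MAX_SKEW   # remember only after the MAC checks out
        return True, "ok"


if __name__ == "__main__":
    body = b'{"choice": "Yes"}'
    headers = sign_request("app-1234", "POST", "/vote", body)
    v = Verifier()
    print(v.verify("POST", "/vote", body, headers))   # first use
    print(v.verify("POST", "/vote", body, headers))   # replay of the same request
```

Two caveats a practitioner will want: the replay cache is per-process here, so a horizontally scaled gateway needs a shared store for nonces (or a narrower skew window), and signing does nothing to protect the secret at rest on the mobile device, which is where API-key schemes most often actually leak.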

But, by using an API Gateway approach, is it possible to layer on security for REST APIs? Could they (shock, horror) co-exist with heavyweight WS-* style SOAP web services? I'll be talking about this topic in my talk on "Are REST APIs Inherently Insecure" at the ISC2 Security Congress in October in Atlanta. Hope to see you there!

Tuesday, July 22, 2014

ViewDS and Axway - PEP/PDP interop using XACML for externalized authorization

Andrew Sciberras, the man with the most impressive mustache in Identity (until he shaved it off!), has written a very useful post on how Axway and ViewDS interop together using XACML to enable external authorization for SOA and APIs.

The interop announcement, which coincides with the Cloud Identity Summit in Monterey, speaks about how customers can now leverage ViewDS and Axway together in order to create complex authorization rules. An example of such a rule would be "Only the patient or their doctor can access a medical record, or the patient's parents or guardians if the patient is under 18 years of age". These types of policies are particularly suited to XACML.
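As an added illustration of that PEP/PDP split (my own example, not ViewDS or Axway code, and not XACML syntax), here is the medical-record rule above expressed as an attribute-based decision: the enforcement point at the gateway never decides anything itself, it hands subject, action and resource attributes to the decision point and enforces whatever comes back, treating anything other than an explicit Permit as a refusal. The Record attributes, the subject identifiers and the mapping of decisions to HTTP statuses are assumptions for the example.

```python
"""Added example: externalized authorization (PEP asks PDP) for the rule
'only the patient or their doctor, or a parent/guardian if under 18'.
Not ViewDS/Axway code and not XACML; attributes and statuses are assumptions."""
from dataclasses import dataclass
from datetime import date

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Record:
    """Resource attributes a PIP would supply alongside the request."""
    record_id: str
    patient_id: str
    patient_dob: date
    doctors: frozenset      # subject ids of the treating doctors
    guardians: frozenset    # subject ids of parents or guardians


def age_on(dob, today):
    """Whole years completed on `today` (birthday not yet reached counts as one less)."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def pdp_decide(subject_id, action, record, today):
    """PDP: evaluate the policy over the attributes; everything else is an explicit Deny."""
    if action != "read":
        return NOT_APPLICABLE        # this policy only speaks about reading records
    if subject_id == record.patient_id or subject_id in record.doctors:
        return PERMIT
    if subject_id in record.guardians and age_on(record.patient_dob, today) < 18:
        return PERMIT
    return DENY


class PEP:
    """Gateway-side enforcement point: never decides itself, only enforces."""

    def __init__(self, records, pdp=pdp_decide, today=date.today):
        self.records = records
        self.pdp = pdp
        self.today = today           # injectable clock for tests

    def handle(self, subject_id, action, record_id):
        record = self.records.get(record_id)
        if record is None:
            return 404
        decision = self.pdp(subject_id, action, record, self.today())
        # Deny-biased: anything other than an explicit Permit is refused,
        # including NotApplicable and any PDP error.
        return 200 if decision == PERMIT else 403


# Constructed data: a patient born in 2000, one doctor, one guardian.
RECORDS = {
    "rec-1": Record("rec-1", "patient-ann", date(2000, 5, 1),
                    frozenset({"dr-smith"}), frozenset({"parent-bob"})),
}

if __name__ == "__main__":
    pep = PEP(RECORDS)
    for who in ("patient-ann", "dr-smith", "parent-bob", "stranger"):
        print(who, pep.handle(who, "read", "rec-1"))
```

The guardian branch is the reason this belongs in a PDP rather than in application code: the answer changes on the patient's 18th birthday without anyone touching the API, because the decision is re-evaluated from current attributes on every call.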

The overall architecture is shown below:

Sunday, July 20, 2014

Video: Mobile App calling APIs, using the Axway API Portal and API Gateway

This week I am in Sydney, Australia, for Gartner AADI this Monday and Tuesday, then the Axway API Workshop here on Wednesday (still time to register if you're in Sydney!). The API Workshop ends with a wine reception, pitting French wines against Australian wines. In keeping with the theme, my colleague Charles Poulson and I have worked on sample APIs and apps, to see how an API Portal and API Gateway are used as the API backend for mobile apps.

In the video below, you can see a "Wine Chooser" sample Android app which consumes an API that's registered in an API Portal, and see the mobile API usage reporting being gathered and reported. We also see API Keys issued at the API Portal. Come along to the API Workshop on Wednesday to get your hands on the real thing! (the app and the wine :-) ).


Configuring OAuth for initial LDAP Authentication

Although OAuth is not for authentication (the "auth" is for authorization), it usually presupposes that an authentication event has taken place: the authorization server has to know who the resource owner is before it issues a token on their behalf. In the case of the Axway API Gateway, you can use the internal user store for this authentication, or you can use a third-party repository like LDAP. If you want to switch to LDAP, you can simply choose a different authentication repository under "Validate credentials against this repository" in the OAuth 2.0 policies in Policy Studio as shown below:

If you want to add a new authentication repository, you can find these under "Authentication Repositories" in Policy Studio, as shown below:

Note that other options include CA SiteMinder, Oracle Access Manager, IBM Tivoli Access Manager, and others.

Friday, July 18, 2014

APIdentity at Cloud Identity Summit next week

My colleague Ross Garrett is speaking next week at the Cloud Identity Summit on the "APIdentity" track. "APIdentity" is a neat mashup of "API" and "Identity" - I like it. Catch Ross's talk at 2.10pm on Monday 21 July:
API Security for the Cloud: Tales from the Trenches
Cloud technologies and mobile devices are transforming interactions with organizations via APIs. APIs present an endless opportunity for businesses to generate revenue, engage customers and collaborate with partners; Gartner even predicts 50% of B2B collaboration will occur via Web APIs by 2016.
This API Economy creates new IT complexity and presents risks for businesses when not implemented and managed securely. This presentation will discuss examples of organizations securing APIs, examining the API security state of play for the cloud. Questions that will be answered include:
  • How are organizations implementing OAuth?
  • How are they Managing Keys?
  • What are real-world examples of API security?

Telstra Hybrid Integration Case Study next week at Gartner AADI Sydney

Next week I'm excited to be attending Gartner AADI Sydney, where the Axway sponsor session features Telstra's Richard King speaking about Hybrid Integration, at 3.15pm on Monday July 21. Hybrid Integration, and the Hybrid Integration Platform (HIP), are very exciting topics in integration at the moment. Connections between on-premises and Cloud services are enabled in this way, all through APIs.

Here is the preview of the talk:
Innovations in Cloud, Mobile, Social Media and Big Data are revolutionising how Telstra International goes to market to engage with their customers, employees and suppliers. Richard shares experiences of how the business addressed the challenges of legacy integration, governance and politics to implement a framework to mobile-enable enterprise applications and govern services across public, private and hybrid cloud environments. 
I'm looking forward to the session, and to catching up with so many partners, customers, and friends in Australia. Maybe not looking forward to the long flight so much though... :-)