Gary Oliffe at Gartner has an insightful blog post today about how the Web API angle for Heartbleed has been largely ignored. It reminds me of the DoS attacks on banks this time last year. Everybody seemed to focus on the banking websites which were brought down, but not on the Web APIs which also suffered (and rendered some banking apps unresponsive). People naturally focus on what they can see - websites - not on what they can't see - Web APIs.
With all the media coverage of Heartbleed over the last few days it occurred to me that there has not been nearly enough coverage given to the impact of Heartbleed on web APIs, both from the perspective of a consumer and provider.He goes on to talk about how an inventory of the APIs you use (internal and external) is vital, writing " You need to know the services are you using, the services are you providing, who is using them, what you and the other party need to do to protect yourselves and whether it has been done".
I couldn't agree more. The first step to managing your APIs is to catalog them. I've written before about the importance of the API Catalog, both for consumers (in an API Developer Portal) and also for administrators to keep track of the APIs which they are managing. With Axway, the API Catalog itself is available as a Web API (using JSON), which can be customized.
Complimenting the API Catalog is the API Gateway. An API Gateway is especially important for responding to Heartbleed because it provides a control point where you can perform virtual patches. If clients are accessing APIs via the API Gateway, that is the point where you ensure that security rules are applied. An API Gateway provides a level of virtualization in front of the actual APIs themselves, providing a point to quickly respond to issues such as Heartbleed.
So, the combination of (a) an API Catalog, providing an inventory of APIs your organization uses, and (b) an API Gateway to enforce security rules and apply "virtual patches", is important to deal with security events such as Heartbleed.