Heartbleed Mitigation for Web APIs
Gary Olliffe at Gartner has an insightful blog post today about how the Web API angle of Heartbleed has been largely ignored.
It reminds me of the DoS attacks on banks this time last year. Everybody seemed to focus on the banking websites which were brought down, but not on the Web APIs which also suffered (and rendered some banking apps unresponsive). People naturally focus on what they can see - websites - not on what they can't see - Web APIs.
Gary writes:

"With all the media coverage of Heartbleed over the last few days it occurred to me that there has not been nearly enough coverage given to the impact of Heartbleed on web APIs, both from the perspective of a consumer and provider."

He goes on to talk about how an inventory of the APIs you use (internal and external) is vital, writing: "You need to know the services you are using, the services you are providing, who is using them, what you and the other party need to do to protect yourselves and whether it has been done."

http://blogs.gartner.com/gary-olliffe/2014/04/16/heartbleed-hit-your-apis-too-manage-those-dependencies/
I couldn't agree more. The first step to managing your APIs is to catalog them. I've written before about the importance of the API Catalog, both for consumers (in an API Developer Portal) and also for administrators to keep track of the APIs which they are managing. With Axway, the API Catalog itself is available as a Web API (using JSON), which can be customized.
Complementing the API Catalog is the API Gateway. An API Gateway is especially important for responding to Heartbleed because it provides a control point where you can perform virtual patches: rules applied at the gateway that block or neutralize an attack before the vulnerable backend is reached. If clients are accessing APIs via the API Gateway, that is the point where you ensure that security rules are applied. An API Gateway provides a level of virtualization in front of the actual APIs themselves, providing a point to quickly respond to issues such as Heartbleed.
So, the combination of (a) an API Catalog, providing an inventory of APIs your organization uses, and (b) an API Gateway to enforce security rules and apply "virtual patches", is important to deal with security events such as Heartbleed.
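As an added illustration (not code from the original article, and not Axway's product), here is the kind of length-consistency check a gateway could apply as a "virtual patch" to TLS heartbeat records it can inspect in plaintext, such as probes sent before the handshake completes. The `gateway_filter` function and the sample records are constructed for this example; the record layouts follow the TLS and RFC 6520 heartbeat formats.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data):
    """Parse one TLS record: type(1) version(2) length(2) body(length)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, ver_major, ver_minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("record body shorter than declared length")
    return ctype, (ver_major, ver_minor), body


def heartbeat_is_safe(body):
    """Heartbeat body is type(1) payload_len(2) payload(payload_len) padding(>=16).

    Unpatched OpenSSL trusted payload_len and echoed that many bytes back
    even when the body was far shorter, leaking process memory (Heartbleed).
    A gateway rule simply refuses any heartbeat whose declared payload does
    not fit inside the bytes that actually arrived.
    """
    if len(body) < 3:
        return False, "heartbeat body too short"
    payload_len = struct.unpack("!H", body[1:3])[0]
    if 3 + payload_len + HEARTBEAT_MIN_PADDING > len(body):
        return False, "declared payload %d exceeds body %d" % (payload_len, len(body))
    return True, "ok"


def gateway_filter(data):
    """Return 'pass' for records to forward, or 'drop: <reason>' for blocked ones."""
    ctype, _version, body = parse_tls_record(data)
    if ctype != TLS_HEARTBEAT:
        return "pass"
    ok, reason = heartbeat_is_safe(body)
    return "pass" if ok else "drop: " + reason


def build_record(ctype, body):
    """Constructed helper: wrap a body in a TLS 1.1 record header."""
    return struct.pack("!BBBH", ctype, 3, 2, len(body)) + body


# Constructed samples: a well-formed heartbeat and one with an oversized length claim.
BENIGN = build_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 3) + b"abc" + b"\x00" * 16)
MALFORMED = build_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 0x4000))
HANDSHAKE = build_record(22, b"\x01\x00")
```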
Published at DZone with permission of Mark O'Neill, DZone MVB. See the original article here.