As I noted earlier this year, API Security is crucial to the success of a digital transformation project, and an important element of the Full Lifecycle API Management Model.
As an API provider, building security into your project at the strategy, design, and create points alleviates problems down the road (and as noted in my previous post, can help keep your company name out of the news). But what else can you do to help protect your apps and data?
Let’s start with standards. In the digital world we live in today, mobile devices have become the new endpoint. OAuth 2.0 and OpenID Connect are two standards that absolutely should be used, with every call carried over TLS (still widely referred to as SSL). OAuth 2.0 lets a user grant an application scoped, revocable access to resources held by another service without ever handing that application the user’s password.
OpenID Connect is a simple identity layer on top of OAuth 2.0: it adds a signed ID token so the application can verify who the mobile user is, not merely that some token was issued. A modern API gateway will provide both the OAuth authorization server and a bridge that links it to an enterprise Identity and Access Management (IAM) system such as CA Single Sign-On.
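To make the two standards concrete, here is an added example (my own illustration, not code from the original post or from any CA product) of the two client-side pieces a mobile app relies on: the PKCE verifier/challenge pair from RFC 7636 that protects the OAuth 2.0 authorization code on a device, and the ID token checks from OpenID Connect Core that confirm the token was issued by the expected provider, for this app, for this login attempt. The issuer URL, client ID, key and user are hypothetical; the token is signed with HS256 only so the script runs offline, whereas a real provider signs with RS256 or ES256 and publishes its public keys via JWKS.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as both JWT and PKCE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce_pair() -> Tuple[str, str]:
    """RFC 7636 S256: the app keeps code_verifier secret and sends only the
    challenge with the authorization request, so a stolen authorization code
    cannot be redeemed without the verifier."""
    verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_verifier_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


def mint_id_token(claims: Dict, key: bytes) -> str:
    """Issue an HS256-signed ID token (HMAC used only to stay self-contained)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """ID token validation in the order a client should apply it: signature,
    then iss, aud, exp, and the nonce that binds the token to this login."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return False, "undecodable token"
    # Pin the algorithm; never let the token's own header choose it ("alg": "none").
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    return True, "ok"


def demo() -> Dict[str, object]:
    """Constructed walk-through with hypothetical issuer, client and user."""
    key = b"demo-shared-secret"
    issuer, client_id = "https://login.example.com", "mobile-app-123"
    nonce, now = "n-7f3a", 1_700_000_000
    base = {"iss": issuer, "sub": "alice", "aud": client_id,
            "iat": now, "exp": now + 300, "nonce": nonce}
    good = mint_id_token(base, key)
    stale = mint_id_token({**base, "exp": now - 1}, key)
    other_app = mint_id_token({**base, "aud": "another-app"}, key)
    tampered = good.rsplit(".", 1)[0] + "." + b64url(b"\x00" * 32)
    verifier, challenge = make_pkce_pair()

    def check(tok: str, n: str = nonce) -> Tuple[bool, str]:
        return validate_id_token(tok, key, issuer, client_id, n, now)

    return {
        "pkce_ok": pkce_verifier_matches(verifier, challenge),
        "pkce_wrong_verifier": pkce_verifier_matches(verifier + "x", challenge),
        "good": check(good),
        "tampered": check(tampered),
        "stale": check(stale),
        "other_app": check(other_app),
        "replayed": check(good, "some-other-login-nonce"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The nonce check is the one most often skipped in mobile code: without it an ID token captured from one login can be replayed into another, even though its signature, issuer and audience are all perfectly valid.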
Security for Gateways
When it comes to API gateways, use the security capabilities of your gateway to the fullest extent. Most gateways today can block web-based threats and exploits (malformed or oversized payloads, injection attempts, excessive request rates) before they reach a backend, and can enforce policies that confirm the expected security measures, such as TLS and a valid access token, are present on every request.
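As an added example (my own illustration, not code from the original post or from CA API Gateway), the following shows the shape of a gateway request policy: a fixed chain of checks applied to every inbound request, cheapest first, failing closed on the first violation. It enforces TLS, a per-client rate limit, the presence of a bearer token, a body size cap, an allowed content type, and a JSON nesting-depth limit measured on the raw bytes so that a deeply nested payload is rejected before any recursive parser sees it. The addresses, paths and token value in the sample traffic are constructed; a real gateway would go on to validate the token against the authorization server.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_BODY_BYTES = 64 * 1024
MAX_JSON_DEPTH = 8
ALLOWED_CONTENT_TYPES = {"application/json"}


@dataclass
class Request:
    method: str
    path: str
    scheme: str
    headers: Dict[str, str]  # header names lower-cased by the front end
    body: bytes
    client_ip: str


class RateLimiter:
    """Fixed-window counter per client address. Rejected requests still
    count, so a client cannot probe the policy for free."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.buckets: Dict[str, Tuple[float, int]] = {}

    def allow(self, key: str, now: float) -> bool:
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self.buckets[key] = (start, count)
        return count <= self.limit


def max_bracket_depth(raw: bytes) -> int:
    """Nesting depth of a JSON document from the raw bytes, skipping string
    contents, without recursion and without building a parse tree."""
    depth = peak = 0
    in_string = escaped = False
    for ch in raw.decode("utf-8", errors="replace"):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            peak = max(peak, depth)
        elif ch in "]}":
            depth -= 1
    return peak


def enforce_policy(req: Request, limiter: RateLimiter, now: float) -> Tuple[bool, str]:
    """Gateway policy: cheapest checks first, fail closed on the first violation."""
    if req.scheme != "https":
        return False, "TLS required"
    if not limiter.allow(req.client_ip, now):
        return False, "rate limit exceeded"
    if not req.headers.get("authorization", "").startswith("Bearer "):
        return False, "missing bearer token"
    if len(req.body) > MAX_BODY_BYTES:
        return False, "body too large"
    if req.method in ("POST", "PUT", "PATCH"):
        ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_CONTENT_TYPES:
            return False, "unsupported content type"
        if max_bracket_depth(req.body) > MAX_JSON_DEPTH:
            return False, "nesting too deep"
    return True, "ok"


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Constructed traffic from one client (hypothetical address, path, token)."""
    auth = {"authorization": "Bearer demo-token", "content-type": "application/json"}

    def req(scheme="https", headers=auth, body=b'{"item": "widget"}') -> Request:
        return Request("POST", "/api/v1/orders", scheme, headers, body, "203.0.113.7")

    limiter = RateLimiter(limit=3, window_seconds=60)
    deep = b"[" * 32 + b"]" * 32
    huge = b'{"note": "' + b"a" * MAX_BODY_BYTES + b'"}'
    return {
        "ok": enforce_policy(req(), limiter, 100.0),
        "plain_http": enforce_policy(req(scheme="http"), limiter, 100.0),
        "no_token": enforce_policy(req(headers={"content-type": "application/json"}), limiter, 100.0),
        "deep_json": enforce_policy(req(body=deep), limiter, 100.0),
        "rate_limited": enforce_policy(req(), limiter, 100.0),
        "after_window": enforce_policy(req(), limiter, 200.0),
        "too_large": enforce_policy(req(body=huge), limiter, 200.0),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} {verdict}")
```

Note the ordering: the TLS check costs nothing and runs before the rate limiter, while the rate limiter runs before anything that inspects the body, so a flood of bad requests is counted and cut off without the gateway spending effort parsing them.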
Many regulated industries and government agencies require a hardened API gateway with FIPS 140-2 compliance (the NIST standard for cryptographic modules) as well as Common Criteria certification (an independent third-party security evaluation that provides assurance the tested product meets its stated security claims). CA API Gateway has supported FIPS 140-2 for many years and recently received Common Criteria certification.
If your API management solution offers mobile SDKs with additional security features (as CA Mobile API Gateway does), use them to extend enterprise-grade security to the mobile device for end-to-end protection. These SDKs typically integrate with the device’s own authenticators to require biometric and multi-factor authentication before enterprise resources can be accessed.
Creating Digital Trust
CA Technologies has further extended the capabilities of the mobile SDK through CA Rapid App Security. This solution enables continuous three-way trust: it identifies the user, the app, and the device, and also learns and tracks the relationship between the three. When a pattern deviates from the norm (for example, a user who unlocks with Face ID 99 percent of the time suddenly presents a password to reach a resource), a step-up authentication challenge can be required before access is granted. As you can see, a mobile SDK truly enables a stronger, more holistic security model.
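The deviation logic described above can be sketched in a few lines. The following is an added example of my own, not code from the original post or from CA Rapid App Security: it keeps a rolling history of authentication methods per user/app/device binding and asks for step-up when the current method is rare for that binding, when the binding has too little history to judge, or when the binding has never been seen. The user, app and device identifiers and the 99-to-1 login history are constructed; a product would weight many more signals (device attestation, location, time of day) than the single one shown here.

```python
from collections import deque
from typing import Deque, Dict, Tuple

Key = Tuple[str, str, str]  # (user, app identifier, device identifier)


class TrustTracker:
    """Rolling history of authentication methods per user/app/device binding;
    flags a login whose method is unusual for that binding."""

    def __init__(self, history_size: int = 200, min_samples: int = 20,
                 rare_threshold: float = 0.05):
        self.history_size = history_size
        self.min_samples = min_samples
        self.rare_threshold = rare_threshold
        self.history: Dict[Key, Deque[str]] = {}

    def observe(self, user: str, app: str, device: str, method: str) -> None:
        """Record a successful login after any required step-up has passed."""
        dq = self.history.setdefault((user, app, device), deque(maxlen=self.history_size))
        dq.append(method)

    def requires_step_up(self, user: str, app: str, device: str, method: str) -> Tuple[bool, str]:
        dq = self.history.get((user, app, device))
        if dq is None:
            return True, "unknown user/app/device binding"
        if len(dq) < self.min_samples:
            return True, "not enough history to judge"
        share = dq.count(method) / len(dq)
        if share < self.rare_threshold:
            return True, f"{method} used in only {share:.0%} of recent logins"
        return False, "consistent with established pattern"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed history: 99 Face ID logins and one password login from
    one hypothetical user, app and device."""
    tracker = TrustTracker()
    user, app, device = "alice", "com.example.bank", "device-A1"
    for _ in range(99):
        tracker.observe(user, app, device, "face_id")
    tracker.observe(user, app, device, "password")
    return {
        "usual_face_id": tracker.requires_step_up(user, app, device, "face_id"),
        "sudden_password": tracker.requires_step_up(user, app, device, "password"),
        "new_device": tracker.requires_step_up(user, app, "device-B2", "face_id"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The important design choice is that the history is keyed on the triple, not on the user alone: the same user presenting a password from a brand-new device is treated as an unknown binding, which is exactly the case a stolen credential produces.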
As you are designing your APIs and microservices and integrating them into your applications, keep the OWASP Top 10 (2017 edition) list of the most critical web application security risks in mind and check your designs against it, so that your applications minimize those risks.
Finally, once your application is complete, subject it to stringent security testing. Application security testing solutions such as Veracode assess the security of your code before it is released. By integrating that testing into the software lifecycle rather than bolting it on at the end, you get a strategic, repeatable way to find and manage your application security risks.
By integrating security into your full lifecycle API management model, you’ve taken many of the steps your Chief Security Officer mandates. To learn more about advanced security techniques, I invite you to attend a replay of our Modernizing Application Architectures with Microservices and APIs Virtual Summit Series.
This four-hour session explores the latest trends and priorities for banks that are using APIs to fuel their digital transformation, discusses FIDO and mobile security and risk analysis, and finishes with how to securely expose an enterprise’s APIs to the world, including a demonstration of how to apply custom security checks to specific requests. I hope you enjoy the session!