This is a story from my latest API Evangelist API security industry guide. My partner ElasticBeam has underwritten my API security research, allowing me to publish a formal PDF of my guide, providing business and technical users with a walk-through of the moving parts, tools, and companies doing interesting things with API security. When I publish each guide, I publish each story here on the blog, helping build awareness around my research–this is a short one on API management.
API management has done an amazing job in helping companies, organizations, institutions, and government agencies make their digital resources more available online in a secure way. Allowing API providers to require developers to sign up, obtain keys, and tokens which need to accompany all API calls. This, along with encryption by default, has gone a long way towards making data, content, and algorithms more accessible, while also being secure. However, many API providers have stopped here, and think their resources are secure when, in reality, there is so much more work to be done.
Requiring all developers obtain keys to access resources, and encryption data in transit is an important part of API security, but it is just one tool in the API security toolbox. Out of API management, you also receive an enhanced set of logging, analysis, and reporting tools for how developers are putting API resources to work. When done well, this pushes the API security conversation forward, allowing API providers to balance access with security, and be proactive when it comes to limiting access, or even shutting off access when there is abuse. The problem is not all API providers are investing here, let alone going beyond what API management providers offer.
The awareness brought to the table my API management is valuable, but there are so many aspects of API operations at the web server, DNS, and other levels that are often left out of the API management conversation. I’ll be pushing API providers to look beyond just the API management layer, and expanding API security awareness to every other stop along the API life beyond just management.
You can download or purchase my API Evangelist API security industry guide over at my API security research, and if you want to point out any corrections, and share your thoughts on what is missing, feel free to submit a Github issue on the research project’s Github repository. I appreciate your support of my work, and depend on folks like you, and ElasticBeam to make this all work.