Have You Secured Your API?
Page 1 of 1
APIs are widely used in the modern web world to connect users and sites to disparate sources of data, content, and functionality. APIs also represent a window into infrastructure and as such can also be an attack vector ripe for exploitation, unless properly protected.
The topic of API security is one that is often an afterthought, if it's even considered at all. That's a situation that Scott Morrison, chief technology officer and chief architect at Layer 7 Technologies is hoping to change. Morrison delivered a presentation at the RSA security conference today titled, "Hacking's Gilded Age: How APIs Will Increase Risk and Foment IT Chaos," outlining the risks of APIs as well as providing some suggestions on how to deal with them.
"The great opportunity for hackers is that if they understand the practices of web developers moving into the API world, they will know where to probe," Morrison told InternetNews.com. "They will know where to look for the common mistakes."
Among the common mistakes that Morrison sees with APIs is the use of API keys as a means of personal identification.
"An API key is basically an opaque key that is given to a developer of an application," Morrison explained. "It's an identifier that is supposed to be able to track a particular application and its use of a given API."
The security risk occurs when developers confuse application identifiers and personal identifiers -- which are supposed to be used for people.
"The collision of those identifiers really shouldn't happen," Morrison said.
The risk of having a personal identifier present as part of the API key is that if the API is not secured properly, personally identifiable information could be hacked.