Sound application development rests with secure APIs in the cloud

Overcoming API security risks

Containers, microservices and APIs -- oh my. Together, they form the holy trinity of cloud computing. One doesn't stand without the others, and all must be secure. If API security risks are present, the other two face exposure that can jeopardize businesses and threaten lives.

APIs are the glue that hold together an app's tapestry of microservices and containers. They provide the conduits through which microservices talk to each other. APIs provide access to data, whether company-owned or subscribed to. They're the pathway to reading billions of internet of things (IoT) sensors. How prevalent are APIs? As of July 2017, one searchable directory contains 17,733 public entries. That tally will surely grow.

The challenge facing proponents of cloud computing is that API security risks are rising in concert with the technology's soaring popularity. To deal with varying threats posed by unauthorized changes to data, data leakage and interference with legitimate activity, a multifaceted approach is needed. That approach encompasses sandboxing, network connection control and encryption.

API management also can help minimize IoT-related security risks such as the one faced by a major automobile manufacturer. The service and travel history of its all-electric vehicles can be easily hacked via an API call that requires only the vehicle identification number, which is easily viewed through any windshield. We need to do better than that. Other API security risks include simultaneous control of multiple versions -- especially when that API is used by outside customers -- and the challenge of determining whether a third-party API meets the standards of security, efficiency and performance.

This handbook probes potential API security risks and puts forth a number of best practices for maintaining a secure, managed environment.