API security

Safeguard your API platform

Secure your API with impenetrable security mechanisms. Master the use of OAuth, OpenID, and more to embed identity management across the entire platform.

Advice on API Security


Security Points to Consider Before Implementing GraphQL

GraphQL is a very powerful query language that does a great many things right. When implemented properly, GraphQL offers an extremely elegant methodology for data retrieval, more backend stability, and increased query efficiency. The key here though is that simple phrase — when implemented properly. GraphQL has had somewhat of a gold rush adoption, with…

Read More

Why OAuth 2.0 Is Vital to IoT Security

The internet is fundamentally an unsafe place. For every service, every API, there are users who would love nothing more than to break through the various layers of security you’ve erected. This is no small concern, either — in the US alone, security breaches cost companies in excess of $445 Billion USD annually. As the…

Read More

Building With Open Standards Will Result in IT Longevity

In the initial years of the world wide web, much was innovated as it was needed — while the fundamentals were open and commonly agreed upon, the systems that used these fundamentals often were not. Innovation led to unique solutions, which led to the development of proprietary systems and approaches. However as time marched on, the…

Read More

Securing the IoT for Decades to Come

In 2007 Kevin Kelly gave a TED talk in which he forecasted how the World Wide Web would look 5000 days into the future, prophesizing the emergence of the IoT and AI. He envisioned a more connected planet where all manufactured goods tap into a single, global, intelligent network. At the time, the Internet of…

Read More

Review of Approov for Mobile API Security

Unfortunately, the reality of mobile apps is that at some point, someone is going to try to do something they’re not allowed to. Whether this is through brute-forcing keys, spoofing identities, or simply issuing distributed attacks across the application’s server dependencies, the threat to public-facing APIs in the mobile space is real, dangerous, and often…

Read More

How to Handle Batch Processing with OAuth 2.0

Recently on the Nordic APIs channel we’ve had a few people ask — how do you handle batch processes that are secured with OAuth 2.0? Batch requests are ones executed automatically or programmed to repeat recurringly. Usually we use OAuth to confirm user identity for API calls, but the problem is that OAuth 2.0 isn’t…

Read More

API Security: The 4 Defenses of The API Stronghold

This article aims to bolster your API defenses by outlining the four foundations of API security: Authentication, Authorization, Federation, and Delegation. At one point or another, your secure resources will be attacked. This is the unfortunate reality of the modern era, where the skills necessary to invasively crack open a system, network, or API are more commonplace than ever.

Tips and Tools for Debugging APIs

Tips and Tools for Debugging APIs

Benjamin Franklin once famously said “in this world nothing can be said to be certain, except death and taxes”. For the software developer, the saying should be amended to read “except death and taxes — and software bugs.” It’s an unfortunate fact that the very nature of software development, especially in the collaborative environments popular…

Read More

review of sapience API security auditing

Walkthrough of APIware’s Sapience API Security Validation Tool

These days, APIs need to be strong. They need to be versatile to change, and must triumph in the face of malicious schemes hackers use to disrupt core systems. But how does a provider consistently maintain security across their API platform, and consistently check to see that security is maintained throughout continuous code deployments? As…

Read More

API Keys ≠ Security: Why API Keys Are Not Enough

Despite the alluring simplicity and ease of utilizing API Keys, the shifting of security responsibility, lack of granular control, and misunderstanding of purpose and use amongst most developers makes solely relying on API Keys a poor decision. More than just protecting API keys, we need to program robust identity control and access management features to safeguard the entire API platform….

World War API: Understanding the Enemy

The virtual world stage is ever evolving, and unfortunately, the physical conflicts of yesterday are quickly becoming the digital conflicts of today. States, groups, and individuals are poised to wage digital warfare for a variety of political, economic, and social reasons. And, as with any conflict, civilian data — and civilian architecture — are prone…

Read More

API Security: Deep Dive into OAuth and OpenID Connect

OAuth 2 and OpenID Connect are fundamental to securing your APIs. To protect the data that your services expose, you must use them. They are complicated though, so we wanted to go into some depth about these standards to help you deploy them correctly. OAuth and OpenID Connect in Context Always be aware that OAuth…

Read More

How To Control User Identity Within Microservices

Everyone’s excited about microservices, but actual implementation is sparse. Perhaps the reason is that people are unclear on how these services talk to one another; especially tricky is properly maintaining identity and access management throughout a sea of independent services. Unlike a traditional monolithic structure that may have a single security portal, microservices pose many…

Read More

Maintaining API Security in a Continuous Delivery Environment

Continuous delivery is a hallmark of the modern development world. As tools have matured and the needs of the consumer have evolved, constant development and deployment have become the norm rather than the exception. With this increase in deployment, security has increased part and parcel. In this piece, we’re going to discuss how to maintain…

Read More

3 Unique Authorization Applications of OpenID Connect

If widely adopted, OpenID Connect could transform identity control by enabling single sign-on, increasing information security, and helping to manage identity throughout the Internet of Things. Within this post, we’ll dive into these three use cases on using OpenID Connect to securely manage user identity.

Token Design for a Better API Architecture

Little details like tokens can sometimes help structure complex API architectures. In this piece we’re going to have a look at different architectures, and ultimately see how a better way to design tokens can lead to a more performant result. Consider the role of tokens within two facets of API design, access control and data…

Read More

More posts on API Security

Sessions on API Security


OAuth and OpenID Connect Deep Dive
Travis Spencer - Twobo Technologies - September 2013

OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Twobo Technologies, will cram in as much about these two protocols as will fit into 25 minutes.

Integrating API Security Into A Comprehensive Identity Platform
Pam Dingle - Ping Identity. Nordic APIs World Tour 2015: May 11 - Copenhagen.

OAuth 2.0 and OAuth-based protocols are considered best practice in API Security – but what would those protocols look like as part of an overall Identity strategy? Pamela Dingle talks about the value proposition and best practices around integrating a standards-based API Security framework into an overall identity infrastructure initiative.

OpenID Connect and its role in Native SSO
Paul Madsen - Ping Identity - September 18-19 2013.

If widely adopted, OpenID Connect could transform identity control by enabling single sign-on, increasing information security, and helping to manage identity throughout the Internet of Things. Within this post, we’ll dive into these three use cases on using OpenID Connect to securely manage user identity.

Building a secure API
Travis Spencer - Twobo Technologies

Presented at Nordic APIs in Stockholm. Travis Spencer gives an overview of the techniques and technologies needed to launch a secure API.

More sessions on API Security

Ebooks on API Security

Securing The API Stronghold

Digital security is more and more a pressing concern. In the API and microservices world, the proper access management needs to be seriously addressed to ensure your digital assets are securely distributed. Nordic APIs has compiled our most vital advice into a single eBook. We outline security stacks and workflows using modern technologies such as…

Read More