Security

API security

Safeguard your API platform

Secure your API with impenetrable security mechanisms. Master the use of OAuth, OpenID, and more to embed identity management across the entire platform.

Advice on API Security

Featured

Why Can’t I Just Send JWTs Without OAuth?

A JSON Web Token or JWT is an extremely powerful standard. It’s a signed JSON object; a compact token format often exchanged in HTTP headers to encrypt web communications. Because of its power, JWTs can be found driving some of the largest modern API implementations. For many, the JWT represents a great solution that balances…

Top Insights From the 2017 Platform Summit

This week Nordic APIs hosted the Platform Summit, our largest conference to date. 400+ attendees and 60+ speakers arrived to a sold out event, jam-packed with the industry’s leading experts on web APIs. Our attendees represented 26 different countries, making this our most global event ever. With tremendous growth slated for the API economy, we encouraged our…

How to Safely Throttle High Traffic APIs

Too much traffic can be a dangerous thing. To many application developers, this seems like a good problem to have – traffic is exactly what you want for your service, so accordingly, the more the better. The simple truth is, however, that too much of a good thing can be very dangerous – and in…

Designing API Usage Guidelines For Bot Clients

In the spring of 2017, published a series of guidelines for automated API users utilizing bots. These guidelines were created to help control the intent, actions, and result of bots on the service. Accordingly, there was some discussion about just what these guidelines did and didn’t do, and how valuable such a set of…

Security Points to Consider Before Implementing GraphQL

GraphQL is a very powerful query language that does a great many things right. When implemented properly, GraphQL offers an extremely elegant methodology for data retrieval, backend stability, and increased query efficiency. The key here though is that simple phrase — when implemented properly. GraphQL has had somewhat of a gold rush adoption, with…

Why OAuth 2.0 Is Vital to IoT Security

The internet is fundamentally an unsafe place. For every service, every API, there are users who would like nothing more than to break through the various layers of security you’ve erected. This is no small concern, either — in the US alone, security breaches cost companies in excess of $445 Billion USD annually. As the…

Building With Open Standards Will Result in IT Longevity

In the initial years of the world wide web, much was innovated as it was needed — while the fundamentals were open and commonly agreed upon, the systems that used these fundamentals often were not. Innovation led to unique solutions, which led to the development of proprietary systems and approaches. However as time marched on, the…

Securing the IoT for Decades to Come

In 2007 Kevin Kelly gave a TED talk in which he forecast how the World Wide Web would look 5000 days into the future, prophesying the emergence of the IoT and AI. He envisioned a connected planet where all manufactured goods tap into a single, global, intelligent network. At the time, the Internet of…

Review of Approov for Mobile API Security

Unfortunately, the reality of mobile apps is that at some point, someone is going to try to do something they’re not allowed to. Whether this is through brute-forcing keys, spoofing identities, or simply issuing distributed attacks across the application’s server dependencies, the threat to public-facing APIs in the mobile space is real, dangerous, and often…

How to Handle Batch Processing with OAuth 2.0

Recently on the Nordic APIs channel we’ve had a few people ask — how do you handle batch processes that are secured with OAuth 2.0? Batch requests are ones executed automatically or programmed to repeat recurringly. Usually we use OAuth to confirm user identity for API calls, but the problem is that OAuth 2.0 isn’t…

API Security: The 4 Defenses of The API Stronghold

This article aims to bolster your API defenses by outlining the four foundations of API security: Authentication, Authorization, Federation, and Delegation. At one point or another, your secure resources will be attacked. This is the unfortunate reality of the modern era, where the skills necessary to invasively crack open a system, network, or API are more commonplace than ever.

Tips and Tools for Debugging APIs

Benjamin Franklin once famously said “in this world nothing can be said to be certain, except death and taxes”. For the software developer, the saying should be amended to read “except death and taxes — and software bugs.” It’s an unfortunate fact that the very nature of software development, especially in the collaborative environments popular…

Walkthrough of APIware’s Sapience API Security Validation Tool

These days, APIs need to be strong. They need to be versatile to change, and must triumph in the face of malicious schemes hackers use to disrupt core systems. But how does a provider consistently maintain security across their API platform, and consistently check to see that security is maintained throughout continuous code deployments? As…

API Keys ≠ Security: Why API Keys Are Not Enough

Despite the alluring simplicity and ease of utilizing API Keys, the shifting of security responsibility, lack of granular control, and misunderstanding of purpose and use amongst most developers makes solely relying on API Keys a poor decision. More than just protecting API keys, we need to program robust identity control and access management features to safeguard the entire API platform…

World War API: Understanding the Enemy

The virtual world stage is ever evolving, and unfortunately, the physical conflicts of yesterday are quickly becoming the digital conflicts of today. States, groups, and individuals are poised to wage digital warfare for a variety of political, economic, and social reasons. And, as with any conflict, civilian data — and civilian architecture — are prone…

API Security: Deep Dive into OAuth and OpenID Connect

OAuth 2 and OpenID Connect are fundamental to securing your APIs. To protect the data that your services expose, you must use them. They are complicated though, so we wanted to go into some depth about these standards to help you deploy them correctly. OAuth and OpenID Connect in Context: Always be aware that OAuth…

How To Control User Identity Within Microservices

Everyone’s excited about microservices, but actual implementation is sparse. Perhaps the reason is that people are unclear on how these services talk to one another; especially tricky is properly maintaining identity and access management throughout a sea of independent services. Unlike a traditional monolithic structure that may have a single security portal, microservices pose many…

Maintaining API Security in a Continuous Delivery Environment

Continuous Delivery is a hallmark of the modern development world. As tools have matured and the needs of the consumer have evolved, constant development and deployment have become the norm rather than the exception. With this increase in deployment, security has increased part and parcel. In this piece, we’re going to discuss how to maintain…

3 Unique Authorization Applications of OpenID Connect

If widely adopted, OpenID Connect could transform identity control by enabling single sign-on, increasing information security, and helping to manage identity throughout the Internet of Things. Within this post, we’ll dive into these three use cases on using OpenID Connect to securely manage user identity.

Token Design for a Better API Architecture

Little details like tokens can sometimes help structure complex API architectures. In this piece we’re going to have a look at different architectures, and ultimately see how a better way to design tokens can lead to a performant result. Consider the role of tokens within two facets of API design, access control and data…

More posts on API Security

Sessions on API Security

Featured

OAuth and OpenID Connect Deep Dive
Travis Spencer - Twobo Technologies - September 2013

OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Twobo Technologies, will cram in as much about these two protocols as will fit into 25 minutes.

Integrating API Security Into A Comprehensive Identity Platform
Pam Dingle - Ping Identity. Nordic APIs World Tour 2015: May 11 - Copenhagen.

OAuth 2.0 and OAuth-based protocols are considered best practice in API Security – but what would those protocols look like as part of an overall Identity strategy? Pamela Dingle talks about the value proposition and best practices around integrating a standards-based API Security framework into an overall identity infrastructure initiative.

OpenID Connect and its role in Native SSO
Paul Madsen - Ping Identity - September 18-19 2013.

If widely adopted, OpenID Connect could transform identity control by enabling single sign-on, increasing information security, and helping to manage identity throughout the Internet of Things. Within this post, we’ll dive into these three use cases on using OpenID Connect to securely manage user identity.

Building a secure API
Travis Spencer - Twobo Technologies

Presented at Nordic APIs in Stockholm. Travis Spencer gives an overview of the techniques and technologies needed to launch a secure API.

More sessions on API Security

Ebooks on API Security

Securing The API Stronghold

Digital security is a pressing concern. In the API and microservices world, proper access management needs to be seriously addressed to ensure your digital assets are securely distributed. Nordic APIs has compiled our most vital advice into a single eBook. We lay out security stacks and workflows using modern technologies such as…
