Security

API security

Safeguard your API platform

Secure your API with impenetrable security mechanisms. Master the use of OAuth, OpenID, and more to embed identity management across the entire platform.

BLOG POSTS on API Security

Featured

8+ Biometrics APIs At Your Fingertips

Loing for a web API to handle finger identification? Let us identify the best ones for you… Until recent years, fingers were something that most of us didn’t think about that often. Now, however, they’re something that most smartphone owners use to unlock their devices, complete on banking transactions, and so on. Despite this, with…

Read More

5 Ways To Hack An API (And How To Defend)

API hacking is, unfortunately, part of the modern API landscape. Whenever you have resources exposed to the greater internet, those resources are going to be attacked in some way. Thankfully, half of the fight is just being aware of the threats against your API. Knowing that a threat exists and preparing your solutions ahead of…

Read More

Build GDPR Compliant APIs with OpenID Connect

GDPR, the European Union’s General Data Protection Regulation, came into effect in March of 2018. This new regulation sets the privacy and security expectations for handling user data, and applies to every actor evenly tangentially related to the European market. As an API practitioner, it’s absolutely essential that you understand how to build products that…

Read More

8 Vital OAuth Flows and Powers

Daniel Lindau of Curity provides an overview of important OAuth flows and abilities The API space requires authorization in order to secure data – this is a given in the modern era. Accordingly, implementing the correct authorization system is vitally important, perhaps even important than the API it is meant to handle authorization for….

Read More

API Security: A Gateway To Heaven

Because they power applications used by hundreds, thousands, and even millions of people, security is hugely important when creating APIs. Despite this, perhaps due to their now outdated reputation as niche products “just for techies,” there can be a bit of an air of complacency around API security. In the past, we’ve written broadly about…

Read More

Benefits Of The DevSecOps Approach

If there’s one takeaway from the recent data security issues, it’s this — security is a paramount concern for any organization, large or small. That’s why it’s so confusing, then, to see so many organizations taking a lax approach towards security. It’s often seen as a secondary consideration, a last step, and because of this,…

Read More

9 Questions for Top-Level API Security Auditing

One of the most important things any API developer can realize is the fact that, as a data handler, they have some of the most important legal and moral requirements towards their data subjects of any technically oriented organization. The fact that consumers entrust developers with their data at all is predicated upon the idea…

Read More

Why API Security is More Important Than Ever

API Security: In Pursuit Of MASH Between the Cambridge Analytica incident at and the General Data Protection Regulation (GDPR) kicking in across Europe from the 25th of May, it’s safe to say that on security is set to take center stage like never before. A repercussion of all this for API developers is a…

Read More

Using OAuth Device Flow For UI-Incapable Devices

As the internet grows and devices become interconnected, authorization is becoming and complex. Early implementations of on services were easy to authorize against since they were tied to desktops, but modern authorization must consider varying environments, from mobile apps to IoT scenarios. Many of our new devices, such as smart TVs and…

Read More

High-Grade API Security For Banks

Financial institutions occupy a special zone for APIs largely because of how stringent the regulatory compliance rulesets are. The data that financial institutions leverage are protected wiy by a variety of regulatory ordinances, and as such, this data has to be stringently controlled, secured, and managed – hence why high-grade API security is such a…

Read More

3 Common Methods of API Authentication Explained

APIs handle enormous amounts of data of a wiy varying type – accordingly, one of the chief concerns of any data provider is how specifically to secure this data. The idea that data should be secret, that it should be unchanged, and that it should be available for manipulation is key to any conversation on…

Read More

Securing IoT Medical Devices

Securing Medical IoT Devices

The IoT (Internet of Things) is becoming part of our everyday life. We’re developing audio equipment that can use voice commands to process complex operations, light switches that schedule operations based on observed functionality over time, and even devices that we can use to automatically order supplies based on our consumption habits. While the IoT…

Read More

What is a JWT?

Why Can’t I Just Send JWTs Without OAuth?

A JSON Web Ten or JWT is an extremely powerful standard. It’s a signed JSON object; a compact ten format often exchanged in HTTP headers to encrypt web communications. Because of its power, JWTs can be found driving some of the largest modern API implementations. For many, the JWT represents a great solution that balances…

Read More

Top Insights From the 2017 Platform Summit

This week Nordic APIs hosted the Platform Summit, our largest conference to date. 400+ attendees and 60+ speakers arrived to a sold out event, jam-packed with the industry’s leading experts on web APIs. Our attendees represented 26 different countries, making this our most most global event ever. With tremendous growth slated for the API economy, we encouraged our…

Read More

How to Safely Throttle High Traffic APIs

Too much traffic can be a dangerous thing. To many application developers, this seems like a good problem to have – traffic is exactly what you want for your service, so accordingly, the the better. The simple truth is, however, that too much of a good thing can be very dangerous – and in…

Read More

Designing API Usage Guidelines For Bot Clients

In the spring of 2017, published a series of guiines for automated API users utilizing bots. These guiines were created to help control the intent, actions, and result of bots on the service. Accordingly, there was some discussion about just what these guiines did and didn’t do, and how valuable such a set of…

Read More

Security Points to Consider Before Implementing GraphQL

GraphQL is a very powerful query language that does a great many things right. When implemented properly, GraphQL offers an extremely elegant methodology for data retrieval, backend stability, and increased query efficiency. The key here though is that simple phrase — when implemented properly. GraphQL has had somewhat of a gold rush adoption, with…

Read More

oauth 2.0

OAuth 2.0 – Why It’s Vital to IoT Security

In this article we’ll explain why OAuth 2.0 is vital to IoT security. The internet is fundamentally an unsafe place. For every service, every API, there are users who would nothing than to break through the various layers of security you’ve erected. This is no small concern, either — in the US alone,…

Read More

Building With Open Standards Will Result in IT Longevity

In the initial years of the world wide web, much was innovated as it was needed — while the fundamentals were open and commonly agreed upon, the systems that used these fundamentals often were not. Innovation led to unique solutions, which led to the development of proprietary systems and approaches. However as time marched on, the…

Read More

Securing the IoT for Decades to Come

In 2007 Kevin Kelly gave a TED talk in which he forecasted how the World Wide Web would lo 5000 days into the future, prophesizing the emergence of the IoT and AI. He envisioned a connected planet where all manufactured goods tap into a single, global, intelligent network. At the time, the Internet of…

Read More

Review of Approov for Mobile API Security

Unfortunately, the reality of mobile apps is that at some point, someone is going to try to do something they’re not allowed to. Whether this is through brute-forcing keys, spoofing identities, or simply issuing distributed attacks across the application’s server dependencies, the threat to public-facing APIs in the mobile space is real, dangerous, and often…

Read More

How to Handle Batch Processing with OAuth 2.0

Recently on the Nordic APIs channel we’ve had a few people ask — how do you handle batch processes that are secured with OAuth 2.0? Batch requests are ones executed automatically or programmed to repeat recurringly. Usually we use OAuth to confirm user identity for API calls, but the problem is that OAuth 2.0 isn’t…

Read More

api security

API Security: The 4 Defenses of The API Stronghold

This article aims to bolster your API defenses by outlining the four foundations of API security: Authentication, Authorization, Federation, and egation. At one point or another, your secure resources will be attacked. This is the unfortunate reality of the modern era, where the skills necessary to invasively crack open a system, network, or API are commonplace than ever.

World War API: Understanding the Enemy

The virtual world stage is ever evolving, and unfortunately, the physical conflicts of yesterday are quickly becoming the digital conflicts of today. States, groups, and individuals are poised to wage digital warfare for a variety of political, economic, and social reasons. And, as with any conflict, civilian data — and civilian architecture — are prone…

Read More

More posts on API Security

Sessions on API Security

Featured

OAuth and OpenID Connect Deep Dive
Travis Spencer - Twobo Technologies - September 2013

OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Twobo Technologies, will cram in as much about these two protocols as will fit into 25 minutes.

Integrating API Security Into A Comprehensive Identity Platform
Pam Dingle - Ping Identity. Nordic APIs World Tour 2015: May 11 - Copenhagen.

OAuth 2.0 and OAuth-based protocols are considered best practice in API Security – but what would those protocols look like as part of an overall Identity strategy? Pamela Dingle talks about the value proposition and best practices around integrating a standards-based API Security framework into an overall identity infrastructure initiative.

OpenID Connect and its role in Native SSO
Paul Madsen - Ping Identity - September 18-19 2013.

If widely adopted, OpenID Connect could transform identity control by enabling single sign-on, increasing information security, and helping to manage identity throughout the Internet of Things. Within this post, we’ll dive into these three use cases on using OpenID Connect to securely manage user identity.

Building a secure API
Travis Spencer - Twobo Technologies

Presented at Nordic APIs in Stockholm. Travis Spencer gives an overview of the techniques and technologies needed to launch a secure API.

More sessions on API Security

Ebooks on API Security

Securing The API Stronghold

Digital security is and a pressing concern. In the API and microservices world, the proper access management needs to be seriously addressed to ensure your digital assets are securely distributed. Nordic APIs has compiled our most vital advice into a single eBo. We out security stacks and workflows using modern technologies such as…

Read More