API security

Safeguard your API platform

Secure your API with robust security mechanisms. Master the use of OAuth, OpenID Connect, and more to embed identity management across the entire platform.

BLOG POSTS on API Security


5 Ways To Hack An API (And How To Defend)

API hacking is, unfortunately, part of the modern API landscape. Whenever you have resources exposed to the greater internet, those resources are going to be attacked in some way. Thankfully, half of the fight is just being aware of the threats against your API. Knowing that a threat exists and preparing your solutions ahead of…

Read More

8 Vital OAuth Flows and Powers

Daniel Lindau of Curity provides an overview of important OAuth flows and abilities. The API space requires authorization in order to secure data; this is a given in the modern era. Accordingly, implementing the correct authorization system is vitally important, perhaps even more important than the API it is meant to handle authorization for….

Read More

API Security: A Gateway To Heaven

Because they power applications used by hundreds, thousands, and even millions of people, security is hugely important when creating APIs. Despite this, perhaps due to their now outdated reputation as niche products “just for techies,” there can be a bit of an air of complacency around API security. In the past, we’ve written broadly about…

Read More

Benefits Of The DevSecOps Approach

If there’s one takeaway from the recent data security issues, it’s this — security is a paramount concern for any organization, large or small. That’s why it’s so confusing, then, to see so many organizations taking a lax approach towards security. It’s often seen as a secondary consideration, a last step, and because of this,…

Read More

9 Questions for Top-Level API Security Auditing

One of the most important things any API developer can realize is the fact that, as a data handler, they have some of the most important legal and moral requirements towards their data subjects of any technically oriented organization. The fact that consumers entrust developers with their data at all is predicated upon the idea…

Read More

Why API Security is More Important Than Ever

API Security: In Pursuit Of MASH. Between the Cambridge Analytica incident and the General Data Protection Regulation (GDPR) kicking in across Europe from the 25th of May, it's safe to say that online security is set to take center stage like never before. A repercussion of all this for API developers is a…

Read More

Using OAuth Device Flow For UI-Incapable Devices

As the internet grows and devices become interconnected, authorization is becoming more and more complex. Early implementations of online services were easy to authorize against since they were tied to desktops, but modern authorization must consider varying environments, from mobile apps to IoT scenarios. Many of our new devices, such as smart TVs and…

Read More
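The device flow teased above is the OAuth 2.0 grant for devices that can show a short code but cannot host a browser login. The following is an added example, not code from the Nordic APIs post: a minimal in-memory authorization server and a replay of one complete exchange, with time passed in explicitly so the polling behaviour (including the `slow_down` back-off) can be checked without sleeping. The client id, scope, user name and verification URL are hypothetical.

```python
import secrets


class AuthorizationServer:
    """In-memory authorization server implementing the OAuth 2.0 device flow (RFC 8628).

    The caller supplies the clock ("now", in seconds) so an exchange can be replayed
    deterministically; a real server would use wall-clock time.
    """

    def __init__(self, interval: int = 5, lifetime: int = 600):
        self.interval = interval      # minimum seconds between token polls
        self.lifetime = lifetime      # seconds a pending device authorization stays valid
        self._grants = {}             # device_code -> pending authorization

    def device_authorization(self, client_id: str, scope: str, now: int) -> dict:
        """Step 1: the UI-less device asks for a long device_code and a short user_code."""
        device_code = secrets.token_urlsafe(32)
        # Short, human-typeable code shown on the device screen, e.g. "3F9A-C07B"
        user_code = secrets.token_hex(2).upper() + "-" + secrets.token_hex(2).upper()
        self._grants[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": now + self.lifetime, "interval": self.interval,
            "last_poll": None, "approved_by": None,
        }
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": "https://as.example.test/device",  # hypothetical URL
            "expires_in": self.lifetime, "interval": self.interval,
        }

    def approve(self, user_code: str, user: str, now: int) -> bool:
        """Step 2: the user signs in on a phone or laptop and types the user_code."""
        for grant in self._grants.values():
            if grant["user_code"] == user_code and now < grant["expires"]:
                grant["approved_by"] = user
                return True
        return False

    def token(self, device_code: str, now: int) -> dict:
        """Step 3: the device polls the token endpoint until the user has approved."""
        grant = self._grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if now >= grant["expires"]:
            del self._grants[device_code]
            return {"error": "expired_token"}
        if grant["last_poll"] is not None and now - grant["last_poll"] < grant["interval"]:
            grant["last_poll"] = now
            grant["interval"] += 5   # RFC 8628 3.5: client must add 5 s to its interval on slow_down
            return {"error": "slow_down"}
        grant["last_poll"] = now
        if grant["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._grants[device_code]  # a device_code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": grant["scope"], "sub": grant["approved_by"]}


def simulate_device_flow(poll_times=(0, 2, 12), approve_at=12):
    """Replay one exchange: device polls at poll_times, user approves at approve_at.

    Returns (transcript, token) where transcript is a list of (time, event) tuples.
    The default schedule polls too early once, to show the slow_down back-off.
    """
    srv = AuthorizationServer(interval=5)
    auth = srv.device_authorization("smart-tv-app", "playback", now=0)  # constructed client
    transcript, token, approved = [], None, False
    for t in poll_times:
        if not approved and t >= approve_at:
            approved = srv.approve(auth["user_code"], "alice", now=t)
            transcript.append((t, "user_approved"))
        resp = srv.token(auth["device_code"], now=t)
        transcript.append((t, resp.get("error", "access_token")))
        if "access_token" in resp:
            token = resp
            break
    return transcript, token


if __name__ == "__main__":
    for line in simulate_device_flow()[0]:
        print(line)
```

Two details matter in practice: the device never sees user credentials (only the short code crosses to the user's own browser), and a device_code is retired the moment a token is issued, so a leaked code cannot be replayed after the legitimate device has collected its token.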

High-Grade API Security For Banks

Financial institutions occupy a special zone for APIs largely because of how stringent the regulatory compliance rulesets are. The data that financial institutions leverage is widely protected by a variety of regulatory ordinances, and as such, this data has to be stringently controlled, secured, and managed, hence why high-grade API security is such a…

Read More

3 Common Methods of API Authentication Explained

APIs handle enormous amounts of data of widely varying types; accordingly, one of the chief concerns of any data provider is how specifically to secure this data. The idea that data should be secret, that it should be unchanged, and that it should be available for manipulation is key to any conversation on…

Read More

Securing Medical IoT Devices

The IoT (Internet of Things) is becoming part of our everyday life. We’re developing audio equipment that can use voice commands to process complex operations, light switches that schedule operations based on observed functionality over time, and even devices that we can use to automatically order supplies based on our consumption habits. While the IoT…

Read More

Why Can’t I Just Send JWTs Without OAuth?

A JSON Web Token, or JWT, is an extremely powerful standard. It is a signed JSON object: a compact token format, often carried in HTTP headers, used to convey claims between parties. Note that a signed JWT is not encrypted; anyone holding it can read its payload. Because of its power, JWTs can be found driving some of the largest modern API implementations. For many, the JWT represents a great solution that balances…

Read More
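To make the "signed, not encrypted" point concrete, here is an added example (not code from the Nordic APIs post) that mints and verifies an HS256 JWT using only the Python standard library. The key and claims are constructed for the demo. `forge` plays the attacker without the key; `check_jwt` pins the algorithm on the verifier side, compares signatures in constant time and checks `exp`, and `peek_claims` shows that the payload is readable by anyone who holds the token.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying it: a signed JWT is not secret."""
    return json.loads(b64url_decode(token.split(".")[1]))


def forge(token: str, new_claims: dict, alg: str = "HS256") -> str:
    """What an attacker without the key can do: swap the payload and keep the old
    signature, or (alg='none') rewrite the header and drop the signature entirely."""
    header_b64, _, sig_b64 = token.split(".")
    if alg != "HS256":
        header_b64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
        sig_b64 = ""
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


def check_jwt(token: str, key: bytes, now=None):
    """Verify a compact JWT. Returns (status, claims); claims is None unless status == 'ok'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        given_sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return "malformed", None
    # Pin the algorithm on the verifier side. Honouring the token's own "alg"
    # is what makes the classic alg=none and key-confusion attacks work.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "unexpected alg", None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):   # constant-time comparison
        return "bad signature", None
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return "expired", None
    return "ok", claims


if __name__ == "__main__":
    key = b"constructed-demo-key"          # demo only; real keys come from a secret store
    tok = mint_jwt({"sub": "alice", "scope": "read", "exp": 1000}, key)
    print(tok)
    print("payload readable without key:", peek_claims(tok))
    print("verify:", check_jwt(tok, key, now=500))
    print("forged payload:", check_jwt(forge(tok, {"sub": "admin", "exp": 1000}), key, now=500))
    print("alg=none:", check_jwt(forge(tok, {"sub": "admin", "exp": 1000}, alg="none"), key, now=500))
```

In production use a maintained JOSE library, but keep the same discipline: the verifier decides the algorithm and key, never the token; compare signatures in constant time; treat `exp` (and `aud`/`iss` where you issue them) as mandatory checks; and put nothing confidential in the payload unless you also encrypt (JWE).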

Top Insights From the 2017 Platform Summit

This week Nordic APIs hosted the Platform Summit, our largest conference to date. 400+ attendees and 60+ speakers arrived to a sold out event, jam-packed with the industry's leading experts on web APIs. Our attendees represented 26 different countries, making this our most global event ever. With tremendous growth slated for the API economy, we encouraged our…

Read More

How to Safely Throttle High Traffic APIs

Too much traffic can be a dangerous thing. To many application developers, this seems like a good problem to have: traffic is exactly what you want for your service, so accordingly, the more the better. The simple truth is, however, that too much of a good thing can be very dangerous, and in…

Read More
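The usual mechanism for throttling an API safely is a per-client token bucket: each client gets a burst allowance that refills at a steady rate, and excess requests are refused early with a 429 and a `Retry-After` hint rather than being queued into the backend. The block below is an added example, not code from the Nordic APIs post; the capacity, refill rate and client identifiers are constructed for the demo, and the clock is passed in so the behaviour is deterministic.

```python
import math


class TokenBucket:
    """A bucket holding at most `capacity` tokens, refilled continuously at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)   # a new client starts with a full burst allowance
        self.updated = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)   # tolerate clocks that step backwards
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        self.updated = now

    def take(self, now: float, cost: int = 1) -> bool:
        """Consume `cost` tokens if available; otherwise leave the bucket untouched."""
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def retry_after(self, cost: int = 1) -> int:
        """Whole seconds until `cost` tokens will have accrued (at least 1)."""
        return max(1, math.ceil((cost - self.tokens) / self.refill_per_sec))


class ApiThrottle:
    """Per-client throttling decision, returning what a gateway would put in the response."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}   # client_id -> TokenBucket

    def check(self, client_id: str, now: float, cost: int = 1) -> dict:
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.refill_per_sec, now)
        if bucket.take(now, cost):
            return {"status": 200, "remaining": int(bucket.tokens)}
        # Refuse before any backend work is done; tell the client when to come back.
        return {"status": 429, "remaining": 0, "retry_after": bucket.retry_after(cost)}


if __name__ == "__main__":
    throttle = ApiThrottle(capacity=10, refill_per_sec=1.0)   # constructed limits
    # Client A bursts 12 requests at t=0: the first 10 pass, the rest get 429.
    print([throttle.check("A", now=0.0)["status"] for _ in range(12)])
    print(throttle.check("B", now=0.0))          # B has its own bucket and is unaffected
    print(throttle.check("A", now=5.0))          # five seconds later A has earned 5 tokens back
```

Key the bucket on an authenticated identity (client id, API key or token subject) for known callers and on the source address for anonymous traffic; keying on something the caller chooses freely lets an attacker sidestep the limit by rotating identifiers. Weight expensive endpoints with a higher `cost` so a burst of cheap calls and a single heavy one draw from the same allowance.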

Designing API Usage Guidelines For Bot Clients

In the spring of 2017, a series of guidelines for automated API users utilizing bots was published. These guidelines were created to help control the intent, actions, and result of bots on the service. Accordingly, there was some discussion about just what these guidelines did and didn't do, and how valuable such a set of…

Read More

Security Points to Consider Before Implementing GraphQL

GraphQL is a very powerful query language that does a great many things right. When implemented properly, GraphQL offers an extremely elegant methodology for data retrieval, backend stability, and increased query efficiency. The key here though is that simple phrase — when implemented properly. GraphQL has had somewhat of a gold rush adoption, with…

Read More

OAuth 2.0 – Why It’s Vital to IoT Security

In this article we'll explain why OAuth 2.0 is vital to IoT security. The internet is fundamentally an unsafe place. For every service, every API, there are users who would like nothing more than to break through the various layers of security you've erected. This is no small concern, either; in the US alone,…

Read More

Building With Open Standards Will Result in IT Longevity

In the initial years of the world wide web, much was innovated as it was needed — while the fundamentals were open and commonly agreed upon, the systems that used these fundamentals often were not. Innovation led to unique solutions, which led to the development of proprietary systems and approaches. However as time marched on, the…

Read More

Securing the IoT for Decades to Come

In 2007 Kevin Kelly gave a TED talk in which he forecasted how the World Wide Web would look 5000 days into the future, prophesizing the emergence of the IoT and AI. He envisioned a connected planet where all manufactured goods tap into a single, global, intelligent network. At the time, the Internet of…

Read More

Review of Approov for Mobile API Security

Unfortunately, the reality of mobile apps is that at some point, someone is going to try to do something they’re not allowed to. Whether this is through brute-forcing keys, spoofing identities, or simply issuing distributed attacks across the application’s server dependencies, the threat to public-facing APIs in the mobile space is real, dangerous, and often…

Read More

How to Handle Batch Processing with OAuth 2.0

Recently on the Nordic APIs channel we’ve had a few people ask — how do you handle batch processes that are secured with OAuth 2.0? Batch requests are ones executed automatically or programmed to repeat recurringly. Usually we use OAuth to confirm user identity for API calls, but the problem is that OAuth 2.0 isn’t…

Read More

API Security: The 4 Defenses of The API Stronghold

This article aims to bolster your API defenses by outlining the four foundations of API security: Authentication, Authorization, Federation, and Delegation. At one point or another, your secure resources will be attacked. This is the unfortunate reality of the modern era, where the skills necessary to invasively crack open a system, network, or API are more commonplace than ever.

Tips and Tools for Debugging APIs

Benjamin Franklin once famously said “in this world nothing can be said to be certain, except death and taxes”. For the software developer, the saying should be amended to read “except death and taxes — and software bugs.” It’s an unfortunate fact that the very nature of software development, especially in the collaborative environments popular…

Read More

Walkthrough of APIware’s Sapience API Security Validation Tool

These days, APIs need to be strong. They need to be resilient to change, and must triumph in the face of the malicious schemes hackers use to disrupt core systems. But how does a provider consistently maintain security across their API platform, and consistently check to see that security is maintained throughout continuous code deployments? As…

Read More

API Keys ≠ Security: Why API Keys Are Not Enough

Despite the alluring simplicity and ease of utilizing API Keys, the shifting of security responsibility, lack of granular control, and misunderstanding of purpose and use amongst most developers makes solely relying on API Keys a poor decision. More than just protecting API keys, we need to program robust identity control and access management features to safeguard the entire API platform….

World War API: Understanding the Enemy

The virtual world stage is ever evolving, and unfortunately, the physical conflicts of yesterday are quickly becoming the digital conflicts of today. States, groups, and individuals are poised to wage digital warfare for a variety of political, economic, and social reasons. And, as with any conflict, civilian data — and civilian architecture — are prone…

Read More

API Security: Deep Dive into OAuth and OpenID Connect

OAuth 2 and OpenID Connect are fundamental to securing your APIs, and are the standard way to protect the data that your services expose. They are complicated though, so we wanted to go into some depth about these standards to help you deploy them correctly. OAuth and OpenID Connect in Context: always be aware that OAuth…

Read More

How To Control User Identity Within Microservices

Everyone’s excited about microservices, but actual implementation is sparse. Perhaps the reason is that people are unclear on how these services talk to one another; especially tricky is properly maintaining identity and access management throughout a sea of independent services. Unlike a traditional monolithic structure that may have a single security portal, microservices pose many…

Read More

Maintaining API Security in a Continuous Delivery Environment

Continuous Delivery is a hallmark of the modern development world. As tools have matured and the needs of the consumer have evolved, constant development and deployment have become the norm rather than the exception. With this increase in deployment, the security burden has increased part and parcel. In this piece, we're going to discuss how to maintain…

Read More

3 Unique Authorization Applications of OpenID Connect

If widely adopted, OpenID Connect could transform identity control by enabling single sign-on, increasing information security, and helping to manage identity throughout the Internet of Things. Within this post, we'll dive into these three use cases on using OpenID Connect to securely manage user identity.

Token Design for a Better API Architecture

Little details like tokens can sometimes help structure complex API architectures. In this piece we're going to have a look at different architectures, and ultimately see how a better way to design tokens can lead to a performant result. Consider the role of tokens within two facets of API design, access control and data…

Read More

More posts on API Security

Sessions on API Security


OAuth and OpenID Connect Deep Dive
Travis Spencer - Twobo Technologies - September 2013

OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Twobo Technologies, will cram in as much about these two protocols as will fit into 25 minutes.

Integrating API Security Into A Comprehensive Identity Platform
Pam Dingle - Ping Identity. Nordic APIs World Tour 2015: May 11 - Copenhagen.

OAuth 2.0 and OAuth-based protocols are considered best practice in API Security – but what would those protocols look like as part of an overall Identity strategy? Pamela Dingle talks about the value proposition and best practices around integrating a standards-based API Security framework into an overall identity infrastructure initiative.

OpenID Connect and its role in Native SSO
Paul Madsen - Ping Identity - September 18-19 2013.

If widely adopted, OpenID Connect could transform identity control by enabling single sign-on, increasing information security, and helping to manage identity throughout the Internet of Things. Within this post, we’ll dive into these three use cases on using OpenID Connect to securely manage user identity.

Building a secure API
Travis Spencer - Twobo Technologies

Presented at Nordic APIs in Stockholm. Travis Spencer gives an overview of the techniques and technologies needed to launch a secure API.

More sessions on API Security

Ebooks on API Security

Securing The API Stronghold

Digital security is more and more a pressing concern. In the API and microservices world, proper access management needs to be seriously addressed to ensure your digital assets are securely distributed. Nordic APIs has compiled our most vital advice into a single eBook. We lay out security stacks and workflows using modern technologies such as…

Read More