API Management for IoT: What's New

According to Statista, by 2030, there could be over 29 billion IoT-connected devices, with an expected steady growth of billions of devices per year.

One concern about this continuing increase in IoT is the tension between individual privacy and law enforcement’s desire to track down criminal activity. IoT inventors need to consider the landscape of privacy and forensics. Whatever the stance, IoT producers must understand the potential usage of their devices and what device management they need to perform now, and potentially in the future, should they either change their stance or have to respond to individual, forensic, or litigation demands.

Along with the proliferation of devices and demands comes internet traffic. Over half of API calls are from IoT devices, making management even more crucial.

Danger Lurks Around Every Corner

There’s a fairly new toolkit for sale to criminals on a private Telegram channel called AlienFox. This scanner “uses data-extraction scripts to search the misconfigured servers for sensitive configuration files commonly used to store secrets, such as API keys…”

Also relatively new is the NUIT (Near-Ultrasound Inaudible Trojan) attack, which “can launch silent attacks against devices powered by voice assistants.”

How might IoT device creators and maintainers push security, firmware, and software updates for new findings when managing IoT? Can customers be assured that fixes for new vulnerabilities can be quickly and easily deployed? Are there proper APIs in place to enable such management? Companies should consider how API management might be performed in case of known and potential attacks (a lack of omniscience does not equate to a lack of forethought).

The Need for Secure Design

Properly managing IoT is serious business. So serious, in fact, that in the US, the Food and Drug Administration (FDA) has stated that, beginning October 1, 2023, all new medical device submissions must include cybersecurity details. “Developers must now design and maintain procedures able to show, with reasonable assurance, ‘that the device and related systems are cybersecure’ and create post-market updates and patches to the device and connected systems that address ‘on a reasonably justified regular cycle, known unacceptable

Threat Modeling

Threat modeling is one method to help address these needs. It’s a traditional approach to figuring out how to design physical and virtual products to be fit for use, safe and secure, and meet required standards.

A couple of sources for understanding threat modeling include OWASP and SecurityZines. A simplified version of threat modeling based on the Threat Modeling is as follows:

  1. Assess scope
  2. Identify risks
  3. Identify countermeasures
  4. Assess progress

In information security, it’s common to apply threat modeling only to how an application is coded. But it also applies to regulations and future customer demands, so it may help to call it Requirement Modeling for the current purpose of securing APIs and IoT. As I heard recently in a murder mystery TV show, consider all the contingencies.

In addition to typical threats such as DDoS, broken authentication, and injection, API design for IoT needs to include currently applicable regulations, best practices for the industries using the devices, potential customer demands based on the product department’s expertise, and potential and upcoming regulations noted by the compliance and legal departments.

Foundations First

Any structure needs to have a solid foundation. So, before embarking on what’s new, IoT API providers should ensure they have the foundations covered (this is in addition to the Requirement Modeling above). Here are some key areas to keep in mind.

API Inventory

Avoid API sprawl, zombie APIs, and shadow APIs by cataloging what you have. The rapid pace of API development, a benefit made possible by advancements such as low-code development, contributes to these issues, creating a double-edged sword.

Additionally, Salt Labs found that 37% of organizations update their APIs at least weekly. Because of this constant change, APIs are nearly impossible to document well, making quality API documentation more important than ever.
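One concrete way to keep the inventory honest is to reconcile the API catalog against what the gateway actually sees, which surfaces shadow APIs (called but never cataloged), zombie APIs (deprecated but still receiving calls) and unused APIs (cataloged but never called). The following is an added example, not code from the article or any product it mentions; the catalog tuple shape, the access-log line format and all device and path names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed catalog of what the team believes is deployed. The tuple shape
# (method, path template, lifecycle status) is an assumption for this example.
CATALOG = [
    ("POST", "/v2/devices/{id}/telemetry", "active"),
    ("GET", "/v2/devices/{id}/firmware", "active"),
    ("GET", "/v2/devices/{id}/config", "active"),
    ("POST", "/v1/devices/{id}/telemetry", "deprecated"),
]
# Constructed gateway access-log lines in a hypothetical "METHOD PATH STATUS" format.
ACCESS_LOG = """\
POST /v2/devices/sensor-17/telemetry 200
POST /v2/devices/sensor-42/telemetry 200
POST /v1/devices/sensor-03/telemetry 200
GET /v2/devices/sensor-17/firmware 200
GET /internal/debug/dump 200
GET /internal/debug/dump 200
POST /v2/devices/sensor-42/telemetry 500
"""

def template_to_regex(template):
    """Compile "/v2/devices/{id}/telemetry" so that {id} matches exactly one path segment."""
    parts = ["[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")

def match_catalog(catalog, method, path):
    for entry in catalog:
        if entry[0] == method and template_to_regex(entry[1]).match(path):
            return entry
    return None

def reconcile(catalog, log_text):
    """Shadow: called but not cataloged (needs a security review, not just a doc fix).
    Zombie: called although deprecated (old clients lingering). Unused: active but never called."""
    hits, shadow = Counter(), Counter()
    for line in log_text.splitlines():
        method, path, _status = line.split()
        entry = match_catalog(catalog, method, path)
        if entry is None:
            shadow[(method, path)] += 1
        else:
            hits[entry] += 1
    zombie = {e[1]: n for e, n in hits.items() if e[2] == "deprecated"}
    unused = [e[1] for e in catalog if e[2] == "active" and e not in hits]
    return {"shadow": dict(shadow), "zombie": zombie, "unused": unused}
```

Run `reconcile(CATALOG, ACCESS_LOG)` to get the three findings; the shadow list is the one to triage first, since nobody has threat modeled those endpoints.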

Security

With so many devices connected to the internet, securing the API endpoints that allow these devices to communicate with each other and other systems is crucial.

Scalability

IoT devices generate large amounts of data, and API management must scale to handle increased traffic. APIs should be designed to employ load-balancing techniques.

Protocol Support

IoT devices often use different communication protocols, like MQTT and CoAP, and API management should be able to support them to enable seamless integration.

Monitoring and Analytics

Including monitoring tools that track API performance and detect real-time anomalies will help mitigate issues. This should include analytics capabilities to collect data on how APIs are being used and identify patterns that can be used to optimize API performance.
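As an added illustration of the anomaly detection described above (not code from the article), the streaming check below keeps a one-minute window of requests per device and raises an alert the first time a device exceeds its expected call rate or its error ratio climbs, which is what a burst of failed firmware requests from a single sensor looks like at the gateway. The log format, device names and baseline thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gateway log lines in a hypothetical "TIMESTAMP DEVICE PATH STATUS"
# format; sensor-99 shows a burst of failed firmware requests.
LOG_LINES = """\
2024-05-01T10:00:00Z sensor-17 /v2/devices/sensor-17/telemetry 200
2024-05-01T10:00:05Z sensor-42 /v2/devices/sensor-42/telemetry 200
2024-05-01T10:00:10Z sensor-17 /v2/devices/sensor-17/telemetry 200
2024-05-01T10:00:11Z sensor-99 /v2/devices/sensor-99/firmware 401
2024-05-01T10:00:12Z sensor-99 /v2/devices/sensor-99/firmware 401
2024-05-01T10:00:13Z sensor-99 /v2/devices/sensor-99/firmware 401
2024-05-01T10:00:14Z sensor-99 /v2/devices/sensor-99/firmware 401
2024-05-01T10:00:15Z sensor-99 /v2/devices/sensor-99/firmware 200
2024-05-01T10:00:20Z sensor-42 /v2/devices/sensor-42/telemetry 200
"""
# Assumed baselines: a sensor should call the API only a few times per minute,
# and most of its calls should succeed.
WINDOW = timedelta(seconds=60)
MAX_REQUESTS_PER_WINDOW = 4
MAX_ERROR_RATIO = 0.5
MIN_SAMPLE = 3  # do not judge an error ratio on one or two requests

def parse(line):
    ts, device, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, path, int(status)

def detect_anomalies(log_text):
    """Single streaming pass; returns (timestamp, device, reason) the first
    time each device trips each rule, so a noisy device yields one alert per rule."""
    windows = defaultdict(deque)  # device -> (timestamp, status) pairs within WINDOW
    fired, alerts = set(), []
    for line in log_text.splitlines():
        ts, device, _path, status = parse(line)
        q = windows[device]
        q.append((ts, status))
        while ts - q[0][0] > WINDOW:  # evict requests that fell out of the window
            q.popleft()
        n = len(q)
        errors = sum(1 for _, s in q if s >= 400)
        rules = (("rate", n > MAX_REQUESTS_PER_WINDOW),
                 ("error-ratio", n >= MIN_SAMPLE and errors / n > MAX_ERROR_RATIO))
        for reason, tripped in rules:
            if tripped and (device, reason) not in fired:
                fired.add((device, reason))
                alerts.append((ts, device, reason))
    return alerts
```

In production the thresholds would come from a learned per-device baseline rather than constants, but the window-and-ratio logic is the same.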

Versioning and Documentation

IoT devices and their APIs are often updated, and careful versioning should be used to ensure backward compatibility. These changes, along with keeping an up-to-date inventory, will require attention to detail.

Now that we have covered some best practices to keep in mind, let’s take a look at technology trends. Here are some of the latest advancements that IoT API management should take into consideration.

Edge Computing

Edge computing is becoming increasingly popular in IoT applications. This allows data to be processed closer to the source, reduces latency, and improves response times.

Machine Learning (ML)

ML improves API management for IoT by automating API discovery, security, and optimization tasks. ML algorithms leverage huge data sets generated by IoT devices to identify patterns and anomalies, leading to API performance and security optimization.

API Marketplaces

New business models and revenue streams are created when API management platforms integrate with API marketplaces, enabling developers to discover and use APIs from multiple providers.

API-First Design

API-first design emphasizes designing APIs before designing the underlying application. This approach is growing in popularity in IoT applications because it allows for greater flexibility and scalability during development.

Blockchain

Blockchain could be used in API management for IoT to improve security and data integrity. Blockchain technology can create a tamper-proof ledger of transactions between IoT devices to ensure secure and immutable data.

Low-Code Development

Low-code development platforms are becoming popular for developing IoT applications and systems. These allow developers to create applications and systems using visual interfaces and pre-built components, reducing development time and costs. A drawback to this approach is that even inexperienced developers can develop rapidly, creating more of a risk that the APIs grow too numerous and too quickly to be managed (refer to the “API Inventory” section above).

“This Is the Way”

This now-famous proverb from a popular sci-fi series is apropos. Not that this article is “the way,” but API and IoT have created new venues for both new ideas and new problems. This means that the tried-and-true foundations of product development, and the tradition of looking ahead to consider potential changes, matter as much as ever. Getting back to the basics lays the foundation for innovation.