We published a new eBook: Identity and APIs!

Much of API security boils down to how you handle identity. In Identity and APIs, we discover the techniques to secure platform access and delegate identity throughout a mature API ecosystem. As enterprises invest heavily in web API strategies, they must rethink security, incorporating concepts like OAuth, OpenID Connect, and the API Security Maturity Model.

Download Identity and APIs for FREE without handing over an email. PDF, EPUB, and MOBI formats are available for direct download. It’s also available on Leanpub as well as Amazon Kindle for a small fee.


Travis Spencer, CEO of Curity, Co-Founder of Nordic APIs.

A Foreword by Travis Spencer

The other day, I rewatched the recording of my first-ever presentation at Nordic APIs’ inaugural event in 2013. In that, I discussed digital identity and its bearing on APIs. I pointed out that a new stack of security standards had emerged with the advent of OAuth, OpenID Connect, and SCIM. I ran through some flows and specs that I believed would shape API security for the coming decade, and advised listeners to abandon antiquated predecessors. From my first contribution to this community, I have sought to explain how important it is to know who is on the other end of the wire communicating with our APIs.

The next day, Bill Doerrfeld emailed me a manuscript of this ebook. The serendipitous timing struck me in two ways. First, this central, important intersection of digital identity and APIs continues to be paramount to all practitioners in the space. It is not surprising that 5 out of 10 of the most popular videos on the Nordic APIs YouTube channel are related to API security. This aspect of APIs is really challenging, and almost all deployments must overcome it. Secondly, we have come very far as a community. From that short 20-minute presentation to this and other ebooks, blog posts, presentations, and workshops flowing out of this community, we’ve made tremendous progress that has lifted not only this group but, I dare say, IT in general.

On behalf of myself and Curity, we are very pleased to be a part of Nordic APIs and contribute to this critical discussion. I believe that digital identity vis-a-vis APIs will continue to be a central theme in the API space for the coming decade. I think the nuances will change slightly, and that the standards will evolve. However, what we have today – the info covered in this book – will remain the underpinnings and requisite know-how. Digging into this ebook and the topics it addresses will be well worth the effort and rewarded for years to come.

I hope you enjoy reading the work of Bill and his team, and that this ebook deepens your understanding of this key intersection of identity and APIs!

If you like this topic, attend the companion event LiveCast: Identity and APIs, featuring Jacob Ideskog and David Stewart on the most pressing API security concerns for 2020.


Preface: Secure APIs With An Identity Focus

by Bill Doerrfeld

If you’re into building with APIs, you’re probably introducing new software architecture to bring scalability and efficiency advancements. But are you introducing new vulnerabilities as well?

Developers have traditionally not built from an external-facing viewpoint. But in today’s cloud-native world of Bring Your Own Device and remote access, security is a more paramount issue than ever, even for internal systems. “If we don’t take these concerns early on, they will cause catastrophic problems later on,” warned Keith Casey in a recent Nordic APIs webinar.

Continual exploits demonstrate a lack of security maturity across the cloud industry, underscoring the need for more security forethought. To combat these prevalent issues, many cybersecurity experts now turn to identity. At Nordic APIs events, we’ve repeatedly witnessed speakers stress the importance of identity handling to mature API platforms at scale. As digital ecosystems evolve, so must access management strategies.

Authorization and authentication systems for microservices have changed significantly over the past few years, moving from HTTP Basic Auth, to API Keys, to OAuth 2.0. Now, experts view OAuth Scopes and Claims as the most mature form of API security. Centralized trust using Claims is “the place you want to get to in order to mature your API Security model,” says Jacob Ideskog of Curity. With this approach, authorization is uniform and reliable, and attack vectors (or room for honest mistakes) are significantly reduced.

In short, to plug security gaps, software architects must consider identity alongside an API strategy. So, to torchlight the identity fires, we’ve assembled the top relevant Nordic APIs articles on APIs and Identity.

We’ve organized APIs and Identity into three parts:

  1. Part One introduces basic concepts related to API security and identity. Familiarize yourself and see where you sit on the API Security Maturity Model.
  2. Part Two dives deeper into OAuth flows, giving you the tools to see which is best for your scenario. See how other open identity standards like SCIM make this all possible.
  3. Part Three looks at high-risk sectors where API security needs the most focus, arguing why an identity emphasis is so important in these areas.

We’ve also linked to the original source for each article, so you can review the deeper conversations that many of these articles inspired.

So, please enjoy APIs and Identity, and let us know how we can improve. If you haven’t yet, consider signing up for our newsletter for bi-monthly blog updates and event announcements. We also accept blog contributions from the community — if interested, please visit our Create With Us page to submit an article.

Nordic APIs

In 2013, Nordic APIs was formed to help organizations become more innovative, lean, and efficient. Nordic APIs has grown into one of only a few all-API-related event series held anywhere in the world, and it’s the Nordics’ largest international community for API practitioners and enthusiasts. Through the global reach of our blog, we’re connected to tens of thousands of API practitioners from around the world.