NS (Dutch Railways) has about 5 fairly autonomous development groups that use APIs to deliver data to personnel on the train and to passengers. The first thought when going for an API security architecture was to define security controls and measures top-down and roll them out to the groups, acting like an Information Security Officer.
After a visit to nearly all the groups I found that we were just starting with APIs: maturity was relatively low; when in need, people found a solution on the internet; and we had few documented or shared standards.
Hence an exchange of knowledge and developing standards together would possibly be more important than an ill-fitting top-down security architecture. This vulnerable approach, and its success factors, is what I would like to share.
October 24, 2018 10:50