Blog

Four Pillars of API Security

By | Date posted: August 18, 2017

API Security is complex! Vendors like Forum Systems, IBM, CA and Axway have invested almost 2 decades of engineering effort and significant capital in building API Security stacks to lockdown APIs. The API Security stack diagram shown below is essential for rapidly locking down APIs. In this article, we review “The Four Pillars of API Security” — SSL, Identity, Content Validation and Architecture.

API Security Stack

Before addressing the Four Pillars of API Security, it is essential to recognize that a robust PKI is a must for enterprise-grade API Security. Without proper key life-cycle management, the API Security Pillars cannot be built.

Once a solid PKI foundation is in place, an organization can build API Security Pillars on this foundation. Without a robust PKI foundation to stand on, API security pillars will collapse. With a solid foundation and strong pillars, a corporation’s API attack surface area is significantly reduced. To deploy API Security, we recommend the following four pillars:

Read more

API Security – Taking the plunge

By | Date posted: August 10, 2017

Dear Readers:

Forum Systems and the security community need your help in raising API Security awareness. Forum Systems has been at the forefront of API Security for over 16 years. Our relentless efforts in educating IT professionals on how best to expose their IT assets securely via APIs has paid off: OWASP has recognized API Security as a Top 10 vulnerability as a part of its 2017 Release Candidate 1 (RC1).

OWASP has finally dipped its toes into the API Security waters. The API waters run deep and can sink every enterprise IT component with security vulnerabilities that impact network devices, load balancers, application servers, ESBs, databases and even legacy mainframe systems. No component is immune since almost all components expose their functionality via APIs.

It is for this reason we are asking your help in reinforcing the need for API Security.

The OWASP 2017 RC1 includes A10 – Unprotected APIs. We believe that A10 should be ratified in the OWASP Top 10 2017 to ensure that API vulnerabilities are actively addressed by the security community.

You can help ratify A-10 in OWASP 2017 by:

For example, see the excellent and very polite discussion on the emphasizing XXE.

Thank you for your efforts, we look forward to continuing our work with security thought leaders and the API community in making enterprise and cloud APIs secure.

-Forum Systems

API Security and OWASP Top 10

By | Date posted: August 7, 2017

API Security and OWASP Top 10 are not strangers. Many years ago (circa 2009), we presented our test results on Techniques in Attacking and Defending XML/Web Services. Fast forward to 2017, OWASP has recognized API Security as a primary security concern by adding it as A10 – unprotected APIs to its list of top 10 vulnerabilities facing web applications. Forum Systems has been at the center of building solutions that address API Security and looks forward to further working with security thought leaders in making enterprise and cloud APIs secure.

API-Security
Read more

Cloud(ed) Judgment: OneLogin’s Breach Continues to Fuel the Security Debate

By | Date posted: June 26, 2017

When it comes to the next big data breach, it’s never a matter of if, but a discussion of when.

This time, the target was identity and access management firm OneLogin, which recently shut down its U.S. data center due to compromised Amazon Web Services (AWS) keys. With the company serving more than 2,000 enterprises across 44 countries, the incident has been referred to as a “massive leak” and once again raised questions about cloud security.

As we continue to learn, everything that the cloud represents is great… until it’s not.
Read more

The President’s New EO Gets the Gist of NIST

By | Date posted: June 8, 2017

President Trump introduced his long-awaited Cybersecurity Executive Order last month. While some focused on its similarities to EO 13636 issued by the Obama administration more than four years earlier, we were more concerned with, and quite frankly, excited by, the fact that it (rightly) cast a renewed spotlight on the National Institute of Standards and Technology (NIST) Framework.

Read more

Trust, but Verify: The Missing Link in IAM

By | Date posted: May 18, 2017

Identity and Access Management (IAM) is well-entrenched in enterprise and government infrastructures.

However, in our API-driven world, merely establishing a “trusted user” – e.g., a device or a person – and granting them access to information provides an incomplete security profile. Lacking the ability to inspect the bidirectional flow of data traversing our modern computing architectures, IAM technologies cannot answer the two most critical questions about trusted users:

What information are they bringing into the network?

What information are they removing from the network?

Read more

PSD2: An Open Concept in Banking Mandating the Use of APIs

By | Date posted: April 25, 2017

A revolution is occurring in European banking and APIs are leading the way.

Adopted in 2007, the Payment Services Directive (PSD) “provides the legal foundation for an EU single market for payments, to establish safer and more innovative payment services across the EU.” Legislated by the European Commission, the objective of the PSD “is to make cross-border payments as easy, efficient and secure as ‘national’ payments within a Member State.”

To accommodate the rapid rise of new online payment providers – third-party payment providers (TPPs) – the European Commission proposed a revision in 2013. Building on the PSD’s key principles, PSD2 was ‘born’ to make payments safer and more secure, enhance consumer protection, foster innovation and promote competition while ensuring a level playing field for all payment service providers.

In force since 2016, EU Member States must implement PSD2 by January 2018.

Read more