API Security

PSD2: An Open Concept in Banking Mandating the Use of APIs

By | Date posted: April 25, 2017

A revolution is occurring in European banking and APIs are leading the way.

Adopted in 2007, the Payment Services Directive (PSD) “provides the legal foundation for an EU single market for payments, to establish safer and more innovative payment services across the EU.” Legislated by the European Commission, the objective of the PSD “is to make cross-border payments as easy, efficient and secure as ‘national’ payments within a Member State.”

To accommodate the rapid rise of new online payment providers – third-party payment providers (TPPs) – the European Commission proposed a revision in 2013. Building on the PSD’s key principles, PSD2 was ‘born’ to make payments safer and more secure, enhance consumer protection, foster innovation and promote competition while ensuring a level playing field for all payment service providers.

PSD2 has been in force since January 2016, and EU Member States must transpose it into national law by January 2018.

Read more

Authentication and Authorization: Reducing The Risk While Still Enabling Collaboration

By | Date posted: September 14, 2015

At the World Economic Forum held in Davos, Switzerland last January, Cisco CEO John Chambers warned, “The number of security incidents this year will be exponentially greater than last year.” If Mr. Chambers’ words did not raise a big red flag with all developers, then the events of the past few months should. Not only are such incidents more common, they are becoming more disruptive.

Read more

OPM Breach Proves Einstein Cybersecurity Not Enough

By | Date posted: June 8, 2015

It should come as no surprise to anyone that a major breach has occurred at OPM and took many months to detect. For far too long the cybersecurity industry has focused on trying to understand a network through heuristics and analytics, without the capability to enforce what the systems in the network are actually meant to do and what information they are meant to send and receive.

Read more

Keeping the “Internet of Things” Simple

By | Date posted: April 7, 2015

I once received a lengthy letter from a friend of mine that quoted the old adage, “I would have written a shorter letter, but I didn’t have the time.”

We often find that there is too little time to deal with the volume of information we are barraged with each day, let alone to manage it effectively. The so-called Internet of Things has the potential to cripple enterprise organizations that do not take the time to simplify now. However, by simplifying in two areas, they can avoid the headaches that complexity will otherwise cause later.

Read more

Why Security Certifications Matter

By | Date posted: November 18, 2014

We recently announced that Forum Sentry is the first and only API gateway to attain compliance with the internationally recognized Network Device Protection Profile (NDPP) certification. We are also the only FIPS- and DoD-certified cloud integration technology in the industry. Now PP Compliant, Forum Sentry is the industry’s only API Gateway to achieve these certifications for technology that enables secure connectivity between users, applications and the cloud. 
Read more

Three Federated API Requirements for Enterprise Cloud Computing

By | Date posted: May 15, 2014

Successful enterprise API implementations are built on a set of localized, project-level efforts with services that have clearly identified and accountable business and technology owners. Ownership defines an API domain. Deciding what services are core to a business owner and should be implemented within the owner’s API domain versus consumed from a third-party API domain becomes a critical part of building a Federated API.

Read more

How Java™ Could Have Prevented Heartbleed

By | Date posted: April 29, 2014

OpenSSL continues to cast a shadow over the IT industry’s poor choice of programming languages for developing secure software. Niels Ferguson and Bruce Schneier’s mantra, that using a programming language without protection against buffer overflows is tantamount to criminal negligence, is a continuous reminder of the memory-related security bugs that plague our industry.

Read more

OpenSSL Security Vulnerabilities and other C-based Risks

By | Date posted: April 11, 2014

One of the most significant OpenSSL security vulnerabilities is the latest Heartbleed OpenSSL security flaw (CVE-2014-0160). This vulnerability is again a reaffirmation that an enterprise’s use of C-based security modules greatly increases its risk posture. You can be certain that the IT security folks out there felt they were making the right architectural decisions to secure the enterprise. The problem isn’t the intent; the problem is the premise. Applications wrapped in security band-aids are not a sound enterprise risk mitigation strategy. Sure, Apache and OpenSSL are widely available and have been around for a long time, but look where that has led us.

Read more
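The two Heartbleed posts above argue that the bug is a memory-safety failure a C program cannot catch on its own. The following is an added example, not code from the original page and not OpenSSL’s source: it shows the shape of the defect behind CVE-2014-0160, a heartbeat handler that trusts the peer’s declared payload length, next to a handler that checks that length against the number of bytes that actually arrived. The function names, the `hb_demo_leak` scenario and the “secret” placed after the record in one buffer are this example’s own constructions; the buffer stands in for adjacent heap memory so that the over-read stays inside one array and the program runs without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat body (RFC 6520): type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. Everything below
 * is an illustrative reconstruction of the bug pattern, not OpenSSL's code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Unchecked handler: the declared payload length is trusted. The output
 * bound check keeps the write in bounds, but the memcpy reads past rec_len
 * whenever the peer declares more payload than it sent. */
size_t hb_respond_unchecked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* over-read: no check against rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Checked handler: the declared length must fit inside the bytes that
 * actually arrived (1 + 2 + payload + 16 <= rec_len); otherwise the record
 * is silently dropped, which is what the published fix does. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;  /* the missing check */
    if (3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Constructed scenario: a 23-byte request carrying 4 real payload bytes but
 * claiming 40, followed in the same buffer by unrelated secret data, the way
 * neighbouring heap allocations would be. Returns 1 when the unchecked
 * handler echoes the secret back and the checked handler refuses the record. */
int hb_demo_leak(void)
{
    static const char secret[] = "SESSION=4f2a9c";   /* constructed sample data */
    uint8_t arena[64];
    uint8_t out[128];
    const size_t real_payload = 4;
    const size_t rec_len = 3 + real_payload + HB_PADDING;   /* 23 bytes received */

    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0;
    arena[2] = 40;                                     /* claims a 40-byte payload */
    memcpy(arena + 3, "ping", real_payload);
    memcpy(arena + rec_len, secret, sizeof secret);    /* "adjacent" memory */

    size_t n = hb_respond_unchecked(arena, rec_len, out, sizeof out);
    /* The copy started at rec + 3 into out + 3, so whatever sat at arena
     * offset rec_len lands at the same offset in the response. */
    int leaked = (n == 3 + 40 + HB_PADDING) &&
                 memcmp(out + rec_len, secret, sizeof secret - 1) == 0;
    int refused = hb_respond_checked(arena, rec_len, out, sizeof out) == 0;
    return leaked && refused;
}

int main(void)
{
    printf("unchecked handler leaks adjacent data, checked handler refuses: %s\n",
           hb_demo_leak() ? "yes" : "no");
    return 0;
}
```

The point the posts make is visible in the difference between the two handlers: nothing in the language forces the second `if`, and a memory-safe runtime would have turned the over-read into a bounds exception rather than a 40-byte echo of whatever happened to follow the record.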