“…Application programming interfaces (APIs) — or sets of instructions that allow apps to interact with one another — are popular because they reduce coding time, serve as a consistent baseline for many apps, and help spur innovation.
But, as with many things in life, they have a downside: More and more, we see APIs targeted as some of the most vulnerable points of modern infrastructure. In August 2017, for example, reporters revealed that hackers had exploited an unauthenticated API on the Panera Bread website to leak the personal data of 37 million customers.
The problem, according to Jason Macy, CTO of Forum Systems, is that lightweight API gateways and software-based identity enforcement points aren’t purpose-built to protect API endpoints or the technology serving integration points.
Forum Systems will be exhibiting at Booth #115 at API World 2019, taking place at the San Jose Convention Center, San Jose, CA, October 8-10, 2019.
“…government is a sector that already takes API security extremely seriously. Governments need APIs to connect together their vast numbers of IT systems and data stores, and to provide their workforces with modern user interfaces, and mobile access. Without APIs, the task would be impossibly expensive. Without API security, sharing data and connecting applications would be too risky.” – Stephen Pritchard, Moderator, Infosecurity Magazine
The UK Biometrics Service typifies the type of deep integration possible through APIs.
The Home Office systems hold 120 million biometric records and supply services to over 50 organizations and 45,000 users, in the UK and overseas. Each year the service handles four million visa applications, six million passport applications and six million border checks. That is in addition to providing fingerprint data to police forces…
“The Forum Sentry API Security Gateway goes beyond access control and deep into security, monitoring all the connections that it forms between systems and enforcing very granular security policies.” — John Breeden II, IDG.
One thing that makes Forum Sentry so powerful is the fact that almost every conceivable legacy protocol and program type has been built into the appliance. This makes it possible to do things like control a legacy application using an iPhone, which was not even conceived, much less invented, when the legacy application was created. Forum Sentry handles the access controls on both ends, translating requests and commands so that each part can communicate. For organizations with legacy technology that they don’t want to overhaul, Forum Sentry could offer a less cumbersome solution to bring it into the modern age…
“Product vs toolkit – What’s the difference when it comes to API and IAM security? Jason Macy, CTO at Forum Systems explains the difference between toolkits, agents, and adapters versus purpose-built security products.
The issue is that API and IAM technologies are toolkits based on frameworks, and adapter-based solutions. Marketing for API toolkits and IAM toolkits touts security features which state terms such as ‘encryption’ and ‘access control’ to lull customers into complacency. By stating security over and over, customers believe they are safe. In fairness, the toolkit vendors are not to blame since their marketing is driven out of the need to placate their customers’ concerns about security. As the cyber-threats continue to evolve, so does the marketing speak.
As IAM and API toolkits, frameworks, and adapter-based solutions continue to claim to be security products, customers must look beyond the marketing statements to understand the difference between a security product and a toolkit.
eWEEK has started a new IT products and services section that encompasses most of the categories that they cover on their site. In it, they spotlight the leaders in each sector, which include enterprise software, hardware, security, on-premises-based systems and cloud services.
Forum Sentry API Security Gateway enables enterprises and government organizations to create code-free APIs that secure access to complex enterprise applications.
We invite you to download and read our CTO Jason Macy’s article featured in Network Security.
In this era of hyper-connectivity, where almost every app or application relies on communication to a server or database somewhere, it has become harder than ever to secure an organisation’s systems, data and business-critical processes. Most of the major technology trends that have shaped IT over the past few decades – such as cloud computing, BYOD, IoT and even social media – have resulted in more people and entities connecting to corporate IT assets than ever before.
Most of the major technology trends of the past few decades have resulted in ever-greater numbers of connections to corporate IT assets.
At the heart of these connections are application programming interfaces (APIs) that underpin almost every interaction or process, and these have quickly become a prime target for attackers. Yet despite their growing prominence, they have largely remained the sleeping giant of our technology-led world, attracting too little attention when it comes to security.
API security: A modern-day gold rush? Read what our CTO Jason Macy has to say about it in SC Magazine UK.
The problem with a bolt-on approach to API security is that these API frameworks and toolkits are inherently insecure by definition and were never designed with security in mind, but rather designed for integration.
APIs (Application Programming Interfaces) exist to allow enterprises to make their key resources available to developers, mobile apps, consumers and other companies. They are one of the main ways that technology companies integrate with each other and act as the gateways to all types of functionality. Think of them as being like the plug that goes into an electric wall socket – they provide a standardised way to access the power of an application.