Archives Forum Systems

API Security Critical to Federal IT Modernization Strategy

By | Date posted: December 5, 2018


…As Federal agencies seek to incorporate an application programming interface (API) strategy into their IT modernization initiatives, a word of caution: make sure you have API-specific security integrated into your IT infrastructure.


“Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities,” according to the OWASP report.

OWASP has identified five key steps for protecting APIs. The organization recommends that agencies fully understand their threat model and the defenses they already have in place, especially for the often overlooked APIs that tie everything together. Its specific advice breaks down into five major points:

  1. Ensure that you have secured communications between the client and your APIs.
  2. Ensure that you have a strong authentication scheme for your APIs, and that all credentials, keys, and tokens have been secured.
  3. Ensure that, whatever data format your requests use, the parser configuration is hardened against attack.
  4. Implement an access control scheme that protects APIs from being improperly invoked, including unauthorized function and data references.
  5. Protect against injection of all forms, as these attacks are just as viable through APIs as they are for normal apps.
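Step 3 above, hardening the parser, is the one most often skipped for SOAP/XML endpoints. The following is an added illustration, not code from the article or from OWASP: a small request parser on Python's standard-library expat bindings that refuses DOCTYPE declarations, external entity references and over-deep nesting before any of the body is interpreted. The Envelope/Body/Lookup message shape, the depth limit and the sample bodies are constructed for the example.

```python
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a request body uses an XML construct the service refuses."""


class HardenedXMLParser:
    """Collects element-path -> text pairs; rejects DOCTYPE, external entities, deep nesting."""
    MAX_DEPTH = 32  # constructed limit: stop pathological nesting early

    def __init__(self):
        self._stack = []
        self.fields = {}
        p = expat.ParserCreate()
        # expat reports these constructs before expanding anything, so raising here aborts the parse.
        p.StartDoctypeDeclHandler = self._reject_doctype
        p.ExternalEntityRefHandler = self._reject_external_entity
        p.StartElementHandler = self._start
        p.EndElementHandler = self._end
        p.CharacterDataHandler = self._text
        self._parser = p

    def _reject_doctype(self, name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def _reject_external_entity(self, context, base, sysid, pubid):
        raise UnsafeXML("external entity references are not accepted")

    def _start(self, name, attrs):
        self._stack.append(name)
        if len(self._stack) > self.MAX_DEPTH:
            raise UnsafeXML("element nesting too deep")

    def _end(self, name):
        self._stack.pop()

    def _text(self, data):
        if data.strip():  # ignore indentation whitespace between elements
            path = "/".join(self._stack)
            self.fields[path] = self.fields.get(path, "") + data.strip()

    def parse(self, body: bytes) -> dict:
        try:
            self._parser.Parse(body, True)
        except expat.ExpatError as exc:
            raise UnsafeXML(f"malformed XML: {exc}") from exc
        return self.fields


# Constructed sample bodies for a hypothetical SOAP-style lookup service.
GOOD_REQUEST = b"<Envelope><Body><Lookup><id>42</id></Lookup></Body></Envelope>"
DTD_REQUEST = (b'<!DOCTYPE r [<!ENTITY x "expanded">]>'
               b"<Envelope><Body><Lookup><id>&x;</id></Lookup></Body></Envelope>")


def parse_request(body: bytes):
    """Return the parsed fields, or None when the body is rejected."""
    try:
        return HardenedXMLParser().parse(body)
    except UnsafeXML:
        return None
```

A gateway or service would log the rejection reason and return a 400 rather than letting the default parser decide what a DOCTYPE means.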

Read full article in Meritalk

Public Cloud API Security Risks: Fact or Fiction?

By | Date posted: November 28, 2018


…Most cloud services use multi-tenant API gateways (meaning shared across different customers and applications) to identify and verify users, as well as to act as the single point of entry across many disparate APIs.

There is an obvious problem here in that the very location that is designed to share information is also the same place that needs to be most highly protected and secured.

The growth in the public cloud worldwide shows no sign of slowing down, with the market predicted to be worth around 160 billion U.S. dollars by 2020. And this trend has become even more widespread in the UK since the introduction of the Government’s Cloud First policy in 2013, which aims to make the cloud the default choice for a variety of computing services. While the UK Government’s Austerity Programme has had some effect on take up, the overall trend is still consistent. Many UK departments have already made this decision based on risk management assessments.

Migration to the cloud essentially means moving sensitive government data to a third-party infrastructure and often relying on that third party for security.

Read full article in Computer Business Review

Public cloud API security: How safe is our data?

By | Date posted: November 21, 2018


…APIs let applications (and devices) seamlessly connect and communicate. An API can create a seamless flow of data between apps and devices in real time.

ProgrammableWeb, a site that tracks more than 15,500 APIs, lists Google Maps, Twitter, YouTube, Flickr and Amazon Product Advertising as some of the most popular ones. APIs allow you to order pizza, book a hotel room, check the weather forecast, rate a book, or download a song. APIs make the interactivity that we expect on the internet happen – and at a lightning quick speed.

The reason APIs have become the centre point of innovation for the cloud is that they represent a consistent, standards-based means of communicating, and thus allow companies to more easily adopt APIs regardless of the disparate technologies in their architecture.

Since APIs allow simplified connection to applications and services, essentially acting as a door that anyone with the right key can enter, they also present a heightened cybersecurity risk. Most cloud services use API gateways to identify and verify users, and to act as the single entry point into the service, so, of course, this is the main focus of attack for most hackers. As APIs are connectors to the cloud, they are a veritable ‘all-you-can-eat buffet’ for hackers who seek to compromise APIs to gain access to sensitive data for fraud, theft or even blackmail…

Read full article in IT Pro Portal

2014-2018 – Has API Security Changed? Yes and No.

By | Date posted: November 15, 2018

Application programming interface (API) security remains a hugely overlooked issue, but Forum Sentry remains on top of its game. Let’s take a trip down memory lane from one glowing 2014 SC Magazine review, to our latest radiant review from CSO’s John Breeden.

2014

Let’s set the scene. The Pharrell Williams song “Happy” was topping the charts, the last season of Mad Men premiered, Kim Kardashian attempted to break the internet (seems to still be running on our end), and everyone was going crazy over the new iPhone 6 #Bendgate.

In the API security world, it was also the year of “The Snappening.” Hackers attacked third-party applications that connect to Snapchat via an unsecured API. The result: 90,000 photos that were presumed to be deleted were leaked. This was the cherry on top of a sad Snapchat sundae – earlier that year, hackers stole millions of Snapchat usernames and phone numbers.

2018

The year isn’t over quite yet, but some of the top pop culture stories have included the rise and fall of SNL’s Pete Davidson and chart-topper Ariana Grande’s engagement (as well as who gets to keep Piggy Smallz), spoilers and speculation surrounding Avengers: Infinity War made their way around the internet, and as of last week, the man who played Big Bird and Oscar the Grouch for nearly 50 years retired.

Surely, we’ve learned to secure our APIs by now, right? Despite Google’s acquisition of the Apigee API Management Platform and handsome spending for a Gartner Magic Quadrant dot, Google+ is back in the headlines after an announcement that effectively put the final nail in the social platform’s coffin. In addition to shuttering the service, Google announced that an API bug exposed the details of 500,000 users. Oh, and Google chose not to disclose the breach for six months. Perhaps Google is wishing they had listened to our repeated warnings that API Management is not API Security.

So, what have we learned?

It sure doesn’t seem like much, but the good news is that API security awareness is on the rise. It’s largely due to the increased number of high-profile hacks hitting the headlines, but better late than never, right? API developers are focusing in on discovering and analyzing how customers are interacting with their APIs, and API security is moving from an afterthought to a key part of the development process.

As John Breeden writes, “The unsung hero of today’s modern networks is the API, the tiny programs and protocols that act as the bridges bringing users, networks, systems and information together.”

We couldn’t agree more, which is why we designed the Forum Sentry API Security Gateway with security in mind to help your company stay out of the data leak headlines.

So, does Forum Sentry still live up to its 2014 SC Magazine review? CSO seems to think so. Here are some of the highlights from John’s 2018 Forum Sentry review:

  • Easy Install: “Installing Forum Sentry is relatively easy… Administrators simply need to point programs at the gateway and define what types of connections are allowed.”
  • API Management: “The Forum Sentry API Security Gateway from Forum Systems takes a novel approach, using an appliance to link everything from modern to legacy systems, while also hardening and monitoring those connections to keep them free from compromise or tampering. And, by protecting the APIs and enforcing security policies on those connections, it can also protect the core network.”
  • Visualization: “Examining every aspect of a security policy can be done from within the main console, where a graphical interface makes all the interactions easy to comprehend and visualize.”
  • Powerful Single Sign On: “One thing that makes Forum Sentry so powerful is the fact that almost every conceivable legacy protocol and program type has been built into the appliance. The Forum Sentry API Security Gateway’s access control abilities are impressive, but it goes beyond access control and deep into security, monitoring all those connections that it forms and enforcing very granular security policies. It can even be used as part of a single sign on program, since it can control all aspects of connectivity and user access. Any organization with a large network can find a good use for Forum Sentry to help protect their APIs, connections and users.”

Want to learn more? Reach out to info@forumsys.com to discover what the unique qualifications of the Forum Sentry API Security Gateway can do for your organization to secure your APIs (and your API Management Platforms) once and for all.


What’s in a (Security) Name? Turns Out, Plenty

By | Date posted: November 7, 2018

“Who would claim to be that who was not? Hmm?”

This iconic rhetoric, from the 1987 film, “The Untouchables,” was delivered by Sean Connery’s street-wise policeman Jim Malone when he first meets Kevin Costner’s principled treasury officer Eliot Ness.

The highlight reel: Ness was upset that Malone didn’t investigate him further after discovering Ness, who identified himself as a treasury officer, was carrying a concealed weapon. As fans of the film know, the two ultimately form the titular group – The Untouchables – to battle Robert DeNiro’s Al Capone in 1930s Chicago.

While powerful movie dialogue, the answer to the question in the real world is “plenty.” Vendors constantly bombard us with claims that users need to examine thoroughly instead of accepting as gospel.

In the consumer realm, Consumer Reports is a reliable ally. The nonprofit watchdog organization is a steadfast proponent of consumer self-education and frequently produces informative articles on how to decipher labels, particularly those that pertain to food products.

However, in the IT world, it can be more difficult to navigate vendor marketing-speak. That’s especially the case when it comes to security.

The ‘APIcenter’ of Modern Computing – and (In)Security

As we’ve discussed, APIs are the instrumental interconnection points – what we sometimes refer to as “the connective tissue” – of our modern computing architecture. A companion technology, Identity and Access Management (IAM), is also essential in providing the authentication and access control to APIs.

Enterprises understand APIs’ tremendous business value. Unfortunately, so do hackers.

2017 was a watershed year for API (in)security, and 2018 is shaping up to be even worse. High-profile incidents involving Reddit/Mailgun, Roku, Panera and, just this week, Google, continue to demonstrate that the security of APIs is a misunderstood and, far too often, unpracticed discipline.

Knowing (The Difference) is Half the Battle

To help security professionals implement a sound API and IAM security strategy, our CTO, Jason Macy, recently authored an Executive Insight column published in SC Media UK. In the piece, Jason cautions that “API security and IAM security…are starting to lose meaning by their association with vendor marketing that dilutes the definition of security.”

Further, he advises, “customers must look beyond the marketing statements to understand the difference between a security product and a toolkit” as well as frameworks and adapter-based solutions professing similar security claims. “Whereas a toolkit bolts on security” to an architecture that “is vulnerable to attack,” Jason continues, “an API or IAM security product is built with a secure, locked-down architecture with self-integrity checks to ensure the product itself is not able to be compromised.”

Emblematic of this distinction is the API Security Gateway. This technology, Jason states, is “where ‘Security’ means the literal, cyber-hardening of the Gateway product itself so that API and IAM enablement can be done securely and without risk of compromise.”

Last month, one of the central themes of Forum Systems’ annual London API Summit was examining the security shortcomings of toolkits, agents and adapters, and contrasting that with the comprehensive functionality of an API Security Gateway. Similarly, Director of Field Operations Greg DiFruscio also explored this topic in his “Combine API and IAM into a Simplified and Secure Architecture” session at API World 2018.

If you were unable to attend one or both of those events and would like to learn more, please contact us at info@forumsys.com.


APIs: Risks, Potential and Security Solutions

By | Date posted: November 1, 2018


“…government is a sector that already takes API security extremely seriously. Governments need APIs to connect together their vast numbers of IT systems and data stores, and to provide their workforces with modern user interfaces, and mobile access. Without APIs, the task would be impossibly expensive. Without API security, sharing data and connecting applications would be too risky.” – Moderator, Infosecurity Magazine

The UK Biometrics Service typifies the type of deep integration possible through APIs.

The Home Office systems hold 120 million biometric records and supplies services to over 50 organizations and 45,000 users, in the UK and overseas. Each year the service handles four million visa applications, six million passport applications and six million border checks. That is in addition to providing fingerprint data to police forces…


Read full article on InfoSec Online


CSO Review: Protecting API Connections with Forum Sentry

By | Date posted: October 19, 2018


“The Forum Sentry API Security Gateway goes beyond access control and deep into security, monitoring all the connections that it forms between systems and enforcing very granular security policies.”  — John Breeden II, IDG.

One thing that makes Forum Sentry so powerful is the fact that almost every conceivable legacy protocol and program type has been built into the appliance. This makes it possible to do things like control a legacy application using an iPhone, which was not even conceived, much less invented, when the legacy application was created. Forum Sentry handles the access controls on both ends, translating requests and commands so that each part can communicate. For organizations with legacy technology that they don’t want to overhaul, Forum Sentry could offer a less cumbersome solution to bring it into the modern age….

Read full article in CSO Online


Product vs Toolkit – API and IAM Security

By | Date posted: September 11, 2018


“Product vs toolkit – What’s the difference when it comes to API and IAM security? Jason Macy, CTO at Forum Systems explains the difference between toolkits, agents, and adapters versus purpose-built security products.

The issue is that API and IAM technologies are toolkits based on frameworks, and adapter-based solutions. Marketing for API toolkits and IAM toolkits tout security features which state terms such as ‘encryption’ and ‘access control’ to lull customers into complacency. By stating security over and over, customers believe they are safe. In fairness, the toolkit vendors are not to blame since their marketing is driven out of the need to placate their customers’ concerns about security. As the cyber-threats continue to evolve, so does the marketing speak.

As IAM and API toolkits, frameworks, and adapter-based solutions continue to claim to be security products, customers must look beyond the marketing statements to understand the difference between a security product and a toolkit.

Read full article in SC Magazine


eWeek- Forum Systems: Product Overview and Insight

By | Date posted: July 2, 2018


eWEEK has started a new IT products and services section that encompasses most of the categories covered on its site. In it, eWEEK spotlights the leaders in each sector, including enterprise software, hardware, security, on-premises systems and cloud services.

Forum Sentry API Security Gateway enables enterprises and government organizations to create code-free APIs that secure access to complex enterprise applications.

Read eWeek’s Product Overview of Sentry


How to build a secure API gateway – Network Security

By | Date posted: June 29, 2018

We invite you to download and read our CTO Jason Macy’s article featured in Network Security

How to build a secure API gateway 

In this era of hyper-connectivity, where almost every app or application relies on communication with a server or database somewhere, it has become harder than ever to secure an organisation’s systems, data and business-critical processes. Most of the major technology trends that have shaped IT over the past few decades, such as cloud computing, BYOD, IoT and even social media, have resulted in more people and entities connecting to corporate IT assets than ever before.

Most of the major technology trends of the past few decades have resulted in ever-greater numbers of connections to corporate IT assets.

At the heart of these connections are application programming interfaces (APIs), which underpin almost every interaction or process, and these have quickly become a prime target for attackers. Yet despite their growing prominence, they have largely remained the sleeping giant of our technology-led world, attracting too little attention when it comes to security.

Download the article