Application Programming Interfaces (APIs) let developers use code that already exists in other apps to add features to their own apps. With APIs, they can develop new software more quickly — because they don’t have to write everything from scratch — and more easily create rich, connected experiences for users that span IT systems from multiple business partners.
The downside of using APIs is that each connection is a potential source of attack by hackers and other bad actors. With APIs often using public networks to connect with functions running in the cloud — and maybe more than one cloud — you can no longer simply throw up a secure perimeter around your IT systems to keep out attacks.
Here are 5 tips to create a secure API ecosystem:
1. Help developers easily find and use the best APIs
A good approach is to establish a self-service developer portal that allows developers to quickly search for and access the APIs they need to build their apps, while giving you control and visibility over exactly which APIs they’re using. You can use the portal to share APIs created internally, so your in-house solutions can be integrated into other systems, as well as use the portal to point your developers to the APIs for your authorised third-party software and cloud solutions. Alongside the APIs, the portal should also include documentation and sample code to make it easy for developers to start using each API.
2. Ensure APIs provide authentication for both end-users and applications
This will ensure that connections are only made by the people and systems that should be connecting. The de facto open standard for API security is the token-based OAuth. Many businesses apply OAuth using an API management platform that generates OAuth tokens, controls what tokens can do, and applies rules-based access controls based on user profiles.
3. Provide input validation
It's important to check that both incoming requests — especially data provided by users — and the responses that are being sent back match what’s expected. This will help to secure your systems against common forms of attack such as SQL injections.
4. Protect sensitive data
This should happen when the data is passed between the API and the requesting user or application, typically by creating an encrypted link using the TLS protocol.
5. Monitor and analyse API traffic
This will help you identify potential threats such as an API being overwhelmed by a DDoS attack. It can also help you understand whether you need to increase the resources on which the API runs if you’re seeing an increase in legitimate traffic. Finally, you can use it to identify new business opportunities, such as the chance to introduce a license for users who make more than a certain number of calls on an API-enabled service in a day.
Getting the balance right between making it easy for developers to use APIs to develop rich, connected experiences for users and ensuring that your API-enabled infrastructure remains secure is no easy task. In tandem with your developer portal, you should consider implementing an API management platform like Google Cloud’s Apigee, which will help you gain control over and visibility into the APIs you’re using, as well as make it easier to correctly implement complex security protocols like OAuth.
To find out more about how you can use APIs to power your business, read about some of the ways our customers are using APIs in their digital transformation projects or come and talk to the agile development experts in our Digital Transformation team.