The emergence of the Application Economy, where the application becomes the primary point of contact between the business and the customer, is made possible through the use of Application Programming Interfaces (APIs) to link front-end applications to back-end information systems. But many of the security threats that plague the web can be even more of a problem for APIs. This presentation explains the potential risks of APIs and highlights the three most common forms of attack. The SlideShare is based on a recent eBooklet published by Scott Morrison of CA, Five Simple Strategies for Securing Your APIs http://bit.ly/1rjEhBd, which not only goes into much greater detail on the threats but lays out five simple steps that organizations should be taking today to reduce their risk.

1. How Risky Are Your APIs?

2. Application Programming Interface (API) use is exploding!
• 12,000 public APIs and growing
• Companies are discovering
how powerful APIs can be
for integrating applications, especially in mobile apps.
• http://www.programmableweb.com/

3. APIs are everywhere
• It is APIs that enable people to share photos
and other social updates between Instagram,
to Foursquare, to Facebook, to Twitter

4. APIs are good for business
• APIs drove $2 billion in business for Expedia by securely
exposing valuable content to its affiliate network.
• Companies across all industries are rushing to create APIs that
leverage their own core applications, data, and content.
• http://www.zdnet.com/blog/identity/billions-of-api-calls-traversing-
web-redefining-software/493a

5. APIs empower an ecosystem of third
party developers
• … who create new apps and revenue streams
you might never have thought of.

6. But there are hidden dangers to using
APIs
• APIs share many of the same threats that
plague the web… but APIs have a unique risk
profile that must be managed.

7. It is a mistake to think we can secure APIs
the same way we secure the web.

8. APIs are like windows into an
application
• … windows that allow legitimate developers
and hackers a direct view into the core
functionality and data residing in the heart of
the app.

9. In the web world …
• the website served as a barrier between the outside world and your
inside systems.
• People had to go through your web application to get what they
needed, and they could only get what the website offered them.

10. With APIs, that barrier doesn’t exist.

11. Increased visibility isn’t the only risk
from APIs
• Increasing the number of potential calls also
increases the attack surface, meaning that a
hacker simply has more to exploit.
• Risk increases with opportunity

12. There are three major attack vectors
to watch for:
• Parameter attacks
• Identity attacks
• Man-in-the-middle attacks

13. Parameter attacks exploit the data
sent into an API
• That is — URL, query parameters, HTTP
headers, post content
• SQL injections are among the most common
parameter attack -- an old approach, but one
that many systems are still vulnerable to.

14. Identity attacks exploit flaws in
authentication, authorization, and
session tracking
• These flaws are often the result of migrating
bad practices from the web world into API
development.

15. Man-in-the-middle attacks involve an
attacker sitting between the sender
and receiver
• APIs that are not properly configured using
SSL/TLS are highly vulnerable to this form of
attack.

16. Five Simple Strategies to Secure your
APIs
• Although APIs are susceptible to a broad
range of attacks, applying just five simple
mitigation strategies will allow you to securely
publish APIs.
• Download the white paper “Five Simple
Strategies
to Secure your APIs” for the five steps you
should take now.
• Download Now