Experts say Hackers are also winning with APIs

By Kimball Brown

While the RSA 2015 Conference was going on, I chaired a panel for the IEEE, which put together a stunning panel of security experts. The objective of the panel was to explore the state of APIs across the industry and how effective they are in providing security and privacy for the users of the resulting products. The discussion centered on the explosion of new APIs resulting from the shift from Client/Server computing to Cloud/Mobile (with the added influence of current and upcoming IoT products), and whether the newer APIs were providing better security and privacy to users. Further, we explored how effective these APIs are and what should be done to make them more effective.

The following experts were on the panel:

  • Hadi Nahari, Chief Security Architect, NVIDIA
  • Bret Hartman, VP and CTO, Security Business Group, Cisco Systems, Inc.
  • Monique Morrow, CTO - Evangelist - New Frontiers Development and Engineering, Cisco Systems, Inc.
  • Scott Morisson, SVP and Distinguished Engineer, CA Technologies
  • Rob Zazueta, Director Platform Strategy, Mashery, an Intel Company
  • Cooper Quentin, Staff Technologist, EFF

The panel explored several topics during the two-hour discussion.

  • Have Flickr, Twitter and Facebook changed the face of APIs?
    These companies and others have proven that APIs are powerful in networking people, friends, families, co-workers, communities, governments and healthcare providers – and connect together the many aspects of our personal and professional lives.
  • Have Amazon, Dropbox and other eCommerce providers further changed perspectives about APIs?
    APIs became about much more than just sharing products or social information. Amazon has changed eCommerce. Dropbox enabled synchronized storage for a user’s devices.
  • How APIs helped AWS define architectural components like computing, storage, DNS and allow anyone to deploy new services.
    How APIs helped companies define new ways of doing business. Dropbox was able to avoid the cost, complexity and time needed to develop hardware infrastructure by using AWS as its infrastructure.
  • API policy becomes more important here. Handling pricing, terms of service, privacy policies etc., are critical legal building blocks.
  • How the abuse of APIs can destroy business models. Snapchat had promised that pictures posted would be erased in five minutes and was proven wrong after nefarious individuals cached the pictures and posted them for extended periods on Snapchat’s site.
  • Does IoT-driven development change everything? As we look at home automation, smart grid and more, things become exponentially more complicated. Yes, the panel agreed that complexity will explode.

APIs are more than just code or technology; they are a solution offering that requires documentation, pricing, support and more. To be successful and safe, they need an operations framework under which they are rigorously developed, tested, launched and proactively managed. The panel mentioned that many companies do a great job of this, but some simply wing it in order to get products to market quickly.

Standards Groups and Regulation

We discussed whether the industry can be self-policing, or whether standards groups like IEEE, ISOC, W3C and others, or government regulators, should produce validation suites or create laws forcing companies to do a better job of providing safe, secure APIs. The panel overwhelmingly stated that standards groups can help but can also be overbearing, and that new regulations would dramatically slow the pace of innovation, hurting profits and keeping people from enjoying new products. Further, validation of APIs is only a snapshot in time, as APIs are constantly shifting.

Looking into the Future of Security

We explored whether, over the next ten years, API development and the resulting security and safety will improve enough to keep up with the ever more sophisticated tactics of intruders. Are the risks related to API-associated breaches, hacks, etc. going to reduce over time, or will this get exponentially worse?

The panel overwhelmingly agreed that the hackers are getting better faster than the industry’s efforts to keep them at bay. The entire panel agreed that there is no way for companies to provide complete certainty when it comes to the risk of security breaches stemming from APIs. It has become a war in which companies strengthen their security and hackers in turn find ways around it.

BlackRidge View on Securing APIs

While APIs are a significant source of breaches, there are other ways to ensure better security when using them. BlackRidge Transport Access Control (TAC) is a technology that works at the TCP network layer by enabling First Packet Authentication, which in turn, keeps intruders from knowing where critical resources are on the network. TAC is cryptographically secure, highly scalable and has been designed to work with and complement legacy networks, security infrastructure and applications. The unique, innovative principles upon which BlackRidge TAC is based allow for continuous, adaptive protection from evolving threat types. Organizations adopting BlackRidge TAC (with TCP/IP as the underlying transport) get a superior level of security that is transparent to developers and to the APIs, thus changing the current cyber-attack dynamic and giving themselves a distinct and lasting advantage.