Jaime Ryan

Jaime Ryan is the Partner Solutions Architect at Layer 7 Technologies. Jaime has been building secure integration architectures as a developer, architect, consultant and author for the last 15 years. He lives in San Diego with his wife and two daughters.

January 3rd, 2014

Snapchat Snafu!

When the folks at Snapchat recently turned down an acquisition offer of three billion dollars, I have to admit I was shocked by their incredibly high estimation of their own importance. After all, half of their “secret sauce” is an easily-reproducible photo sharing app; the other half is the fact that their users’ parents haven’t discovered it yet. I’ll admit a bit of jealousy and the fact that my age starting with “3” makes me demographically incapable of understanding the app’s appeal. However, what I do understand is that a frightening disregard for API security might have jeopardized the entire company’s value. Loss of user trust is a fate worse than being co-opted by grandparents sharing cat pictures.

While Snapchat does not expose its API publicly, this API can easily be reverse engineered, documented and exploited. Such exploits were recently published by three students at Gibson Security and used by at least one hacker organization that collected the usernames and phone numbers of 4.6 million Snapchat users. Worse, the company has been aware of these weaknesses since August and has taken only cursory measures to curtail malicious activity.

Before we talk about what went wrong, let me first state that the actual security employed by Snapchat could be worse. Some basic security requirements have clearly been considered and simple measures such as SSL, token hashing and elementary encryption have been used to protect against the laziest of hackers. However, this security posture is incomplete at best and irresponsible at worst because it provides a veneer of safety while still exposing user data to major breaches.

There are a few obvious problems with the security on Snapchat’s API. Its “find friends” operation allows unlimited bulk calls tying phone numbers to account information; combined with a simple number sequencer, every possible phone number can be looked up and compromised. Snapchat’s account registration can also be called in bulk, presenting the opportunity for user fraud, spam, etc. And finally, the encryption that Snapchat uses for the most personal information it processes – your pictures – is weak enough to be called obfuscation rather than true encryption, especially since its shared secret key was hard-coded as a simple string constant in the app itself.

These vulnerabilities could be minimized or eliminated with some incredibly basic API Management functionality: rate limiting, better encryption, more dynamic hashing mechanisms, etc. However, APIs are always going to be a potential attack vector and you can’t just focus on weaknesses discovered and reported by white hat hackers. No security – especially reactive (instead of proactive) security – is foolproof, but your customers’ personal data should be sacrosanct. You need the ability to protect this personally-identifiable information, to detect when someone is trying to access or “exfiltrate” that data and to enable developers to write standards-based application code that implements the required security without undermining it at the same time. You need a comprehensive end-to-end solution that can protect both the edge and the data itself – and which has the intelligence to guard against unanticipated misuse.
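To make the rate-limiting and detection point concrete, here is an added example (my own illustration, not code from Snapchat or from any Layer 7 product) of the kind of per-client guard an API gateway would place in front of a “find friends” style phone-number lookup. It combines a token bucket, which stops a single client from making unlimited bulk calls, with a simple enumeration detector that notices when one client’s recent lookups form a long run of sequential numbers, the signature of a number sequencer. The class and function names, thresholds and the sample traffic are all assumptions constructed for this illustration; the numbers in the simulation are made-up values, not real subscribers.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ClientState:
    tokens: float                       # requests left in this client's token bucket
    last_refill: float                  # timestamp (seconds) of the last refill
    recent: deque = field(default_factory=lambda: deque(maxlen=32))  # last numbers looked up


class LookupGuard:
    """Gateway-side guard for a phone-number lookup endpoint, keyed per client
    (API key, device id, etc.). Hypothetical names and thresholds."""

    def __init__(self, rate_per_sec=0.5, burst=10, enum_threshold=12):
        self.rate = rate_per_sec              # sustained lookups allowed per second
        self.burst = burst                    # short burst allowance (bucket size)
        self.enum_threshold = enum_threshold  # distinct recent numbers before we call it enumeration
        self.clients = {}

    def _state(self, client_id, now):
        st = self.clients.get(client_id)
        if st is None:
            st = ClientState(tokens=float(self.burst), last_refill=now)
            self.clients[client_id] = st
        return st

    @staticmethod
    def _looks_sequential(numbers):
        # A number sequencer produces lookups that sort into near-adjacent values;
        # flag when at least 80% of the gaps between sorted distinct numbers are <= 2.
        nums = sorted({int(n) for n in numbers})
        if len(nums) < 2:
            return False
        gaps = [b - a for a, b in zip(nums, nums[1:])]
        return sum(1 for g in gaps if g <= 2) / len(gaps) >= 0.8

    def check(self, client_id, phone, now):
        """Return 'allow', 'rate_limited' or 'enumeration' for one lookup attempt."""
        st = self._state(client_id, now)
        # Record the attempt before any decision so slow, spread-out scraping is
        # still visible to the detector even when individual calls are throttled.
        st.recent.append(phone)
        if len(set(st.recent)) >= self.enum_threshold and self._looks_sequential(st.recent):
            return "enumeration"          # block and raise an alert for this client
        # Token bucket: refill proportionally to elapsed time, capped at the burst size.
        st.tokens = min(self.burst, st.tokens + (now - st.last_refill) * self.rate)
        st.last_refill = now
        if st.tokens < 1.0:
            return "rate_limited"
        st.tokens -= 1.0
        return "allow"


def simulate():
    """Constructed traffic: one normal app looking up three contacts, and one
    scraper walking a block of sequential numbers as fast as it can."""
    guard = LookupGuard()
    legit = [guard.check("app-legit", p, now=100.0 + i)
             for i, p in enumerate(["15551234567", "15559876543", "15550005555"])]
    scraper = [guard.check("scraper", str(15550000000 + i), now=i * 0.01)
               for i in range(30)]
    return {
        "legit_allowed": legit.count("allow"),
        "scraper_allowed": scraper.count("allow"),
        "scraper_rate_limited": scraper.count("rate_limited"),
        "scraper_enumeration": scraper.count("enumeration"),
    }


if __name__ == "__main__":
    print(simulate())
```

With the assumed thresholds the normal client is never touched, while the scraper gets only its initial burst through before the bucket empties, and a few calls later the sequential pattern trips the enumeration rule regardless of how slowly the calls arrive. The point of keeping both checks is that throttling alone limits the damage per client, whereas the pattern check gives operations the signal needed to revoke the offending key and investigate.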

While our enterprise customers often look to the startup world for lessons on what to do around developer experience and dynamic development, these environments sometimes also provide lessons in what not to do when it comes to security. The exploits in question happened to divulge only user telephone and username data but large-scale breaches of Snapchat images might not be far behind. When talking about an API exposed by an enterprise or governmental agency, the affected data might be detailed financial information, personal health records or classified intelligence information. The potential loss of Snapchat’s $3 billion payday is serious to its founders but lax enterprise API security could be worse for everyone else.

CA’s line of API security products – centered around the Layer 7 API Management & Security Suite for runtime enforcement of identity management, data protection, threat prevention and access control policies – can help you confidently expose enterprise-class APIs to enable your business while preventing the type of breach experienced by Snapchat, among others.

December 10th, 2013

Layer 7 at Gartner AADI Las Vegas 2013

Last week, I attended the Gartner Application Architecture, Development & Integration Summit in Las Vegas for the third consecutive year. Aside from the cool alumni sticker on my attendee badge, returning annually to this conference also provides a really interesting touch-point with a familiar cross-section of potential (and existing) customers.

In past years, talking to other attendees during exhibit hours involved some amount of basic education around the value of APIs to enterprises, potential use cases and the need for security and management of those APIs. This year was a totally different experience, as there was no education necessary. Instead, I found these decision makers already informed – eager to implement or continue implementing their API strategies in order to achieve real-world mandates from their management and lines of business.

They told me about mobile initiatives requiring apps developed for customers, partners and/or employees; they talked about modernization of legacy infrastructure and a deeper embrace of hybrid cloud; they recognized the need for developer enablement and a shift toward continuous deployment. Most importantly for us, they recognized that APIs are essential to the successful deployment of each of these initiatives.

In a world quickly moving toward “software-defined everything,” they also acknowledged the importance of API security and management. Instead of asking why they would need our solution, they asked for differentiators in the marketplace and our latest innovations. I was happy to talk with them about the recently-released version 2.0 of our Mobile Access Gateway, which enables developers to focus on creating the best apps possible while maintaining an unprecedented level of end-to-end security from the native app to the enterprise datacenter.

We also talked about: advanced features in the latest releases of our Gateway and API Portal products; our unparalleled capabilities in security and integration; our recognition from analysts as leaders and innovators in the industry. And we talked about the future – what new technologies are being considered and how they’re going to transform the enterprise even further.

As 2013 comes to a close, this year is beginning to look like a turning point. This may be remembered as the year enterprises embraced the API, leading to a broad range of innovative programs. We’ve seen massive consolidation and investment in our space, including our own acquisition. APIs have certainly joined the mainstream. Now it’s time to see what great things we can help our customers accomplish. I’m really looking forward to 2014!

September 5th, 2013

5 Pillars of API Management

Layer 7’s series of free eBooks continued recently with our take on the 5 Pillars of API Management. This eBook – which has been getting some great feedback – covers the what, why and how of core API Management concepts like API exposure, security, access control, lifecycle management and developer engagement. Our goal is to provide a high-level overview of each category with some key takeaways; deeper information is available from a link in each section.

These resources have been distilled down from years of work in the field with customers seeking to securely expose data and applications to partners, cloud services or mobile devices. The process begins with API exposure but very few of our customers are starting from scratch – they have existing data residing in SOAP services or trapped in legacy systems. We discuss the reasons behind – and methods for – converting these services to RESTful API interfaces. We get into the various types of API threats and why security – including flexible content inspection and filtering – is of the utmost importance. And we cover bridging modern access control models like OAuth to existing enterprise IAM and SSO frameworks.

Managing the performance, lifecycle and adoption of APIs is just as important to API Management as secure exposure is. An API without developers is a tree in the forest with nobody to hear it fall – it may make a noise but who cares? And it’s impossible to engage developers without a highly-available, optimized, user-friendly, well-managed API. This includes both the technical interface and the methods for service discovery, testing, documentation and community building. We delve into the must-haves when it comes to availability, engagement and education.

Read the eBook: 5 Pillars of API Management

Our API Academy is out in the field, discussing many of these same topics at API Workshops near you. I’ll be in San Antonio and Los Angeles next week, talking about the business of APIs before Mike Amundsen gets into his fantastic content around API design, developer experience, DevOps and related challenges. Hope to see you there!

April 16th, 2013

Webinar Tomorrow: How to Choose the Right API Management Solution

On Wednesday morning, Layer 7 will be hosting a webinar on How to Choose the Right API Management Solution. There are many solutions that cover one or two aspects of API Management – just a portal or just a Gateway or just access control. However, a truly comprehensive API Management platform needs to provide a broad range of functionality in the management of four distinct areas: identity, developers, interfaces and operations. We’ll delve into each of these areas and discuss what to look for from your solution.

We’ll also talk about the “-ilities” of an API Management platform: scalability, manageability, extensibility, etc. We will illustrate each of these with a real-world Layer 7 customer example. You’ll see why these and other non-functional requirements matter just as much as the solution’s technical capabilities.

So, please join me and Layer 7 Product Manager Dana Crane as we discuss these key API Management criteria tomorrow. There will be time for questions – both technical and conceptual – and all attendees will receive a free copy of the recently-published Forrester Wave for API Management Platforms. See you tomorrow!

Register now for How to Choose the Right API Management Solution

February 6th, 2013

The Forrester Wave: API Management Platforms, Q1 2013

Earlier this week, Forrester Research, Inc. released The Forrester Wave: API Management Platforms, Q1 2013. This report addresses products targeted at several different audiences including API business owners, technical administrators and application developers consuming APIs. We’re proud to announce that the Layer 7 API Management Suite has been recognized as a Leader in the category, with some significant distance between ourselves and our peers.

What I’m most proud of is our consistently high marks in every category; we have worked hard to make sure that our products provide both ease-of-use and deep functionality. The developer experience is just as important to us as the rich integration capabilities provided to technical architects and API administrators. And comprehensive business analytics for API owners are just as important as the availability and security features required by enterprise operations teams. Our scores reflect this breadth of solution strengths.

What might be more difficult to reflect in an “Emerging Market” Wave is product depth – and this is another area where Layer 7 shines. Enterprise customers value our flexibility in deployment options, our support for numerous message formats/protocols, our rich identity framework and our long list of security certifications gained through exhaustive testing and evaluation by some of the most demanding organizations and standards bodies in the industry. Our customers have long recognized Layer 7 as a Leader in this category and we thank Forrester for validating this with the first major analyst evaluation of API Management vendors.

Layer 7 had a similar previous showing in The Forrester Wave: SOA Application Gateways, Q4 2011, in which the company was also recognized as a Leader. This successful heritage is noted by Forrester in the new Wave, which states that “Technical adopters will find a lot of depth to Layer 7’s service management capabilities, including a variety of deployment options, sophisticated traffic shaping and routing capabilities, and extensive connectivity to existing enterprise systems.” By bringing these strengths to bear on the API Management industry, Layer 7 offers an IT-friendly option for enabling all open enterprise API use cases, including access to partners, developers, mobile apps and cloud platforms.

Get a complimentary copy of The Forrester Wave: API Management Platforms, Q1 2013