Scott Morrison

Scott Morrison is the Chief Technology Officer at Layer 7 Technologies, providing the visionary innovation and technical direction for the company. He has extensive technical and scientific experience in a number of industries and universities, including senior architect positions at IBM. He is one of the four co-editors for the WS-I Basic Security Profile. Scott is a much sought-after author and speaker. He has published over 50 book chapters, magazine articles, and papers in medical, physics and engineering journals.

June 5th, 2014

The Need for Secure APIs in Retailing

Applications in today’s retail industry are highly distributed and are generally connected by proprietary protocols. But trends toward expanding geographic distribution are driving increased demands for integration — and these demands are driving a greater use of application programming interfaces (APIs) in retail.

Retailers worldwide are under tremendous pressure to innovate faster and cycle through inventory as quickly as possible. Also, aggressively managing inventory supply chains is increasingly challenging because consumers have online access to competitive retail Web sites and can easily purchase products elsewhere.

“Showrooming” — the practice of examining merchandise in a traditional brick-and-mortar retail store but then shopping online to find a lower price for the same item — is placing increased margin pressure on retailers, particularly in countries like the US that have relatively low shipping costs.


Retailers are responding by accelerating inventory turnover: gaining product visibility on partner Web sites and maximizing exposure of available inventory. The ability to quickly implement secure APIs that enable innovative merchandising opportunities and aggressive supply chain management can make the difference between success and failure in a highly competitive market.

Customers expect retailers to always have items they want in stock. For example, a customer who wants a sweater in a certain size and color will just shop elsewhere if that exact sweater is not available when he or she wants to buy it. Brand loyalty and repeat business are hurt by a failure of any link in the supply chain. APIs and the ability to accelerate integration with partner systems help retailers not only to increase merchandising opportunities but also to gain greater visibility over purchasing patterns and supply chain demands.

APIs can have an even greater impact on retail markets with products that have shorter shelf lives. While the clothing markets are aggressively deploying APIs, so too are retail markets that rely on perishable products, such as the food industry. Obtaining food products when needed and minimizing spoilage requires an information-centric approach to supply chain management. Food service retailers and grocery stores both depend on real-time information about product availability. In this context, innovative APIs into third-party applications can provide a competitive advantage.

To see the long-term potential of APIs in retailing, I think we can take a look at industries such as online gambling. The gambling industry is a tremendously aggressive consumer of APIs. In locations where it’s legal, large bookmaking organizations compete to quickly introduce opportunities for people to bet on everything from sports to political races or the national budget. Online betting companies develop games or set up innovative new betting scenarios to captivate retail customers, and APIs allow them to roll new services out very quickly to keep customers engaged.

For multi-channel retailers, it’s only natural to want to give customers immersive shopping experiences across not only brick-and-mortar storefronts but also Web, mobile and social media channels. These online experiences are increasingly location-specific and contextualized to each shopper’s identity and buying history. APIs provide the means for ensuring consistent shopping experiences across multiple retail channels.

Retailers are increasingly seeking to engage buyers everywhere they might be, whether online or in-store. They are looking for ways to deliver immersive commerce experiences — including consistent content, promotions and rewards — across multiple channels. Retailers want to tailor these experiences to buyers’ enhanced identity information. Achieving all this requires the ability to:

  • Expose content, commerce, loyalty and promotion functions as APIs
  • Integrate APIs from third-party affiliates, mobile apps, social networks, geolocation services, customer data sources and ad networks
  • Resolve and reconcile a buyer’s identity across online channels
  • Simplify mobile notifications

Having the toolset to manage APIs is essential. The CA Layer 7 API Management Suite provides all the API creation, integration and orchestration features necessary to meet context-aware, multi-channel retail merchandising objectives. By adopting proven policies and procedures for ensuring secure APIs, retailers can aggressively scale their online merchandising initiatives and potentially reach more customers with innovative offers of products and services.

May 21st, 2014

The Increasing Impact of APIs on the Digital Marketplace

For years, organizations connected distributed applications using increasingly complex protocols. But as the principles of the World Wide Web rapidly penetrated the business world, IT organizations began to realize that many of the concepts, infrastructures and protocols that let the Web scale to an enormous number of clients could be applied to enterprise application development. Enter the application programming interface (API).

Business needs are driving enterprises to open their data and applications more to partners, developers, mobile apps and cloud services. APIs provide a standardized way to open up information assets across the Web, mobile devices and the cloud. However, to make API information sharing safe, reliable and cost-effective, enterprises must deal with critical security, performance management and data adaptation challenges.

The API can be used as a lingua franca of modern computing, allowing the enterprise to selectively open up applications in order to create value. It is not a coincidence that the API movement has grown in importance as a new generation of coders has come of age – a generation that values simplicity and getting the job done.

The complexities valued by the previous generation of developers are giving way to developers more focused on lowering the barriers to entry and on improving the accessibility of information while ensuring the security of critical enterprise resources. APIs allow developers to greatly simplify integration.

APIs open up new opportunities for executives to evaluate business information resources in order to build value for the enterprise by creating services that others can consume. For example, the New York City subway system opened up APIs so that developers could build apps exposing train status information. The Metropolitan Transportation Authority (MTA) recognized that its core business was transportation, not app development, so it didn’t try to build smartphone apps but instead exposed its core information systems through APIs that allow developers to create apps which provide consumers with updated transit information.

The MTA is leveraging information in existing systems in order to allow developers to build apps that create more informed consumers, who are presumably becoming more reliant on public transportation. This strategy is allowing the New York MTA to provide better transportation through APIs and cities like Washington DC are similarly opening up their APIs to make transportation easier for their citizens. By understanding consumer needs for better and timelier transportation information and filling those needs by opening up APIs to the development community, transportation providers are building more loyal customers.

Understanding the opportunities to capitalize on APIs is crucial and many companies are turning to their marketing departments for direction on API strategies. To their credit, marketing professionals are often forward-looking and trend-driven and many have been monitoring API advances and seeing the business opportunities potentially enabled by API adoption. They are well positioned to evaluate available data within business applications in order to determine what information the organization should make available in a safe and secure manner to create value for the enterprise.

Once the APIs are developed, the ability to promote available APIs among the development community is essential for gaining acceptance and adoption. Organizations need the ability to market their APIs to create interest within the development community. To obtain maximum value from APIs, enterprises need ways to attract, onboard and manage developers.

The CA Layer 7 API Management Suite provides enterprises with a comprehensive set of solutions that externalize APIs in a secure, reliable and manageable way. It includes the CA Layer 7 API Portal, which allows the enterprise to deploy the infrastructure to monetize APIs, advertise them and create communities around them. This allows organizations to capitalize on the increasing impact APIs are having on the digital marketplace and to build and manage secure APIs that create increased value for the enterprise.

April 10th, 2014

Upcoming Talks at MobileWeek 2014 in NYC

I will be attending MobileWeek 2014 in New York City next Monday, April 13. I’ll be at the conference all day, so drop by and say hello. Part way through the day, I’ll deliver a two-minute lightning talk on mobile authentication, followed by a panel on enterprise mobile security and scalability.

The lightning talk is at 12:25 pm:

How to Make Mobile Authentication Dead Easy
Are your developers struggling to integrate mobile apps and enterprise data? They shouldn’t be! In just two minutes, learn the easiest way to get end-to-end security between your mobile apps and the enterprise — all without using a VPN.

It must be easy if I can cover it in only two minutes!

The panel, scheduled to start at 1:10pm (an odd time, so keep an eye on the clock), will include participants from Hightail and will be moderated by Geoff Domoracki, who is one of the conference founders:

The Mobile Enterprise: Productivity, Security & Scalability
We hear terms like “mobile enterprise” and “mobile workforce” but how far are we towards creating an enterprise work environment that enables real-time communication beyond geographic boundaries — freeing the employee to work from his phone anywhere in the world? This panel will explore the opportunities and challenges around the emergence of a “mobile enterprise” where sitting at a desk in the office is becoming more and more outdated. How do you share documents, secure data, prove identity and geo-collaborate in the new mobile enterprise?

Overall it looks to be a good day. New York is a hotbed of mobile development and I’m looking forward to meeting lots of interesting people.

See you at MobileWeek!

February 26th, 2014

What We Should Learn from the Apple SSL Bug

Two years ago, a paper appeared with the provocative title “The Most Dangerous Code in the World.” Its subject? SSL, the foundation for secure e-commerce. The world’s most dangerous software, it turns out, is a technology we all use on a more-or-less daily basis.

The problem the paper described wasn’t an issue with the SSL protocol itself, which is a solid and mature technology, but with the way applications use the client libraries that set up a session. SSL is easy to use, but you must be careful to set it up properly. The authors found that many developers aren’t so careful, leaving their connections open to man-in-the-middle attack. Most of these mistakes are elementary, such as not fully validating the server’s certificate chain or not checking that the certificate actually matches the host being contacted.

Another dramatic example of the pitfalls of SSL emerged this last weekend as Apple issued an advisory and a patch for a flaw discovered in its own SSL library on iOS. The problem came from a duplicated goto fail statement that crept into the source code, likely the result of a bad copy/paste. Ironically, fail is exactly what this extra code did: the second goto jumped unconditionally to the cleanup label while the error variable still held “success,” skipping the signature check on the server’s key-exchange message. Clients using the library therefore accepted a handshake whose certificate had never really been tied to the server they were talking to, leaving them open to a man-in-the-middle.

The problem should have been caught in QA; obviously, it wasn’t. The lesson to take away from here is not that Apple is bad — it responded quickly and efficiently the way it should — but that even the best of the best sometimes make mistakes. Security is just hard.
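The control flow behind the bug, as an added example that is not Apple’s code: a toy reconstruction of the shape of the affected function, with an FNV-1a checksum and an equality check standing in for the real SHA-1 hash and RSA signature verification. The function names, the error code and the handshake bytes are all hypothetical. What it shows is that the duplicated goto runs while err is still 0, so the “fail” label returns success without ever reaching the verify call; the bracketed version beside it is the shape that would have made the stray line obvious.

```c
/* Added example: toy reconstruction of the "goto fail" control flow.
 * Not Apple's code. The hash and "signature" are placeholders. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ERR_BAD_SIG 1   /* stand-in for the real library's error code */

/* FNV-1a, standing in for the SHA-1 transcript hash. Not a secure hash. */
static uint64_t toy_hash_update(uint64_t h, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Mimics the hash-update convention the buggy code relied on:
 * returns 0 on success, nonzero on error. */
static int hash_update(uint64_t *h, const uint8_t *data, size_t len)
{
    if (data == NULL)
        return ERR_BAD_SIG;          /* hypothetical failure path */
    *h = toy_hash_update(*h, data, len);
    return 0;
}

/* Stand-in for the raw signature check: in this toy the "signature" is
 * simply the expected transcript hash, so verifying it is an equality test. */
static int raw_verify(uint64_t hash, uint64_t signature)
{
    return hash == signature ? 0 : ERR_BAD_SIG;
}

/* What a legitimate server would "sign" over the handshake values. */
uint64_t toy_sign(const uint8_t *cr, size_t crl, const uint8_t *sr, size_t srl,
                  const uint8_t *params, size_t pl)
{
    uint64_t h = 14695981039346656037ULL;
    h = toy_hash_update(h, cr, crl);
    h = toy_hash_update(h, sr, srl);
    h = toy_hash_update(h, params, pl);
    return h;
}

/* Same control-flow shape as the buggy key-exchange verification. */
int verify_key_exchange_vulnerable(const uint8_t *cr, size_t crl,
                                   const uint8_t *sr, size_t srl,
                                   const uint8_t *params, size_t pl,
                                   uint64_t signature)
{
    int err;
    uint64_t h = 14695981039346656037ULL;

    if ((err = hash_update(&h, cr, crl)) != 0)
        goto fail;
    if ((err = hash_update(&h, sr, srl)) != 0)
        goto fail;
    goto fail;   /* the duplicated line. In the original source it was indented
                    as though it belonged to the if above, but without braces it
                    is unconditional, and err is still 0 here. */
    if ((err = hash_update(&h, params, pl)) != 0)
        goto fail;

    err = raw_verify(h, signature);   /* never executed */

fail:
    /* buffer cleanup would go here */
    return err;                        /* returns 0: "verified" */
}

/* Corrected version: braces on every branch, so a stray goto cannot hide
 * behind indentation, and nothing sits after an unconditional jump. */
int verify_key_exchange_fixed(const uint8_t *cr, size_t crl,
                              const uint8_t *sr, size_t srl,
                              const uint8_t *params, size_t pl,
                              uint64_t signature)
{
    int err;
    uint64_t h = 14695981039346656037ULL;

    if ((err = hash_update(&h, cr, crl)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&h, sr, srl)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&h, params, pl)) != 0) {
        goto fail;
    }
    err = raw_verify(h, signature);

fail:
    return err;
}

int main(void)
{
    /* Constructed handshake values; a real client reads these off the wire. */
    const uint8_t client_random[] = { 0x01, 0x02, 0x03, 0x04 };
    const uint8_t server_random[] = { 0x05, 0x06, 0x07, 0x08 };
    const uint8_t dh_params[]     = { 0xAA, 0xBB, 0xCC, 0xDD };
    uint64_t forged = 0xDEADBEEFULL;   /* an attacker's arbitrary signature */

    int v = verify_key_exchange_vulnerable(client_random, 4, server_random, 4,
                                           dh_params, 4, forged);
    int f = verify_key_exchange_fixed(client_random, 4, server_random, 4,
                                      dh_params, 4, forged);
    printf("forged signature: vulnerable=%d (0 = accepted), fixed=%d\n", v, f);
    return 0;
}
```

The negative test is the point: feed each version a forged signature and the vulnerable one reports success. A test like that in QA is exactly what would have caught the bug, and a compiler warning for unreachable code (clang’s -Wunreachable-code, for instance) would have flagged the dead verify call even without one.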

So, if security is too hard and people will always make mistakes, how should we protect ourselves? The answer is to simplify. Complexity is the enemy of good security because complexity masks problems. We need to build our security architectures on basic principles that promote peer-reviewed validation of configuration as well as continuous audit of operation.

Despite this very public failure, it is safe to rely on SSL as a security solution but only if you configure it correctly. SSL is a mature technology and it is unusual for problems to appear in libraries. But this weekend’s events do highlight the uncomfortable line of trust we necessarily draw with third-party code. Obviously, we need to invest our trust carefully. But we also must recognize that bugs happen and the real test is about how effectively we respond when exploits appear and patches become available. Simple architectures work to our favor when the zero-day clock starts ticking.

On Monday at the RSA Conference, CA Technologies announced the general availability of the new Layer 7 SDK for securing mobile transactions. We designed this SDK with one goal: to make API security simpler for mobile developers. We do this by automating the process of authentication and setting up secure connections with API servers. If developers are freed from tedious security programming, they are less likely to do something wrong — however simple the configuration may appear. In this way, developers can focus on building great apps instead of worrying about security minutiae.

In addition to offering secure authentication and communications, the SDK also provides secure Single Sign-On (SSO) across mobile apps. Use the term “SSO” and most people instinctively picture one browser authenticating across many Web servers. This common use case defined the term. But SSO can also be applied to the client apps on a mobile device. Apps are isolated from one another on iOS and Android, and sharing information between them, such as an authentication context, is challenging. Our SDK does this automatically and securely, providing a VPN-like experience for apps without the very negative user experience of mobile VPNs.

Let me assure you that this is not yet another opaque, proprietary security solution. Peel back the layers of this onion and you will find a standards-based OAuth and OpenID Connect implementation. We built this solution on top of the Layer 7 Gateway’s underlying PKI system and we leveraged this to provide increased levels of trust.

If you see me in the halls of the RSA Conference, don’t hesitate to stop me and ask for a demo. Or drop by the CA Technologies booth where we can show you this exciting new technology in action.

February 21st, 2014

RSA Conference 2014 Preview & a Special CA Layer 7 Event

Despite all our advances in communications — from social networking, to blogs, to actually functional video meetings — the trade conference is still a necessity. Maybe not as much for the content, which makes the rounds pretty fast regardless of whether you attend the show or not, but for the serendipitous meetings and social networking (in the pre-Facebook/Twitter sense).

I find something comforting in the rhythm and structure a handful of annual conferences bring to my life. The best ones stay rooted in one location, occurring at the same time, year after year. They are as much defined by time and place as topic.

If it’s February, it must be San Francisco and the RSA conference. I’ve attended for years and despite the draw from the simultaneous Mobile World Congress in Barcelona, RSA is a show I won’t skip. But I do wish MWC would bump itself a week in either direction so I could do both.

As everyone knows, this year the press made much ado of a few high-profile boycotts of the conference and the two alt-cons, Security B-Sides and TrustyCon, that sprang up in response. But I think it’s important to separate RSA the company from RSA the conference. The latter remains the most important security event of the year.

Every year, one theme rises above the rest. I’m not referring to the “official” theme but the trends that appear spontaneously in the valley. The theme this year should be security analytics. The venture community has put this idea on an aggressive regime of funding injections. We should expect an entertaining gallery of results, both good and bad. But either way, we will learn something and it would be a poor move to bet against this sector’s future.

I’m also expecting 2014 to bring some real SDN traction. Traditional security infrastructure is low-hanging fruit vendors too often miss. RSA is where SDNs for security will finally get a long-awaited debut.

MWC may be the premier event for mobile but most mobile security companies cover both conferences and CA is no exception. At RSA, we’ll be unveiling the new version of our Mobile Access Gateway. This features SDKs for iOS, Android and JavaScript that make enterprise authentication simple for mobile developers. As a bonus, these SDKs offer cross-app SSO. This means users sign on just once, from any authorized app. You should definitely come by the CA Technologies booth at either show to have a look. And if you do see me at the RSA show, be sure to ask me about the integrated PKI — surely one of the coolest, unsung features underneath the SDK hood.

CA and Layer 7 will also be hosting an afternoon event on Monday Feb 24 at the nearby Marriott Marquis and you are invited. You may recall we’ve held a few of these before but this year, we have a very special guest. The event will feature Forrester analyst Eve Maler, who will talk about zero trust and APIs. It will be a great way to kick off RSA 2014 and we’ll even give you a nice lunch. Who could refuse that?

To join us, sign up here.