February 19th, 2014

New eBook: 5 Simple Strategies for Securing Your APIs

Recently, I wrote about the excitement I feel working within CA. This company is full of talented people and when you draw on their capabilities, amazing stuff happens. Here in R&D, we have some innovative solutions underway that are tangible results of CA and Layer 7 working well together. I can’t reveal these yet but you can see the same 1+1=3 equation at work in other groups throughout the organization.

Here is a good example: an eBook we’ve assembled to help managers and developers build more secure APIs. The material started with a presentation I first delivered at a recent RSA show. We updated it with best practices developed by real customers facing real challenges. The content is solid but what I love is the final product. It’s accessible, easy to digest and the layout is fantastic. Half the battle is delivering the message so that it’s clear, approachable and actionable, and that is just what we delivered. And best of all, it’s free.

The last year has been a difficult one in security. The Snowden affair made people talk about security; this, at least, is good and the dialog continues today. But if 2013 was a year of difficult revelation, 2014 is going to be about back-to-basics security.

APIs offer tremendous business value to enterprise computing. But every API you expose is also attack surface. You can manage this risk with a solid foundation and good basic practices but you need to know where to start. This is the theme of our new eBook. It offers simple guidelines that are not tied to any particular technology, and you should apply them whenever you deploy APIs.

I hope you find this eBook useful. As always, I’d love to hear your feedback.

Download the eBook: 5 Simple Strategies for Securing Your APIs

September 5th, 2013

5 Pillars of API Management

Layer 7’s series of free eBooks continued recently with our take on the 5 Pillars of API Management. This eBook – which has been getting some great feedback – covers the what, why and how of core API Management concepts like API exposure, security, access control, lifecycle management and developer engagement. Our goal is to provide a high-level overview of each category with some key takeaways; deeper information is available from a link in each section.

These resources have been distilled from years of work in the field with customers seeking to securely expose data and applications to partners, cloud services or mobile devices. The process begins with API exposure but very few of our customers are starting from scratch – they have existing data residing in SOAP services or trapped in legacy systems. We discuss the reasons behind – and methods for – converting these services to RESTful API interfaces. We get into the various types of API threats and why security – including flexible content inspection and filtering – is of the utmost importance. And we cover bridging modern access control models like OAuth to existing enterprise IAM and SSO frameworks.

Managing the performance, lifecycle and adoption of APIs is just as important to API Management as secure exposure is. An API without developers is a tree in the forest with nobody to hear it fall – it may make a noise but who cares? And it’s impossible to engage developers without a highly-available, optimized, user-friendly, well-managed API. This includes both the technical interface and the methods for service discovery, testing, documentation and community building. We delve into the must-haves when it comes to availability, engagement and education.

Read the eBook: 5 Pillars of API Management

Our API Academy is out in the field, discussing many of these same topics at API Workshops near you. I’ll be in San Antonio and Los Angeles next week, talking about the business of APIs before Mike Amundsen gets into his fantastic content around API design, developer experience, DevOps and related challenges. Hope to see you there!

March 6th, 2013

New Layer 7 eBook: 5 Ways Every Telco Can Benefit from APIs

The recent Mobile World Congress event in Barcelona reminded us about the growing importance of APIs to the telecommunications sector. Telco was actually one of the first sectors to show an interest in APIs but most carriers have still not taken full advantage of the opportunities presented by APIs and some have got their fingers burned trying to court the long tail of third-party app developers.

Still, with Web and mobile technologies creating competition from outside the telco sector, carriers need ways to quickly adapt to technological change – and APIs provide the perfect solution. APIs allow telcos to open up their services for efficient repurposing by internal developers and partner organizations, creating opportunities for being quick to market with innovative new offerings.

Layer 7’s latest eBook 5 Ways Every Telco Can Benefit from APIs provides an overview of how carriers can realize these opportunities. If you visited the Layer 7 booth at MWC, you might have picked up the print version of this handsome document. If not, don’t hesitate to download the electronic version.

February 8th, 2013

Enabling OAuth Token Distributors

Are you a token distributor? If you provide an API, you probably are.

One thing I like about tokens is that a compromised token does not expose the credential it was issued against. Unfortunately, the reverse does not hold. When your password is compromised, you should assume the attacker can use it to obtain access tokens and act on your behalf.

In his post The Dilemma of the OAuth Token Collector and in this Twitter conversation, Nishant Kaushik and friends comment on the recent Twitter hack and discuss the pros and cons of instantly revoking all access tokens when a password is compromised.

I hear the word of caution about automatically revoking all tokens at the first sign of a compromised credential. But in a mobile world, where user experience (UX) is sacred and every password prompt is painful, partial token revocation should not be ruled out either.

Although, as Nishant suggests, “it is usually hard to pinpoint the exact time at which an account got compromised”, you may be able to bound it to a window and act on the worst case: treat the earliest moment in that window as the compromise time. I’m not saying that would necessarily have been the right response to Twitter’s latest incident, but revoking only the tokens issued after the earliest time the hack could have taken place is a valid approach that deserves consideration. It lets the API provider limit the UX impact and avoid needless service interruptions (yes, I know UX would be best served by preventing the credential from being compromised in the first place). The tokens issued before the window survive only on the assumption that the stolen password was the attacker’s sole route to tokens; if the client or device itself was compromised, that assumption no longer holds.

Of course, acting at that level requires token governance. The ability to revoke tokens is essential for the API provider, and any token management solution being developed today should pay close attention to it. A GUI for revoking tokens is a start, but a token management solution should also expose an API through which tokens can be revoked, so that existing portals and ops tooling can act on revocation programmatically. Tokens need to be easily revocable per user, per application, per creation date, per scope and so on, and by any combination of these.
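As an added example (not code from this post or from Layer 7), here is a small Python token registry that implements the governance described above: revocation is a predicate over token metadata, and the compromise case cuts only the tokens issued at or after the earliest possible compromise time, optionally narrowed by application or scope. The registry, the token fields, the user and client names and the incident timestamps are all hypothetical; a real store would be a database or cache shared with the resource servers.

```python
"""Selective OAuth token revocation keyed on user, client, scope and issue time.

Added example, not Layer 7 code. TokenRegistry is a hypothetical in-memory
stand-in for the provider's token store; all names and timestamps are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Token:
    """Metadata the provider records for every token it hands out.
    Only an identifier is kept here, never the bearer secret itself."""
    token_id: str
    user: str
    client_id: str
    scopes: FrozenSet[str]
    issued_at: datetime  # timezone-aware, so time comparisons are unambiguous


class TokenRegistry:
    """Every revocation is a predicate over token metadata, so the same
    revoke_where() call can back both a GUI and a revocation API used by
    portals and ops tooling."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}
        self._revoked: Dict[str, str] = {}  # token_id -> reason, kept for audit

    def issue(self, token_id: str, user: str, client_id: str,
              scopes: Iterable[str], issued_at: datetime) -> Token:
        if issued_at.tzinfo is None:
            raise ValueError("issued_at must be timezone-aware")
        tok = Token(token_id, user, client_id, frozenset(scopes), issued_at)
        self._tokens[token_id] = tok
        return tok

    def is_active(self, token_id: str) -> bool:
        """What a resource server (or the gateway in front of it) checks per request."""
        return token_id in self._tokens and token_id not in self._revoked

    def revoke_where(self, predicate: Callable[[Token], bool], reason: str) -> List[str]:
        """Revoke every live token matching the predicate; returns the ids revoked.
        Idempotent: already-revoked tokens are not reported a second time."""
        hits = sorted(t.token_id for t in self._tokens.values()
                      if t.token_id not in self._revoked and predicate(t))
        for token_id in hits:
            self._revoked[token_id] = reason
        return hits


def revoke_after_compromise(registry: TokenRegistry, user: str,
                            earliest_compromise: datetime,
                            client_id: Optional[str] = None,
                            scope: Optional[str] = None) -> List[str]:
    """Partial revocation: cut only the user's tokens issued at or after the
    earliest moment the account could have been compromised.

    The comparison is inclusive and the caller passes the start of the suspected
    window, so uncertainty about the exact time errs toward revoking. Tokens
    issued before the window survive, which is safe only if the stolen password
    was the attacker's sole route to tokens. client_id and scope narrow the cut
    further (one third-party app only, or only write-capable tokens)."""
    def compromised(t: Token) -> bool:
        return (t.user == user
                and t.issued_at >= earliest_compromise
                and (client_id is None or t.client_id == client_id)
                and (scope is None or scope in t.scopes))

    reason = f"credential compromise of {user!r} not before {earliest_compromise.isoformat()}"
    return registry.revoke_where(compromised, reason)


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (not real data): alice's password leaked at some
    point on 1 February; the investigation can only bound it to 'not before 00:00Z'."""
    reg = TokenRegistry()
    reg.issue("t1", "alice", "mobile-app", {"read"},          _utc("2013-01-20T09:00:00"))
    reg.issue("t2", "alice", "web-portal", {"read", "write"}, _utc("2013-02-01T00:00:00"))  # on the boundary
    reg.issue("t3", "alice", "mobile-app", {"read", "write"}, _utc("2013-02-03T14:30:00"))
    reg.issue("t4", "bob",   "mobile-app", {"read"},          _utc("2013-02-03T15:00:00"))
    reg.issue("t5", "bob",   "web-portal", {"read", "write"}, _utc("2013-02-03T16:00:00"))

    # Full per-user cut from the worst-case time: t1 predates the window and survives.
    revoked_alice = revoke_after_compromise(reg, "alice", _utc("2013-02-01T00:00:00"))
    # Narrower cut: bob's incident only warrants pulling write-capable tokens.
    revoked_bob_write = revoke_after_compromise(reg, "bob", _utc("2013-02-03T00:00:00"), scope="write")
    # Repeating the same request is a no-op rather than a second audit entry.
    repeat = revoke_after_compromise(reg, "alice", _utc("2013-02-01T00:00:00"))

    return {
        "revoked_alice": revoked_alice,          # ['t2', 't3']
        "revoked_bob_write": revoked_bob_write,  # ['t5']
        "repeat": repeat,                        # []
        "still_active": sorted(tid for tid in ("t1", "t2", "t3", "t4", "t5")
                               if reg.is_active(tid)),  # ['t1', 't4']
    }


if __name__ == "__main__":
    print(demo())
```

The predicate form is the point: a single revocation primitive serves the per-user, per-application, per-creation-date and per-scope cases and any combination of them, and the inclusive comparison against the start of the suspected window is what makes the worst-case reasoning above mechanical rather than a judgement call per token.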

Are you a token distributor? You should think hard about token governance. You should also think hard about scaling, security, integration with existing identity assets and interop, among other things. We cover these issues and more in our new eBook: 5 OAuth Essentials for API Access Control.

December 18th, 2012

New Mobile eBooks

As a Partner Architect at Layer 7, I’m lucky enough to get to interact with some of the best and brightest in the industry. These include software vendors, systems integrators, analysts and thought leaders. When you add in our own experts, we have access to a veritable “who’s who” of the API world.

Recently, we began a series of free eBooks that will distill our communal knowledge into specific, targeted recommendations for dealing with a variety of challenges around APIs – from interface design, to security, to developer engagement. Today, I’m pleased to announce the first two of these, which deal with API exposure for internal mobility projects and for externally-facing open APIs.

First, we have Enterprise on the Go: 5 Essentials for BYOD & Mobile Enablement. This eBook focuses on the challenge of securely exposing internal applications and information assets to mobile employees, either on their own devices (BYOD) or as part of a larger mobility initiative. These five key points for a successful deployment are presented in an easy-to-consume synopsis and then backed up by white papers, webinars and customer case studies. Of particular interest to our enterprise customers are the sections on repurposing existing services and using middleware to optimize for mobile use cases.

Next, we have 5 Ways to Get Top Mobile App Developer Talent for your Open APIs. While not all enterprises have chosen to expose their APIs externally, those that have are faced with the challenge of acquiring a talented community of developers that will build useful mobile apps for the consumer marketplace. However, enterprises can’t simply assume “build it and they will come.” Getting devs onboard requires investment in documentation, branding and community development. This eBook discusses some of the best methods for onboarding and rewarding those developers who provide the most value.

Whether focused on internal or external developers, these eBooks are valuable resources for anyone looking to expose APIs for mobile access to enterprise assets. We welcome your feedback on this format and look forward to continuing the series.