I recently wrote an article for Wired, which discussed the importance of thinking about security at every stage of your application lifecycle. This is especially important as we enter the new era of open enterprise IT. The explosive growth of mobile computing has shifted the enterprise perimeter and traditional access control mechanisms are no longer sufficient. This is even more relevant when thinking about the Internet of Things (IoT) and its rapidly evolving ecosystem.
George Reese of Dell recently published an article that discusses the Tesla Model S REST API. This API enables some remote control features on the car and is primarily used by Tesla's available smartphone apps. Great stuff, showing how mobile meets IoT meets API. The problem is that the focus of the article is all on the API's potential security vulnerabilities. Where the Tesla developers should be lauded for driving this type of innovation, they are instead scolded for addressing security poorly.
I think this is a great example of where thinking about security all through the lifecycle would have saved the developers some embarrassment. Here are some things for them to think about with the next app or API:
- Are there other clients besides smartphone apps that I want to access my API?
- Are there other clients besides smartphone apps that I don’t want to access my API?
- Are there proven standards or protocols I can use to provide access control?
- Are there proven tools out there that can help me deliver the solution more quickly?
- Is there a way for me to revoke a client’s access after it has been granted?
The Tesla team chose to take an unproven path with their authentication solution. “Security by obscurity” used to be a popular approach but it doesn’t cut it in the open enterprise. In open computing, open and popular protocols like OAuth are the most secure mechanisms to use. That may seem counter-intuitive but these protocols provide the richest set of implementation tools and breadth of use cases. This allows app developers to focus on their areas of expertise – like automotive innovation – and rely on the security experts for protection.
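To make the last two checklist questions concrete (standard protocols for access control, and revoking a client's access after it has been granted), here is an added example that is not code from the original post, from Tesla, or from any Layer 7 product. It models the token-handling core of an OAuth 2.0 style deployment: an authorization server issues opaque bearer tokens with an expiry, exposes an introspection-style lookup, and can revoke a single token or every token held by one client (a lost phone); a resource server checks the `Authorization` header against it before serving a request. The client ids, scope names (`vehicle:read`, `vehicle:unlock`), time-to-live and the `authorize_request` helper are all constructed for the example; the authorization grant flow that would normally precede token issuance is out of scope here.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedToken:
    client_id: str
    scope: frozenset
    expires_at: float


def _fingerprint(token: str) -> str:
    # Only a hash of the bearer token is stored, so a leaked token table
    # is not a leaked set of usable credentials.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Authorization-server side: issue, introspect and revoke opaque bearer tokens.
    (Constructed example; `clock` is injectable so expiry can be tested.)"""

    def __init__(self, clock=time.time):
        self._records = {}  # token fingerprint -> IssuedToken
        self._clock = clock

    def issue(self, client_id, scope, ttl_seconds=3600):
        # 256 bits of randomness: unguessable by design rather than by obscurity.
        token = secrets.token_urlsafe(32)
        self._records[_fingerprint(token)] = IssuedToken(
            client_id, frozenset(scope), self._clock() + ttl_seconds
        )
        return token

    def revoke(self, token):
        """Revoke one token. Returns True if it was active."""
        return self._records.pop(_fingerprint(token), None) is not None

    def revoke_client(self, client_id):
        """Revoke every token issued to one client (e.g. a lost device). Returns the count."""
        doomed = [fp for fp, rec in self._records.items() if rec.client_id == client_id]
        for fp in doomed:
            del self._records[fp]
        return len(doomed)

    def introspect(self, token):
        """Shaped like an OAuth token-introspection response: {'active': False} or the token's claims."""
        rec = self._records.get(_fingerprint(token))
        if rec is None or rec.expires_at <= self._clock():
            return {"active": False}
        return {
            "active": True,
            "client_id": rec.client_id,
            "scope": sorted(rec.scope),
            "exp": rec.expires_at,
        }


def authorize_request(store, authorization_header, required_scope):
    """Resource-server side. Returns (http_status, reason) for a request carrying
    the given Authorization header and needing `required_scope`."""
    if not authorization_header:
        return 401, "missing Authorization header"
    parts = authorization_header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return 401, "malformed Authorization header"
    info = store.introspect(parts[1].strip())
    if not info["active"]:
        # Expired, revoked and never-issued tokens are deliberately indistinguishable to the caller.
        return 401, "token expired, revoked or unknown"
    if required_scope not in info["scope"]:
        return 403, "insufficient scope"
    return 200, "ok"


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("phone-app", {"vehicle:read"}, ttl_seconds=60)
    print(authorize_request(store, "Bearer " + tok, "vehicle:read"))      # (200, 'ok')
    print(authorize_request(store, "Bearer " + tok, "vehicle:unlock"))    # (403, ...)
    store.revoke_client("phone-app")                                      # the lost-phone case
    print(authorize_request(store, "Bearer " + tok, "vehicle:read"))      # (401, ...)
```

Two design points worth noting: scopes let the same API grant a read-only client less than a client that can issue commands, and revocation is a server-side decision that takes effect immediately, which a static credential baked into an app cannot offer. In a real deployment the store would be a shared database or cache behind a gateway, and token lifetimes would be kept short so that revocation lists stay small.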
At Layer 7, our products and services help companies build the foundation for the open enterprise. Our new Mobile Access Gateway release provides a variety of security capabilities, including smartphone access control and token revocation. Our API Academy helps clients design sustainable APIs that address all aspects of the API lifecycle, including the most practical and comprehensive security protections.