By Mark O'Neill | Article Rating: |
|
January 7, 2015 02:00 PM EST | Reads: |
4,387 |

Back in 2011, while CTO at Vordel (API security/management vendor which was acquired by Axway in 2012), I wrote a piece for the Cloud Security Alliance blog entitled "Protect the API Keys to your Cloud Kingdom". In it, I talked about the importance of protecting API Keys. I wrote that:
API Keys must be protected just like passwords and private keys are protected. This means that they should not be stored as files on the file system, or baked into non-obfuscated applications that can be analyzed relatively easily.
https://blog.cloudsecurityalliance.org/2011/04/18/protect-the-api-keys-to-your-cloud-kingdom/
Fast forward to 2015, and API Key security is more important than ever. This week, Janet Wagner wrote in ProgrammableWeb about how API Keys can leak from sources such as insecure build pipelines. API Keys are now starting to be recognized as just as important as passwords or private keys. However, much of the damage has been done, due to the proliferation of apps which make insecure usage of API Keys, and the insecure storage of API Keys on the server side.
What can be done to help the API Key security situation? Here are some remedies:
Put an API Management strategy in place
Of course, I work for an API security/management vendor (Axway), so you might think "he would say that". But, having an API Management strategy in place means that API Keys are protected at Runtime by an API Gateway, and issued at Design Time by an API Portal. What all of the recent API Key vulnerability victims have in common is a lack of an API Gateway in place, or an API Management strategy. An API Management strategy allows administrators to manage how API Keys are issued, typing them to the lifecycle of the API. In the screenshot below, we can see how an API Key can be issued for an app (in this case, the sample API Days voting app used at our API Security workshops at the API Days conference):
Remember to secure outbound API Keys
In her ProgrammableWeb piece, Janet Wagner makes the great point that "Amazon Web Services is a Primary Target for Hackers", and therefore "Secure your AWS Credentials". Losing track of API Keys for services such as Amazon can be costly, since attackers can use them to run up a huge bill for services. It's often not realized that an API Gateway can be used in an outbound direction to manage client credentials for services such as Amazon. In the screenshot below, we see Amazon AWS credentials being managed at the Axway API Gateway. This means that the API Keys are not sitting on a hard drive, or baked into an application, but instead are managed under the umbrella of an API security gateway:
Don't simply send an API Key in the querystring
It is amazing how many APIs are designed such that the API Key is sent in the querystring, effectively being a "username without a password". If an attacker gets a hold of a valid request, it is trivial to replay the request. This is why API providers such as Amazon provide two keys. One is used for identification, and the other is used for signing. Here at Axway, we provide API providers with an array of API Security options, as shown below:
-
- Centralized API publication with an API Catalog
- Attract and encourage developers to subscribe to APIs
- Present API samples, parameter information and automated documentation
- Secure, self-service functions for API developers, so they can:
- View details of APIs they’re entitled to
- Test an API directly from the Portal
- Browse the API Catalog
- Learn API usage through interactive Swagger documentation
- Review API security policies and generate API access keys (e.g. OAuth)
- View API quota details
- Management of multiple developer communities, enabling an organization to:
- Define varied developer groups and grant different levels of API access to each community
- On-board large groups of developers easily and quickly
- Manage API clients by defining who, what and how much developers may consume
- Set security profiles for APIs (OAuth, API key, and more)
- Visibility, measurement, audit control, and analytics
- Track how data flows and review each step in real-time
- Audit and debug API traffic as needed
- Centralized API publication with an API Catalog
(source: http://www.axway.com/products-solutions/api-management/api-portal)
Published January 7, 2015 Reads 4,387
Copyright © 2015 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Mark O'Neill
Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.
- Jill Tummler Singer of the CIA Speaks on "Cloud Safety" : +1
- Securing Web Services
- We Know Web Services Need Security, But What Type?
- Cloud Computing in Practice
- Connecting to the Cloud in Chinese: 连接到云
- Maureen O'Gara at Cloud Computing Journal on the Vordel Cloud Service Broker
- Google Says "Cloud Computing Is" ...
- XML Without Wires - Part 1 of 2
- Vordel Connects SOA to the Cloud
- Connecting to the Cloud in Japanese - クラウドに接続する