API Security: How to keep your back-end secure

Security is part of the developer experience. When I interviewed software testing firm CEO Diwaker Menon, he said something pretty profound: “Security is an essential part of the user experience.” At the time, we were talking about the Internet of Things, but his theme follows to everything. You could even extend it in a Hobbesian way to say that security is an essential part of the human experience. And, since developers are people too, API security is not just a nice-to-have—your company and your clients depend on it, so you better do your best to guarantee it.

API security for good DX. If the application programming interface is the digital glue connecting us via smartphones and the Internet of Things, then API security is what’s making sure that our connected world is not just going to fall apart. But as the world’s criminals get craftier, your business processes exposed via APIs are at greater risk than ever. API security and data protection compliance are necessary to protect against these threats, hacks and data leakage.

Three-tiered API security. The key to API security is that it is included in every layer of your API management from when you’re developing your APIs to deploying them to using them and offering access control for others to use them too. API security must be a priority at the:

1. interface level
2. access level
3. data level

The API gateway acts as your security filter for these layers.

API identity management is critical. You want to make sure that you use an API developer portal to facilitate easy access to your API, while just as easily automating how you secure it. Once you control who accesses what data in what way, you’ve won at least half the API security battle. You need to make sure that you authenticate the identity of each user every time, while making sure to control who is authorized to have what delegated access level.

Organization-wide access controls. As your business grows, you will also need different administrative levels across organizations to decide not only who can access what, but who is in charge of deciding that. Use an API management solution to help you limit how different users access what, so that you are only giving anyone access to what’s absolutely necessary to do what they have to do. Any API management tool worth its salt will easily facilitate cross-organizational collaboration, as well as with external partnerships.

Try mutual certificate authentication. You want to be secure, but so does your API consumer or your strategic business partner. The securist backend services include mutual authentication which enables both parties to authenticate each other at the same time.

Clear communication is part of security. Part of identity management is also making sure that your API consumers, the developers attempting to access your API, understand what permissions they have or don’t. Consistency is another important part of developer experience, like:

• Use a 401 error code to communicate that someone’s access isn’t authenticated
• Use a 403 error code to communicate that someone’s access isn’t permitted

Beware of the password. When it comes down to it, still to this day, the biggest security threat to our connected lives is still password stupidity. Try implementing API keys in lieu of a password, which leave a breadcrumb trail of accountability without slowing access. Keep these identifiers long and random (don’t do 1234 or users’ names) and use API keys to authenticate each and every request.

Automate API security. A good API management tool also will allow you to monitor the health of your API, quickly identifying errors and alerting you to security threats. Plus, it will scale and contract along with your business, handling any size load to make sure you’re secure at any level of traffic or users.

How do you enhance your own API security? Teach me below!