API Security

TradeIt: API-First Online Trading with Apigee

Editor's note: Today we hear from Joel Hancock, head of product at TradeIt. TradeIt is dedicated to helping people stay in control and connected to their investments by building the underlying API infrastructure to link app developers with financial institutions. 

TradeIt is the leading API for online investing. We connect retail brokers to the TradeIt ecosystem and distribute our API to app developers who use it to enable their users to view portfolios and trade directly from brokerage accounts.

Most of the large retail brokers are integrated into our ecosystem. We've also just distributed our API into one of the largest financial media applications and we’re working closely with several others. We’re excited to be collaborating as well with Google for future integration with Google Assistant.

When we were getting ready to start building an API ecosystem for investing, we had to start thinking early about our API gateway, session management, our API interface, and the developer portal. Initially we started building every one of those on our own, which was a huge undertaking.

As we faced the challenges of scaling and growth, we realized that we should look at what was available on the market: the smart move would be to leverage a best-in-class API solution instead of building everything in-house. We looked at a few solutions and found Apigee the best for several reasons. We especially appreciated Apigee's technology partnerships and the overall functionality of the API developer portal.

At this point, we use Apigee internally in a proof of concept. We plan to go live in Q4 of this year. For us, as an API-first company, Apigee is more of an infrastructure adjustment than a real change in how we do business. We expect the changeover to be transparent to our users. Rather than relying on the switch to Apigee to focus on pushing more product-based features, we see the value because it's just more sustainable in the long term. We couldn’t possibly build, manage, and maintain the kind of feature set, security, stability, scalability, or innovations that the Apigee API management platform gives us.

We built the platform before implementing Apigee. I believe that if we had known that Apigee was out there, we would have started with it from the beginning, saving a lot of time and development costs in the process. Right now, we’re at the point in our migration where we’re seeing that Apigee does a great job at providing us analytics on our API usage, and we can already leverage the developer portal.

I think the main challenge for our team of 10 developers was figuring out how to integrate Apigee to match our business project. The Apigee platform was very helpful when it came to building our own API interface and what we expose to our developers.

We still have a lot of business logic that's very specific to the brokerage field that has to be integrated in the best possible way with Apigee, but we’ve been encouraged so far. Our model is a single API made from aggregating many different trading APIs, and people use us to streamline connecting with popular retail brokers. We’re working on building the logic to map between our APIs and the brokers’ APIs so that we can complete our migration to Apigee.

We’re excited about seeing significant ROI from Apigee soon!

Riding the Wave of Digital Disruption

5 tips to help legacy businesses operate like startups

Startups often face significant challenges. At a bare minimum, they need to define their value proposition, build a service, get funding, define a business model, drive sales, and recruit talent—all with a severely constrained staff. Many startups fail because of their inability to address any number of those challenges.

Despite these hurdles, many startups have a leg up over long-established competitors. Read the rest of this article on ProgrammableWeb to learn about five key enablers to help large enterprises overcome disadvantages they might face when compared to nimble digital natives. 

Best Practices for Building Secure APIs

Editor's note: API security remains a critical issue for our readers. For evidence, look no further than this article, the all-time most popular post on Apigee's "APIs and Digital Transformation" Medium publication. With that in mind, we reprise it here.

API (application programming interface) designers and developers generally understand the importance of adhering to design principles while implementing an interface. No one wants to design or implement a bad API!

Even so, it’s sometimes tempting to look for shortcuts to reach those aggressive sprint timelines, get to the finish line, and deploy an API. These shortcuts may pose a serious risk — unsecured APIs.

Developers should remember to wear the hat of an API hacker before deploying. If a developer neglects to identify the vulnerabilities in an API, the API could become an open gateway for malicious activity.

An API can work for or against its provider depending on how well the provider has understood and implemented its API users’ requirements. If a company builds an incredibly secure API, it might end up very hard to use. A fine balance needs to be struck between the purpose of an API and ease of consumption. In this article, we’ll explore some of the API vulnerabilities we’ve come across through our work as part of Google’s Apigee team, including how these vulnerabilities might have been prevented.

To continue reading, visit our Medium page

Apigee blog home page image: Simon Cocks/Flickr Creative Commons

Best Practices for Building Secure APIs

API designers and developers generally understand the importance of adhering to design principles while implementing an interface. No one wants to design or implement a bad API!

Even so, it’s sometimes tempting to look for shortcuts to reach those aggressive sprint timelines, get to the finish line, and deploy an API. These shortcuts may pose a serious risk — unsecured APIs.

Developers should remember to wear the hat of an API hacker before deploying. If a developer neglects to identify the vulnerabilities in an API, the API could become an open gateway for malicious activity.

Identifying and solving API vulnerabilities

An API can work for or against its provider depending on how well the provider has understood and implemented its API users’ requirements. If a company builds an incredibly secure API, it might end up very hard to use. A fine balance needs to be struck between the purpose of an API and ease of consumption. In this post, we’ll explore some of the API vulnerabilities we’ve come across through our work as part of Google’s Apigee team, including how these vulnerabilities might have been prevented.

Injections

APIs are the gateways for enterprises to digitally connect with the world. Unfortunately, there are malicious users who aim to gain access to enterprises’ backend systems by injecting unintended commands or expressions to drop, delete, update, and even create arbitrary data available to APIs.

In October 2014, for example, Drupal announced a SQL injection vulnerability that granted attackers access to databases, code, and file directories. The attack was so severe that attackers may have copied all data out of clients’ sites. There are many types of injection threats, but the most common are SQL Injection, RegEx Injection, and XML Injection. More than once, we have seen APIs go live without threat protection — it’s not uncommon.

APIs without authentication

An API built without protection from malicious threats through authentication represents an API design failure that can threaten an organization’s databases. Ignoring proper authentication — even if transport layer encryption (TLS) is used — can cause problems. With a valid mobile number in an API request, for instance, any person could get personal email addresses and device identification data. Industry-standard strong authentication and authorization mechanisms like OAuth/OpenID Connect, in conjunction with TLS, are therefore critical.

Sensitive data in the open

Normally, operations teams and other internal teams have access to trace tools for debugging issues, which may provide a clear view of API payload information. Ideally, PCI cardholder data (CHD) and personal health information (PHI) are encrypted from the point where data is captured all the way to where data is consumed, though this is not always the case.

With growing concerns about API security, encryption of sensitive and confidential data needs to be a top priority. For example, in June 2016, an HTTP proxy vulnerability was disclosed that provided multiple ways for attackers to proxy outgoing requests to a server of their choice, capture sensitive information from the request, and gain intelligence about internal data. Beyond using TLS, it’s important for API traffic to be protected by encrypting sensitive data, implementing data masking for trace/logging, and using tokenization for card information.

Replay attacks

A major potential concern for enterprise architects is the so-called “transaction replay.” APIs that are open to the public face the challenge of figuring out whether to trust incoming requests. In many cases, even if an untrusted request is made and denied, the API may politely allow the — potentially malicious — user to try and try again.

Attackers leverage this misplaced trust by attempting to play back or replay a legitimate user request (in some cases using brute force techniques) until they are successful. In 2016, hackers got into GitHub accounts via a playback attack by reusing email addresses and passwords from other online services that had been compromised and trying them on GitHub accounts.

Countermeasures include rate-limiting policies to throttle requests, the use of sophisticated tools like Apigee Sense to analyze API request traffic, and identification of patterns that represent unwanted bot requests. Additional security measures to stymie replay attacks include:

  • HMAC, which incorporates timestamps to limit the validity of the transaction to a defined time period
  • two-factor authentication
  • enabling a short-lived access token by using OAuth

Unexpected surges in API usage

It’s always tricky to estimate the usage of an API. A good example is the app that briefly brought down the National Weather Service API. This particular API didn’t have any kind of traffic surge prevention or throttling mechanism, so the unexpected surge in traffic directly hit the backend.

A good practice is to enforce a spike arrest on bursts of traffic, or a per-app usage quota, so that the backend won’t be impacted. This can be rolled out easily with the help of a sophisticated API management platform that offers policies like quota and spike arrest.
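The two policies named above do different jobs: a spike arrest smooths the rate (at 10 per second it admits one request per 100 ms rather than a burst of ten), while a quota caps the total per app over a window. The following is an added illustration of that difference, not Apigee's implementation: a per-key spike arrest and a fixed-window quota evaluated in the order a gateway would apply them. Times are integer milliseconds supplied by the caller so the behaviour is deterministic.

```python
from collections import defaultdict


class SpikeArrest:
    """Smooths bursts: a rate of N per second admits at most one request per 1000/N ms per key,
    instead of letting a whole burst reach the backend at once."""

    def __init__(self, per_second):
        self.min_gap_ms = 1000 // per_second
        self.last_allowed = defaultdict(lambda: None)

    def allow(self, key, now_ms):
        last = self.last_allowed[key]
        if last is None or now_ms - last >= self.min_gap_ms:
            self.last_allowed[key] = now_ms
            return True
        return False


class Quota:
    """Hard cap per app per fixed window (for example 1000 calls per hour)."""

    def __init__(self, limit, interval_ms):
        self.limit = limit
        self.interval_ms = interval_ms
        self.windows = {}  # app_id -> (window_start_ms, count)

    def allow(self, app_id, now_ms):
        start, count = self.windows.get(app_id, (now_ms, 0))
        if now_ms - start >= self.interval_ms:
            start, count = now_ms, 0  # the window has rolled over
        if count >= self.limit:
            self.windows[app_id] = (start, count)
            return False
        self.windows[app_id] = (start, count + 1)
        return True


def gateway_decision(spike, quota, app_id, now_ms):
    """Spike arrest runs first so a flood is dropped before it consumes the app's quota."""
    if not spike.allow(app_id, now_ms):
        return 429, "spike arrest: request rate too high"
    if not quota.allow(app_id, now_ms):
        return 429, "quota exceeded for this app"
    return 200, "forwarded to backend"
```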

Keys in URI

For some use cases, implementing API keys for authentication and authorization is good enough. However, sending the key as part of the Uniform Resource Identifier (URI) can lead to the key being compromised. As explained in IETF RFC 6819, because URI details can appear in browser or system logs, another user might be able to view the URIs from the browser history, which makes API keys, passwords, and sensitive data in API URIs easily accessible.

It’s safer to send API keys in the Authorization header of the message, which is not logged by network elements. As a rule of thumb, using the HTTP POST method with a payload carrying the sensitive information is recommended.

Stack trace

Many API developers become comfortable using 200 for all successful requests, 404 for all failures, 500 for some internal server errors, and, in some extreme cases, 200 with a failure message in the body on top of a detailed stack trace. A stack trace can potentially become an information leak to a malicious user when it reveals underlying design or architecture implementations in the form of package names, class names, framework names, versions, server names, and SQL queries.

Attackers can exploit this information by submitting crafted URL requests, as explained in this Cisco example. It’s a good practice to return a “balanced” error object, with the right HTTP status code, with minimum required error message(s) and “no stack trace” during error conditions. This will improve error handling and protect API implementation details from an attacker. The API gateway can be used to transform backend error messages into standardized messages so that all error messages look similar; this also eliminates exposing the backend code structure.
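The gateway-side transform described above, as an added example rather than Apigee's own policy: backend error responses are mapped to a small set of standardized client messages with a correlation id, the raw body goes only to the gateway log, and a body that carries a stack trace is treated as a failure even when the backend labelled it 200. The status mapping and the stack-trace fingerprints are assumptions for the example.

```python
import logging
import re
import uuid

log = logging.getLogger("gateway")

# What a client may see for well-understood backend statuses; everything else is generic.
CLIENT_MESSAGES = {400: "Bad request", 401: "Unauthorized", 403: "Forbidden",
                   404: "Not found", 429: "Too many requests"}

# Fingerprints of common stack-trace formats (Java, Python, .NET-style) in a response body.
STACK_HINT = re.compile(
    r"(\bat [\w.$<>]+\(|Traceback \(most recent call last\)|\w+(Exception|Error)\b|\.java:\d+)")


def looks_like_stack_trace(text):
    return bool(STACK_HINT.search(text or ""))


def standardize_error(backend_status, backend_body):
    """Return (status_for_client, body_for_client).

    The raw backend body is written to the gateway log under a correlation id and never
    forwarded, so the client gets a stable, actionable error without package, class or
    framework names. A 200 whose body contains a stack trace is treated as a failure."""
    correlation_id = str(uuid.uuid4())
    if backend_status >= 500 or looks_like_stack_trace(backend_body):
        status, message = 500, "Internal error"
    elif 400 <= backend_status < 500:
        status, message = backend_status, CLIENT_MESSAGES.get(backend_status, "Request failed")
    else:
        return backend_status, backend_body  # genuine success: pass through untouched
    log.error("backend error %s status=%s body=%r", correlation_id, backend_status, backend_body)
    return status, {"error": {"code": status, "message": message, "correlationId": correlation_id}}
```

The correlation id lets support staff find the full backend detail in the gateway log without that detail ever leaving the gateway.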

Keep APIs safe

As we have reviewed in this article, many potential threats can be avoided by putting some thought into API design and establishing governance policies that can be applied across the enterprise. It is important to guard APIs against malicious message content by accessing and masking sensitive encrypted data at runtime and protecting backend services against direct access. An API security mistake can have significant consequences — but with the right forethought and management, businesses can make themselves much safer.

This post originally appeared in Medium.

GDPR: Are You Ready?

On May 25, 2018, one of the most significant pieces of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR aims to strengthen individuals’ rights regarding their personal data and seeks to unify data protection laws across Europe, regardless of where that data is processed.

Apigee, which is part of Google Cloud, is committed to GDPR compliance across our API management services. We are also committed to helping our customers with their GDPR compliance journey by providing them with the privacy and security protections we have built into our services over the years.

Apigee Edge customers will typically act as the data controller for any personal data they provide in connection with their use of Apigee Edge. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.

Our terms of service articulate our commitments to customers, and we are updating them to address GDPR changes and making those updates available to customers in the coming weeks.

If you’re a data controller, you can familiarize yourself with and find guidance related to your responsibilities under the GDPR by regularly checking the website of your national or lead data protection authority (as applicable). You should also seek independent legal advice relating to your status and obligations under the GDPR. Bear in mind that nothing in this article is intended to provide you with, or should be used as a substitute for, legal advice.

Apigee Up Close: Protecting APIs with OWASP Best Practices

Webcast replay

Apigee Up Close is a webcast series featuring the Apigee Edge platform and live demos on select topics that users have been asking about.

Do you know how to protect your APIs from malformed client payloads? Do you have a solid grasp of how your application layer is exposing the underlying database?

In this webcast replay, you’ll learn how Apigee Edge can be configured to protect your APIs and backend resources from common OWASP security vulnerabilities and other threats.

We’ll look at an example that uses injection flaw and input validation protections to mitigate the risk of a malicious attacker compromising your API and backend resources.

When we’re done, you'll have a clearer picture of how to:

  • Create an API that protects against injection flaws and input validation from malicious clients
  • Keep it as simple as possible to make adoption easy
  • Report on usage

Register now for the next webcast in this series. It will help you build an API using composite resources.

Autodesk: Enabling New Revenue with the Apigee Platform

New case study

Autodesk makes software for people who build things. Founded in 1982, the company has been synonymous with industry-leading 3D design software for desktops, and it has used APIs for decades. But as the world moved to mobile devices and cloud, the need to transform from desktop technology to cloud offerings took center stage.

That’s why Autodesk has committed itself to digital reinvention, not only moving its award-winning software to the cloud but also investing in APIs to enable new, data-driven revenue streams.

Creating an ecosystem became a key part of achieving this goal.

“We are trying to drive a movement to the cloud in the industries we serve,” said Shawn Gilmour, Autodesk’s director of PaaS strategy. “To really be successful, we need to build an ecosystem. We really need partners and data sharing and integrations to do this—and that’s where APIs come in.”

Internally, leveraging modern APIs and the Apigee API platform enabled Autodesk to empower its development teams to easily and securely leverage the company's long-term software applications and resources for new applications and create customized and connected workflows. But it also opened doors to untapped markets, beyond Autodesk's bread-and-butter customer base of professional designers.

Read this new case study to learn how the Apigee platform helped Autodesk attract new customers and provided new levels of flexibility and scalability to the company's development efforts.

How Moving Apigee Sense to GCP Reduced Our “Data Litter”

In the year-plus since Apigee joined the Google Cloud family, we’ve had the opportunity to deploy several of our services to Google Cloud Platform (GCP). Most recently, we completely moved Apigee Sense to GCP to use its advanced machine learning capabilities. Along the way, we also experienced some important performance improvements as judged by a drop in what we call “data litter.”

In this post, we explain what data litter is, and our perspective on how various GCP services keep it at bay. Through this account, you may come to recognize your own application, and come to see data litter as an important metric to consider.

First, let’s take a look at Apigee Sense and its application characteristics. At its core, Apigee Sense protects APIs running on Apigee Edge from attacks and unwanted exploitation. Those attacks are usually performed by automated processes, or "bots," which run without the permission of the API owner. Sense is built around a four-element "CAVA" cycle: collect, analyze, visualize and act. It enhances human vigilance with statistical machine learning algorithms.

We collect a lot of traffic data as a by-product of billions of API calls that pass through Apigee Edge daily. The output end of each of the four elements in the CAVA cycle is stored in a database system. Therefore, the costs, performance and scalability of data management and data analysis toolchains are of great interest to us.

Read the whole story on the Google Cloud Platform blog

Apigee’s Top API Editorials of 2017

2017 was a big year for APIs.

They continued to solidify their position as the mechanism through which value is exchanged in modern economies, with literally quadrillions of API calls connecting apps, data, and systems throughout the world each day.

Apigee experts published dozens of editorials last year, both externally and via our Medium publication, to help developers, IT architects, and business leaders understand how to maximize the value of APIs and keep pace with constant technological change.

Here are some of our top articles from 2017, organized by some of the year’s biggest themes. Thank you to all of our readers, and stay tuned for more in 2018!

API management best practices

The nitty gritty details of API management can be challenging, but Apigee experts are here to help with their observations from the field. Be sure to check out “KPIs for APIs and Digital Programs: A Comprehensive Guide” by Michael Leppitsch and “Building an Outside-In Approach to APIs” by Chris Von See.

APIs and digital transformation

Virtually all companies understand the digital transformation imperative: if you don’t continually use technology to evolve your business, you’ll go out of business.

John Rethans explains why APIs are central to this imperative in his Forbes article, “APIs: Leverage for Digital Transformation.” And to explore why the technologies that businesses have been using for years are simply no longer good enough, read Brian Pagano’s “Legacy IT: Like a Horse on the Autobahn.”

To maximize the leverage John discusses in Forbes, APIs must be managed as products that empower developers—not as middleware. For details, see my article “How APIs Become API Products,” which includes real-world examples from Apigee customers Pitney Bowes, Walgreens, and AccuWeather.

To appreciate the full scope of an API-first business evolution, check out “Lessons from Magazine Luiza’s Digital Transformation,” in which John interviews the CTO of one of South America’s hottest companies. And to understand where multicloud strategies fit into the mix, read David Feuer’s “Multicloud: Taming the Rookery.”

Caught up on how APIs are used today? For a glimpse into the future of digital transformation and the role APIs will play as new technologies emerge, don’t miss our article in Business Insider, “How APIs are Key to Successful Digital Transformation.”

Security

New software vulnerabilities and attacker techniques emerge on a daily basis, so security remained a leading concern for enterprises in 2017. David Andrzejek wrote two of our top articles on the topic. “Using Behavior Analysis to Solve API Security Problems” in Help Net Security examines how user behavior can be monitored in near-real time to identify suspicious behavior and block malicious actors, and “Grinch Bots are out to Spoil the Holidays” in VentureBeat explains how businesses can stop a trend that plagued many online shoppers last year: attackers who use bots to buy up the most in-demand, supply-constrained items.

Digital ecosystems

To adapt to shifts in customer behavior and the competitive landscape, a business doesn’t need to become a platform company, invent new machine learning technologies, or build loads of new software in-house. Instead, it should leverage what others have built to complement its own capabilities, reach new user groups, and explore adjacent markets.

Anant Jhingran and I discuss these ideas in our CIO.com articles “APIs, Ecosystems, and the Democratization of Machine Intelligence” and “Do You Really Want to be a Platform?” For a deep look at these ecosystem dynamics, including a set of simulations, check out Anant and Prashanth Subrahmanyam’s CIO.com article, “3 Golden Rules for Winning in Software-Driven Ecosystems.”

Industry trends

APIs are playing into business strategies in virtually all industries, but there are still scores of specific trends, use cases, and regulatory requirements from one vertical to the next. Some of our top industry-specific stories from 2017 included David Andrzejek’s “Why Haven’t More Banks Embraced Digital Platforms?” in The Financial Brand and Aashima Gupta’s “Voice Interfaces Will Revolutionize Patient Care” in VentureBeat.

Image: Flickr Creative Commons/Jlm Ronan

Apigee Sense: API Protection with Intelligent Behavior Detection

New explainer video

APIs are everywhere. With their pervasiveness comes a whole new set of security threats. They can come in the form of automated software programs that commit brute force attacks, information scraping, and account abuse. They can probe for API security weaknesses and skew analytics.

What’s worse, these threats can be difficult to detect because they blend in with normal API traffic.

That’s where Apigee Sense comes in. Apigee Sense detects, collects, analyzes, and mitigates API attacks, and is purpose-built to protect APIs.

Learn more in this two-minute video.

And visit the Apigee Sense page for details.