VP Innovation at Axway, Co-founder at Vordel

Mark O'Neill





APIs - the weak security link in IoT / Home Automation - How an API Gateway can help

ProgrammableWeb recently had a story about how Randy Westergren detected that the API into his home controller system was insecure. As he mentions, the response was "No, there is no authentication, your local network is supposed to be safe environment and protected from outside world using Wi-Fi passwords and firewalls" and a recommendation to use a proxy for security.

So this is obviously a bad thing, right? But wait... From a security point of view, it can often be a good thing to deploy a proxy to enforce security. A proxy, or Gateway, acts as a security enforcement point and means that the developers of the API can focus on building the API itself. The API Gateway is specifically designed for security. Last night at the Boston API Craft meetup, I used this slide which explains the API Gateway pattern (adapting a slide from my colleague Daniel Wille - thanks Dan!):


An API Gateway like Axway's API Gateway implements standards such as OAuth and OpenID Connect, so the developers of the product API do not have to implement them themselves. It also implements API threat detection, checking for attacks like SQL injection or (for older-style APIs) XML-based attacks like the XML bomb. An API Gateway also handles quota management and API usage throttling, plus orchestration of APIs.
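To make the pattern concrete, here is an added example (not Axway's product code, and not from the original post) of the policy checks a gateway applies before forwarding a request to an unauthenticated home-controller API: bearer-token validation, a body-size limit, rejection of XML entity declarations (the XML bomb vector), and a per-client quota. The token list, quota figures and status codes are constructed assumptions for illustration.

```python
import re
import time
from collections import defaultdict

# Constructed sample: opaque bearer tokens the gateway accepts. A real gateway
# validates tokens against the OAuth authorization server instead of a table.
VALID_TOKENS = {"tok-kitchen-app": "kitchen-app", "tok-mobile": "mobile-app"}

QUOTA_PER_WINDOW = 5     # requests allowed per client per window (assumed)
WINDOW_SECONDS = 60
MAX_BODY_BYTES = 4096

# Entity declarations are what an XML bomb ("billion laughs") relies on to
# expand; a product API that never needs a DTD can simply have them blocked.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class Gateway:
    """Policy enforcement point placed in front of a product API that has no
    security of its own. The backend only ever sees requests that pass here."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable for deterministic tests
        self.counters = defaultdict(list)   # client id -> recent request times

    def _within_quota(self, client):
        now = self.clock()
        recent = [t for t in self.counters[client] if now - t < WINDOW_SECONDS]
        self.counters[client] = recent      # drop timestamps outside the window
        if len(recent) >= QUOTA_PER_WINDOW:
            return False
        recent.append(now)
        return True

    def decide(self, headers, body=b""):
        """Return (status, reason). Status 200 means forward to the backend."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        client = VALID_TOKENS.get(auth[len("Bearer "):])
        if client is None:
            return 401, "unknown token"
        if len(body) > MAX_BODY_BYTES:          # size check before any parsing
            return 413, "body too large"
        if DTD_MARKER.search(body):
            return 400, "DTD/entity declarations not allowed"
        if not self._within_quota(client):      # counted only for valid requests
            return 429, "quota exceeded"
        return 200, "forward to backend as " + client
```

Only requests that clear every check are counted against the quota, so an attacker sending malformed XML cannot use up a legitimate client's allowance.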

Product APIs

You can think of APIs into home automation systems as an example of "Product APIs". Randy Heffner of Forrester often talks about the importance of Product APIs as a class of APIs that is sometimes overlooked. In his recent report "A Developer's Guide To Strategies For API Success", Randy says:
"...you must start by understanding the four major categories of APIs: open Web, B2B, internal, and product APIs. The first three of these are commonly discussed in the industry, sometimes using the monikers public, partner, and private APIs. The fourth category, product APIs, is not often discussed, but is critical as an alternate perspective into brainstorming possible APIs and business ecosystems."
https://www.forrester.com/A+Developers+Guide+To+Forresters+Strategies+For+API+Success/fulltext/-/E-res122957
Product APIs can be too fine-grained for external consumption, and indeed they may just "do what they need to do" from a functional standpoint, purposefully leaving security up to a proxy or Gateway. It sounds like this was true in the case of the home automation APIs which Randy Westergren mentions. Beyond security, the Gateway adds further value for Product APIs by orchestrating them into higher-level APIs that are better suited to external consumption.

So next time you hear of a Product API like a home automation API not having security built in, think of how an API Gateway can help. 


More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.