Mulesoft Bakes Support For Ping's Federated OAuth Into Anypoint

As part of an effort to make application integration more secure, MuleSoft this week announced that it has inked an alliance with Ping Identity to enable developers to more easily leverage PingFederate as an Open Authorization (OAuth) provider from within the MuleSoft Anypoint integration platform.

In addition, MuleSoft also announced that is has been certified as both a PCI-DSS Level 1 and HITRUST service provider and SSAE 16 SOC 2-compliant, which are critical certifications for retail, health care and accounting applications, respectively.

MuleSoft CTO Uri Sarid says that, in general, developers should be relying more on gateways that allow them to consistently apply security policies across multiple APIs. The degree to which a particular API management platform enables that to occur directly impacts both developer productivity and the level of security attached to any API implementation, says Sarid.

With more traditional businesses invoking APIs to expose business processes to partners and customers that are being accessed using a wide variety of mobile computing devices, Sarid says that API security has rapidly risen to become a major issue for developers. Unless developers can essentially prove the project they want to embark on is secure, chances are the project itself will never find its way into production, he says.

Given the complexity of applying security policies to those APIs, Sarid notes that an API management platform gives organizations the option of either having developers directly apply those policies or having the IT operations teams apply the policies to APIs as they are being deployed. In either scenario, those security policies can now be more consistently applied, he says.

For years now, IT organizations have been after developers to build more secure applications. Unfortunately, complexity is often the enemy of security. The more APIs an application invokes, the more vulnerable an application can become. Hackers in particular have become adept at leveraging an exploit in one minor application to compromise entire business processes. In effect, that means an application is really only as secure as its weakest API link.

Of course, part of the problem is the ongoing debate over just who should be responsible for API security. While many cite the need for developers to be intimately involved in security issues, many developers believe security is mainly the responsibility of the IT operations team. By baking security functionality into the API management platform, vendors such as MuleSoft are trying to provide a middle ground where the two camps can more naturally collaborate on creating and applying the appropriate levels of API security.

Michael Vizard