How To Secure APIs and Mashups

With exciting new web techniques like open APIs and mashups come some inevitable security issues. Luckily, there's usually a solution, though it can require a little more effort from developers.

On the API supplier side of the equation, providers are faced with a host of issues. A recent MIT Technology Review article, Warning Issued on Web Programming Interfaces (featuring ProgrammableWeb), discusses some of these:

Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, says that sites that publish APIs can find it hard to discover security flaws in them. He notes that often it's difficult to tell how a third-party site is using an API, and if that site has been compromised by an attacker.

The story also cites a talk given at this summer's DEFCON hacking conference in Las Vegas that focused on API vulnerabilities including "API redirect loops":


and the impact of "API stacks":

But researchers Nathan Hamiel of Hexagon Security Group and Shawn Moyer of Agura Digital Security say that APIs could also be exploited by hackers. They note that several APIs are often stacked on top of each other. For example, an API might be used by the developers of other websites who, in turn, publish APIs of their own. "There could be security problems at the different layers when this sort of stacking happens," Hamiel says.

On the mashup developer side, there's this recent article posted on IBM's developerWorks site that covers some common mashup vulnerabilities. Among the techniques addressed are cross-site scripting and JSON data security. The author also provides some solutions or ideas for each vulnerability.

The security issues with mashups are not much different from the concerns web developers should already be considering, especially when using JavaScript and AJAX. The added complexity with mashups is that, when the APIs are themselves JavaScript, there are more points at which an application can be exposed.
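As an added illustration (not code from the article or from the IBM piece) of the two mashup problems named above, cross-site scripting and JSON data security, here is a small widget that consumes a partner API's JSON feed. The feed, the `parseFeed`/`renderFeed` functions and the hostname `example.test` are all constructed for this example; the unsafe renderer is kept only for contrast.

```javascript
// Constructed sample response, shaped like a partner API's feed. The first
// item's title and the second item's url carry the kind of content an
// untrusted source can return; they are the fields a mashup must neutralise.
const SAMPLE_RESPONSE = JSON.stringify({
  items: [
    { title: "<img src=x onerror=alert(1)>", url: "https://example.test/a" },
    { title: "Plain title", url: "javascript:alert(2)" },
    { title: "Third", url: "https://example.test/c" },
  ],
});

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Only http(s) links may reach an href; anything else is replaced by "#".
function safeUrl(u) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(u) ? u : "#";
}

// JSON data security: parse with JSON.parse, never eval(), so a body that is
// executable script rather than JSON throws instead of running, then enforce
// the expected shape so an unexpected payload fails closed.
function parseFeed(body) {
  const data = JSON.parse(body);
  if (!data || !Array.isArray(data.items)) throw new Error("unexpected feed shape");
  return data.items.map((it) => {
    if (typeof it.title !== "string" || typeof it.url !== "string") {
      throw new Error("unexpected item shape");
    }
    return { title: it.title, url: it.url };
  });
}

// XSS: every untrusted field is escaped or filtered before it becomes markup.
function renderFeed(items) {
  const lis = items.map(
    (it) => `<li><a href="${safeUrl(it.url)}">${escapeHtml(it.title)}</a></li>`);
  return "<ul>" + lis.join("") + "</ul>";
}

// The mistake being avoided: untrusted fields concatenated into markup verbatim.
function renderFeedUnsafe(items) {
  const lis = items.map((it) => `<li><a href="${it.url}">${it.title}</a></li>`);
  return "<ul>" + lis.join("") + "</ul>";
}

console.log(renderFeed(parseFeed(SAMPLE_RESPONSE)));
```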

From the IBM piece:

"This model of development leads to security vulnerabilities that can multiply very quickly: With each new artifact or data source added to a mashup, security vulnerabilities increase. Such open integration makes it essential to ensure that artifacts and data are tested and secured against malicious intrusions."

Even though the vulnerabilities are the same ones we've dealt with on ordinary sites, mashups and APIs are using the web in new ways. That leads to new methods of exploitation, in addition to the great new things that are possible. But as with security issues in the past, the desire to use the new features leads to innovative solutions.
