To help developers increase the security of their apps, PayPal has updated its developer portal to include a self-service credential provisioning feature.
Applications authenticate with PayPal using client-secret pairs, which function similarly to username-password combinations. Using PayPal's new feature, developers can generate new client-secret pairs whenever they need to. They can also disable and delete existing client-secret pairs.
To rotate credentials in production apps, PayPal allows developers to have two client-secrets that are either enabled or disabled. New client-secrets can be added to an application and tested before the old one is disabled.
Previously, PayPal's developer portal did not offer developers to generate new credentials for their apps in a self-serve fashion. Once a new application was added, developers were provided a single client-secret pair that could not be changed.
Self-Serve Credential Management a Must
That was a significant shortcoming because appropriate management of credentials is crucial to application security, both for developers and API providers. After all, these credentials are literally the keys to the kingdom and in the wrong hands can wreak havoc on API consumers and providers, and the end users they both serve.
Unfortunately, credentials are one of the weakest links in the API security chain. They can be easily exposed through a variety of means, and developers frequently don't take enough care to adequately protect them. For instance, a developer who forgot to remove his Amazon AWS API keys from source code he pushed to his public GitHub account found himself dealing with a $2,000-plus bill when someone obtained the keys and used them. The keys were apparently identified using a bot, of which there are reportedly many that constantly scan GitHub and other services looking for credentials developers have inadvertently exposed publicly.
Self-serve credential management like that PayPal has rolled out don't eliminate the risk of such exposures, but they are a part of the solution. With the ability to disable credentials and create new ones, developers have the ability to take immediate action when they believe their credentials have been compromised, or to easily deal with situations in which a party that no longer needs access to an API may still have credentials, such as when a developer leaves a company.
Credential management capabilities also empower developers to adopt security-minded practices that recognize the importance of credentials. "Regularly updating the client-secret associated with your applications is a security best practice," Gagan Maheshwari, a PayPal Developer Platform architect, explained. "We recommend that [developers] utilize the self-service client-secret rotation feature on the developer portal on a regular schedule for maximum application security."
While such practices don't guarantee security, they are an important part of the security mix and all API providers should be giving their developers the ability to manage credentials in a manner similar to that of PayPal.