This week on the API Intersection podcast, we chatted with Travis Spencer. As the CEO of Curity, a leading supplier of API-driven identity management, and Co-Founder of Nordic APIs, he brought a great perspective on what we can expect from API security standards in the coming months.
Travis joined us to discuss the latest API security trends and where program leaders can get started when it comes to security best practices. On the future of API security, Travis expects to see more openness, more regulation, and higher levels of security. Read on below to learn more about API security best practices.
API Security Trends to Look Out for Right Now
1. Relevant Technologies: OpenID Connect
“There are definitely newer technologies in the last few years; with a lot of work going into the OpenID Foundation and the working group setting that up. Now, we can start to build on top of that,” shares Travis.
The OpenID Foundation is for people who are seriously concerned about security, well beyond banks and financial services organizations. Its focus is on promoting, protecting, and nurturing the OpenID community and technologies.
OpenID Connect raises the bar on security best practices and is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
“So with all the great work in the authentication and federation space with OpenID Connect, more people are getting to the summit of the mountain that is proper API security. From that, technologies, products, and new standards are popping up, and I think that will only continue as more people make that journey to the summit,” shares Travis.
He predicts that significant drivers will continue to increase the demand for OpenID Connect. Some of these drivers are protocols and standards that build on top of OpenID Connect, such as open banking.
“Another thing around the usefulness of OpenID Connect is with distributed identities. These are definitely coming onto the scene and using OpenID as a bridge. This super important technology enables users to be anonymous and private online, while also secure and safe,” shares Travis.
2. Open Banking is Here to Stay
“Open banking [a Stoplight customer] is a massive initiative over here in Europe, the UK, Australia, and Brazil. I think that [it] will expand into other geographies, including the US, Middle East, Hong Kong, and Asia,” shares Travis.
At the center of Open Banking is the belief that a customer’s financial data belongs to them and not the financial institution that holds it. It also allows for payments to be made from account to account without the use of intermediaries. This creates more financial inclusion for individuals and small businesses that might be otherwise left out of certain financial products.
Travis expects the open banking trend to flourish in open finance, open government, open manufacturing, and other open industries sooner rather than later. From that, we can expect to see an increase in demand for APIs. And not just any APIs, but highly secured ones, because regulatory requirements demand a very high level of security.
3. New Identity Standards
“And then the other big push that I see here is around global identity networks such as GAIN, which is the global identity assurance network,” shares Travis.
Initiatives like GAIN will help to wrap an identity layer around the internet so that people can conduct safer transactions and more assuredly answer the question of ‘who you are’ online.
As these standards become more popular, it’s essential to balance the need to adhere to them with maintaining a good consumer experience. Travis emphasized the importance of understanding the recommendations you adopt and whether these new standards will provide a good experience for your end-users.
4. Utilizing Hypermedia APIs
“At Curity, we’ve been taking the fact that OpenID Connect is a hypermedia API and consuming that and interacting with that API using a Hypermedia client,” shares Travis.
His team uses hypermedia APIs within their web application to support a variety of sophisticated login methods. Hypermedia lets them manage the entire login process as a state machine, which they drive right within the mobile or web application the user is already interacting with, creating a simpler user experience.
Using hypermedia APIs helps his team focus on predictability and adaptability when considering all the factors of interacting with the application, such as jumping out of the app and losing context, getting stuck in an app on mobile, and users’ geographical locations.
Getting Started with API Security
“So if you’re building scratch applications, I would focus more on how to move on the X Y coordinate and focus on other lower level basics first,” shares Travis. “Once your program evolves out from there then build your first web application.”
Travis emphasizes that OpenID Connect was designed to be a very simple protocol for the client, since the hard part (the server implementation) is already taken care of by organizations like Curity. That means someone starting from scratch can simply use it and write a client in a few lines of PHP or C#, or even Java.
OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management when it makes sense for them.
“If you go to OpenID Foundation, you can find many examples there. And you can find blog posts that will also point you in the right direction,” shares Travis.
He also suggests visiting the “Get Started” section of the Curity.io website for more tips and tricks. Their community edition of the server is completely free and can be downloaded right away. It’s important to note that security is usually one of the things that takes the longest for most API program leaders to figure out and mature.
“After having visited many places where the word ‘identity’ hadn’t been spoken in the context of their API program as folks build their APIs (and if you’re building things that connect over the web like that); you need a good security strategy in place from the ground up,” shares Travis.
Visit Curity.io or check out the immense amount of API-related content on the Nordic APIs website to get started with more security best practices. Curity’s Identity Server brings identity and API security together to create secure user access to apps and websites. As always, subscribe to the API Design blog or our podcast for more insights.
For more security best practices and more on API security strategy, check our security trends webinar below.