Building on an insightful dialogue at The European Identity and Cloud Conference, I had the privilege of sharing the stage with industry experts Ingo Schubert (RSA), Ward Duchamps (Thales Digital Identity and Security), and Mark Haine (OpenID Foundation). With stimulating questions from Martin Kuppinger and Mike Schwartz, we dug deep into contemporary topics. Continuing from our previous panel-related post, this post presents the next chapter of our in-depth conversation.
In today’s digital landscape, APIs (Application Programming Interfaces) are the cornerstone of business communication. They enable software applications to interact, opening up vast possibilities for integration and innovation. However, this also introduces an array of security vulnerabilities. To fortify defenses and mitigate these risks, we can harness the power of identity standards like FAPI2 (Financial-grade API). In this guided blog post, we’ll explore the role of FAPI2 in addressing the flaws highlighted by the Open Web Application Security Project (OWASP) in their API:2019 report.
Step 1: Understand the Role of Identity Standards in API Security
Identity standards provide a framework for secure data sharing and interoperability. According to Mayur Upadhyaya, Co-founder & CEO of Contxt, “Standards like OpenID Connect and FAPI2 play an integral role in ensuring safe data sharing and enabling interoperability.”
Action Item: Review your organization’s current API security strategy. Determine whether and how identity standards are currently being used.
Step 2: Address OWASP API:2019 Flaws with FAPI2
OWASP’s API:2019 report identifies the top ten API security risks. To combat these, FAPI2 offers valuable guidance. As Martin Kuppinger, Principal Analyst at KuppingerCole, puts it, “FAPI2 provides guidelines that help developers avoid common pitfalls associated with the OWASP API:2019 flaws. It’s like a blueprint for secure API development.”
Action Item: Analyze the OWASP API:2019 report and identify any vulnerabilities in your API that align with the report’s top ten risks. Consider how FAPI2 guidelines can be used to address these vulnerabilities.
Step 3: Choose the Right Standards
Not all standards offer the same level of security. “It’s essential to choose one that meets your organization’s specific needs and industry requirements,” advises Michael Schwartz, Founder of Gluu.
Action Item: Assess your organization’s needs and industry requirements. Based on these, determine the most suitable identity standards to implement.
Step 4: Balance Security and Usability
While robust API security is paramount, it shouldn’t compromise usability. Ingo Schubert, Global Cloud Identity Architect at RSA, echoes this sentiment: “We must balance security with usability. Overly complex security measures can deter users, while lax ones can lead to security breaches.”
Action Item: Evaluate your current API security measures. Look for opportunities to enhance security without negatively impacting usability.
Step 5: Contribute to the Development of Standards
Participating in the development of standards like FAPI2 allows organizations to influence the security landscape. Mark Haine, Distinguished Engineer at the OpenID Foundation, encourages organizations to take an active role: “API security is a shared responsibility.”
Action Item: Explore opportunities for your organization to contribute to the development of identity standards.
Step 6: Implement a Layered Security Approach
Finally, a layered security approach, incorporating standards like FAPI2 as one of many defenses, can bolster your API security. Alejandro Leal, Research Analyst at KuppingerCole, and Ward Duchamps, Senior Product Strategist at Thales Digital Identity and Security, both endorse this strategy.
Action Item: Design a layered security strategy for your APIs. Ensure that the use of identity standards is an integral part of this strategy.
By following this guided journey, organizations can effectively leverage identity standards like FAPI2 to secure APIs and mitigate the flaws highlighted in the OWASP API:2019 report.