Easter is upon us and it got me thinking about Easter eggs – not the delicious chocolate ones or the colourful dyed version, but the geeky ones that take the form of hidden features in video games or computer applications. They are an old concept going back to some of the original PC-based applications that I was using waaaay back in the 1980s (yep, I am as old as dirt!). The thing about computer application or video game ‘Easter eggs’ is that they are never in plain sight and you have to be in-the-know to find them. Application Programming Interfaces, or APIs, are similar to Easter eggs: they are not in plain sight and you have to be more knowledgeable than the average user to even know that they exist.
An API is a method for computer programs to talk to each other; APIs are small pieces of computer code that are not typically overly complex, and they permit integration of sorts between applications or systems that were built independently of each other. For example, I may build a new application that allows me to buy city transit tickets, and I may add an API that permits city transit authorities to link their service to my application. All amazingly boring information for some, so why talk about APIs? Well, because they are used everywhere today, including in social media applications.
Building APIs is a great way to provide connectivity between applications so that they can share information and better integrate services: Facebook, for example, can be linked to your smartphone location services, and third-party developers can build their own apps and link them to Facebook with APIs as well. Now you should have guessed by now that I am about to ‘drop the other shoe’ and bring up security: APIs provide seamless connectivity between separate applications, so it should be obvious that they should only do this in a secure manner. If I build an app tomorrow and I also build a few APIs to go with it so that it can connect to other apps and therefore be more functional and useful, then I should be a) testing the security of my APIs before releasing them and b) building my APIs with security in mind. One way to secure APIs is to enforce only authenticated connections with your APIs – this is just like when you log in to a computer, where you need to provide credentials in order to connect. Ensuring your APIs are stable is also critical, so testing them as well as the system(s) they connect to is important.
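To make the ‘authenticated connections only’ point concrete, here is an added example (not code from the original post) of a minimal handler for the transit-ticket API described above, shown once without the check and once with it. The partner names, keys, header name and request shape are all constructed for illustration.

```python
# Added example: the transit-ticket "link your service" endpoint, weak form
# beside the hardened form that requires a partner API key.
import hmac
import secrets

# Constructed sample keys issued to partner transit authorities. In a real
# deployment these would come from a secrets store, never from source code.
PARTNER_KEYS = {
    "metro-transit": "k3y-metro-0001",
    "harbour-ferries": "k3y-ferry-0002",
}


def link_service_unauthenticated(request):
    """Weak version: anyone who discovers the endpoint can link a service."""
    return {"status": 200, "linked": request["body"]["service"]}


def authenticate(request):
    """Return the partner name for a valid key, or None.

    Every known key is compared with a constant-time comparison, so a wrong
    key costs the same time as a right one and timing reveals nothing.
    """
    presented = request["headers"].get("X-API-Key", "").encode()
    matched = None
    for partner, key in PARTNER_KEYS.items():
        if hmac.compare_digest(key.encode(), presented):
            matched = partner
    return matched


def link_service(request):
    """Hardened version: refuse to act until the caller has proven who it is."""
    partner = authenticate(request)
    if partner is None:
        # One generic message: do not say whether the key was missing or wrong.
        return {"status": 401, "error": "authentication required"}
    return {"status": 200, "linked": request["body"]["service"], "partner": partner}


def issue_partner_key():
    """Mint a new partner key with enough entropy that it cannot be guessed."""
    return secrets.token_urlsafe(32)
```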
APIs are not new, and neither is the long list of security guidance and advice available for them. You can start by taking a stroll through the Open Web Application Security Project (OWASP) web site and searching there for ‘API’ – you will find specific guidance on securing these ubiquitous programming elements. Think of APIs as an entry door into your home – you want some controls on who can come through that door (to deliver Easter eggs) as well as a way to add some locks and authorize people who want to come in and test it all out!
ANTHONY ENGLISH Vice President, Mariner Security Solutions
PCIP, C|CISO, MCSE, CISSP, CISA, CISM, CGEIT, CRISC, CBCP, CIPP/C, ISO 27001 Master, CTT+, A+, HiTrust Certified CSF Practitioner, ISO27033 Lead Cybersecurity Manager
Anthony is one of the top cybersecurity professionals in Atlantic Canada, with extensive Canadian and international experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance. He sits on the Standards Council of Canada (SCC) IT Security Techniques committee (MC/ISO/IEC/JTC 1/SC 27), the Disaster Recovery Institute Canada (DRIC) Certification Committee and the Cloud Security Alliance committee on the security of health care data in the cloud, and is an Exam Development Volunteer for ISC2. Anthony has worked in utilities, law enforcement, consulting, education, health care, lottery and gaming, auditing and the financial sector.