Welcome!

Microservices Expo Authors: Yeshim Deniz, Kevin Benedict, Liz McMillan, Elizabeth White, Jyoti Bansal

Related Topics: Microservices Expo, Java IoT, Linux Containers, @CloudExpo

Microservices Expo: Article

One Simple Step Can Make Your APIs More Secure

APIs have unique risk profile that must be managed

APIs - application programming interfaces -- are an old technology that has become today's hottest method for getting critical data to mobile apps. APIs are good for business. APIs drove $2 billion in business for Expedia by securely exposing valuable content to its affiliate network.

But there are hidden dangers to using APIs. APIs share many of the same threats that plague the web, but APIs have unique risk profile that must be managed. It is a mistake to think we can secure APIs the same way we secure the web.

But there are some really simple things that anyone implementing an API can do, right now, that will minimize the risk of APIs. Here's one I've pulled from a new eBooklet by Scott Morrison of CA Technologies called Five Simple Strategies for Securing Your APIs. The tip? Turn on SSL for your API and keep it on.

Most of us surf the web every day with no SSL (Secure Sockets Layer), and the only time we use it is when we're on Amazon.com and we're buying a book and need to put in our credit card number. We turn it on to buy the book, and then we turn it off because, in the early days of the web and even up until five years ago, SSL was very costly to run. Web sites were getting hammered by traffic, and using SSL slowed things down even more. There was a whole industry that sold SSL accelerator boards for web servers.

This created a culture of only turning SSL on when we really need it. Even though SSL provides strong security if it's applied correctly, we've gotten used to leaving ourselves open and vulnerable because it once hurt our performance to use it all the time.

People are now bringing that same mentality from the web over to APIs. They might have two APIs, one for buying books and the other for looking up shipping costs. Because the buy book API deals with important information, like credit cards, it gets wrapped in SSL. But the other API gets left in the clear. According to Morrison, this is a bad idea, and he thinks everyone should be using SSL all the time for all APIs, full stop.

Google, for example, has shown us that you can connect to their servers with or without SSL with no penalty in performance. The modern CPU is pretty good at doing the kind of floating point math required to do SSL efficiently. And, perhaps more importantly, the cloud has made CPU resources really cheap. It takes next to nothing to provision a few extra servers to handle any extra workload caused by SSL.

The security gains of turning SSL on for all transactions happening on your API far outweigh the minor performance loss. Not using SSL is an example, says Morrison, of the web mentality coming into the API world and being misapplied. APIs are much more vulnerable to attack than web sites. Not using SSL might once have made sense in the web world, but it certainly doesn't make sense in the API world in 2014. Morrison says we should be applying SSL to every API transaction, full stop.

This covers only one of the five simple tips Morrison shares in his eBooklet, Five Simple Strategies for Securing Your APIs. I think you might find the rest of his suggestions equally insightful and actionable.

More Stories By Jackie Kahle

Jackie is a 30-year veteran of the IT industry and has held senior management positions in marketing, business development, and strategic planning for major systems, software, and services companies including Hewlett-Packard, Compaq, and Gartner. She currently manages the strategy and execution of CA Technologies thought leadership programs. Jackie has an MBA from the Whittemore School, University of New Hampshire, a BA in Mathematics from New York University and is the Vice-Chair of the N.H. State Council on the Arts.

@MicroservicesExpo Stories
All clouds are not equal. To succeed in a DevOps context, organizations should plan to develop/deploy apps across a choice of on-premise and public clouds simultaneously depending on the business needs. This is where the concept of the Lean Cloud comes in - resting on the idea that you often need to relocate your app modules over their life cycles for both innovation and operational efficiency in the cloud. In his session at @DevOpsSummit at19th Cloud Expo, Valentin (Val) Bercovici, CTO of Soli...
The evolution of JavaScript and HTML 5 to support a genuine component based framework (Web Components) with the necessary tools to deliver something close to a native experience including genuine realtime networking (UDP using WebRTC). HTML5 is evolving to offer built in templating support, the ability to watch objects (which will speed up Angular) and Web Components (which offer Angular Directives). The native level support will offer a massive performance boost to frameworks having to fake all...
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem" ...
Both SaaS vendors and SaaS buyers are going “all-in” to hyperscale IaaS platforms such as AWS, which is disrupting the SaaS value proposition. Why should the enterprise SaaS consumer pay for the SaaS service if their data is resident in adjacent AWS S3 buckets? If both SaaS sellers and buyers are using the same cloud tools, automation and pay-per-transaction model offered by IaaS platforms, then why not host the “shrink-wrapped” software in the customers’ cloud? Further, serverless computing, cl...
The rise of containers and microservices has skyrocketed the rate at which new applications are moved into production environments today. While developers have been deploying containers to speed up the development processes for some time, there still remain challenges with running microservices efficiently. Most existing IT monitoring tools don’t actually maintain visibility into the containers that make up microservices. As those container applications move into production, some IT operations t...
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
Hardware virtualization and cloud computing allowed us to increase resource utilization and increase our flexibility to respond to business demand. Docker Containers are the next quantum leap - Are they?! Databases always represented an additional set of challenges unique to running workloads requiring a maximum of I/O, network, CPU resources combined with data locality.
As software becomes more and more complex, we, as software developers, have been splitting up our code into smaller and smaller components. This is also true for the environment in which we run our code: going from bare metal, to VMs to the modern-day Cloud Native world of containers, schedulers and micro services. While we have figured out how to run containerized applications in the cloud using schedulers, we've yet to come up with a good solution to bridge the gap between getting your contain...
An overall theme of Cloud computing and the specific practices within it is fundamentally one of automation. The core value of technology is to continually automate low level procedures to free up people to work on more value add activities, ultimately leading to the utopian goal of full Autonomic Computing. For example a great way to define your plan for DevOps tool chain adoption is through this lens. In this TechTarget article they outline a simple maturity model for planning this.
The rapid growth of hyperscale IaaS platforms that provide Serverless and Software management automation services is changing how enterprises can get better Cloud ROI. Heightened security concerns and enabling developer productivity are strategic issues for 2017. The emergence of hyper-scale Infrastructure as-a-Service (IaaS) platforms such as Amazon Web Services (AWS) that offer Serverless computing, DevOps automation and large-scale data management capabilities is changing the economics of so...
"We got started as search consultants. On the services side of the business we have help organizations save time and save money when they hit issues that everyone more or less hits when their data grows," noted Otis Gospodnetić, Founder of Sematext, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
Updating DevOps to the latest production data slows down your development cycle. Probably it is due to slow, inefficient conventional storage and associated copy data management practices. In his session at @DevOpsSummit at 20th Cloud Expo, Dhiraj Sehgal, in Product and Solution at Tintri, will talk about DevOps and cloud-focused storage to update hundreds of child VMs (different flavors) with updates from a master VM in minutes, saving hours or even days in each development cycle. He will also...
Thanks to Docker, it becomes very easy to leverage containers to build, ship, and run any Linux application on any kind of infrastructure. Docker is particularly helpful for microservice architectures because their successful implementation relies on a fast, efficient deployment mechanism – which is precisely one of the features of Docker. Microservice architectures are therefore becoming more popular, and are increasingly seen as an interesting option even for smaller projects, instead of being...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, will discuss how to use Kubernetes to setup a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace....
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
SYS-CON Events announced today that Fusion, a leading provider of cloud services, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Fusion, a leading provider of integrated cloud solutions to small, medium and large businesses, is the industry’s single source for the cloud. Fusion’s advanced, proprietary cloud service platform enables the integration of leading edge solutions in the cloud, including cloud...
SYS-CON Events announced today that Outlyer, a monitoring service for DevOps and operations teams, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outlyer is a monitoring service for DevOps and Operations teams running Cloud, SaaS, Microservices and IoT deployments. Designed for today's dynamic environments that need beyond cloud-scale monitoring, we make monitoring effortless so you...
Cloud Expo, Inc. has announced today that Andi Mann and Aruna Ravichandran have been named Co-Chairs of @DevOpsSummit at Cloud Expo 2017. The @DevOpsSummit at Cloud Expo New York will take place on June 6-8, 2017, at the Javits Center in New York City, New York, and @DevOpsSummit at Cloud Expo Silicon Valley will take place Oct. 31-Nov. 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, Cloud Expo and @ThingsExpo are two of the most important technology events of the year. Since its launch over eight years ago, Cloud Expo and @ThingsExpo have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, I provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading the...
TechTarget storage websites are the best online information resource for news, tips and expert advice for the storage, backup and disaster recovery markets. By creating abundant, high-quality editorial content across more than 140 highly targeted technology-specific websites, TechTarget attracts and nurtures communities of technology buyers researching their companies' information technology needs. By understanding these buyers' content consumption behaviors, TechTarget creates the purchase inte...