How to handle challenges with API security and efficiency

Apigee CTO Greg Brail discusses how to address key problems with API security when working with the technology.

Many companies are exposing their application program interfaces (APIs) to existing partner firms, internal software developers and customers, but this approach only scratches the surface of what can be done with the technology, according to Apigee Chief Architect Greg Brail. The big payoff in business transformation, value and innovation lies in exposing APIs to people with whom they don't have relationships to get new customers and partners and unleash third-party innovation on their platforms.


"Exposing APIs dovetails with the fact that everything in the world is connected to the Internet," said Brail, co-author of the book APIs: A Strategy Guide. "APIs are the conduit to every person, every cloud service and every device communicating with each other."

Behind the scenes, APIs provide the communication layer that speeds application modernization, Brail said. In this interview, he explains APIs' role in business transformation and gives advice on handling the key problems -- including API security, accessibility and efficiency.

How are you seeing application development teams use APIs in business transformation and application modernization?

Greg Brail: APIs can make your business transformation happen faster by finding a consistent and safe way to expose internal systems and data to devices that are outside the private network. Nowadays, you can build mobile apps and apps that run on gaming systems, cars and more. Once you have those APIs available, building those apps becomes a matter of building a user interface as opposed to integrating with all these different internal systems. The API enables digital transformation as a layer in front of the legacy application.

The good news is that the Web services movement spurred growing Web services on legacy applications. So, it's less typical nowadays to find legacy apps that don't have a Web services layer. In application modernization, you can deploy an API in front of it. The API tier is handling things like security and caching, hiding the details of that legacy system from the devices and apps that are talking to the API. And then, when the time comes if you want to make a change, you change the API tier and don't have to rewrite all of your code.

When creating APIs, what is the first challenge developers face?


Brail: If a company wants to use APIs to build internal apps, to talk to third-party developers, to talk to customers, the first challenge is how to design an API to be as accessible to the developers as possible. The API has to be well documented and easy to learn and use.

Generally, the pragmatic REST (representational state transfer) design principles serve well in these areas, better than coming up with a unique design. REST provides a pattern, one that developers can look at and understand how the API functions. Also, create documentation for on-boarding developers. Allow them to click a button on a Web page and get a credential to access the app, rather than having to track down the phone number of the one person who can help them.

How do developers make sure that an API enables applications to be fast enough so that the end user gets a good experience?

Brail: Efficiency is critical, especially if we're talking about mobile devices. Let's say a company may have internal systems that push a whole lot of information about, but only 75% or 80% of that information might be relevant to the mobile device. There's no sense in sending all that over a slow telco network. Most successful API providers actually have a separate API for each device, one that is completely optimized to give minimum latency and minimum amount of CPU usage on the device. The key is to send back to that device only what it needs to present the best user experience.

What are some API security concerns when businesses expose internal applications to the Internet?

Brail: You can say, "Oh, these are private apps. These are internal apps." Today, though, even internal apps tend to run over the public Internet. There are VPN (virtual private network) solutions out there for mobile devices that connect to the enterprise; but there are cost and complexity barriers to VPN entry. Increasing numbers of companies are not bothering with them.

The common mistake is thinking that it's OK that internal apps run over the Internet, because the internal network is secure. That hasn't been true since the '90s, since the first Windows worm.

To secure APIs, encryption is needed in the right places. Make sure you're using an authentication mechanism that makes sense for mobile devices and APIs. Make sure to use measures like rate limits and threat detection checks to make sure that apps are acting within their bounds, not having unusual traffic patterns or being compromised.
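One way to put the rate limits and per-credential traffic checks described above in front of an API, as an added example that is not from the interview or from Apigee's products; the app keys, endpoint paths and access records are constructed for illustration:

```python
from collections import defaultdict, deque

# Constructed sample of API gateway access records: (timestamp_s, app_key, path).
# The hypothetical "app-b" credential behaves normally, then starts hammering
# an endpoint it had never used before, the pattern of a compromised app.
SAMPLE_LOG = [
    (0, "app-a", "/v1/account"), (5, "app-a", "/v1/orders"),
    (10, "app-b", "/v1/account"), (20, "app-b", "/v1/account"),
    (30, "app-b", "/v1/account"), (31, "app-b", "/v1/admin/users"),
    *[(32 + i * 0.1, "app-b", "/v1/admin/users") for i in range(60)],
]

class AppPolicy:
    """Per-credential sliding-window rate limit plus a learned baseline of the
    endpoints each app credential uses; later deviations are flagged."""

    def __init__(self, max_requests, window_s, baseline_period_s):
        self.max_requests = max_requests
        self.window_s = window_s
        self.baseline_period_s = baseline_period_s
        self.hits = defaultdict(deque)        # app_key -> request timestamps in window
        self.known_paths = defaultdict(set)   # app_key -> endpoints seen during baseline
        self.first_seen = {}                  # app_key -> timestamp of first request

    def check(self, ts, app_key, path):
        """Return the findings for one request; an empty list means within bounds."""
        findings = []
        q = self.hits[app_key]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop requests outside the window
            q.popleft()
        if len(q) > self.max_requests:
            findings.append("rate_limit_exceeded")
        self.first_seen.setdefault(app_key, ts)
        if ts - self.first_seen[app_key] <= self.baseline_period_s:
            self.known_paths[app_key].add(path)  # still learning this app's footprint
        elif path not in self.known_paths[app_key]:
            findings.append("unseen_endpoint")
        return findings

def evaluate(records, max_requests=20, window_s=10, baseline_period_s=20):
    """Run every record through the policy and collect findings per app credential."""
    policy = AppPolicy(max_requests, window_s, baseline_period_s)
    summary = defaultdict(set)
    for ts, app_key, path in records:
        for finding in policy.check(ts, app_key, path):
            summary[app_key].add(finding)
    return {k: sorted(v) for k, v in summary.items()}

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

In a gateway the findings would feed a block or throttle decision and an alert; here they are just returned so the logic can be inspected.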

What are some use cases you've seen in using APIs for streamlining communications with customers and suppliers?

Brail: In telcos, one company has, for some years now, a very successful API program for communicating with their suppliers and customers, and for letting those suppliers and customers communicate with them. With large telco retailers, you go to a store and buy something. The retailer has to contact the telco and do some provisioning of your phone. In many cases, that happens via an API that the telco has exposed to the retailer. That's one example almost everyone can relate to.

Jan Stafford plans and oversees strategy and operations for TechTarget's Application Development Media Group. She has covered the computer industry for the last 20-plus years, writing about everything from personal computers to operating systems to server virtualization to application development.


This was first published in March 2014
