It is said that the heart always flies further and faster than the mind. Perhaps that phrase is too poetic if you want to talk about APIs, but in fact something similar happens with technology and security: the former always flies further and faster than the latter. And there’s almost always a price to be paid. Today nearly everyone talks about the Internet of Things, connected objects and APIs, but rather less about the security needed in this development and business environment.
Some professionals linked to the API economy have been talking for some time about the fact that opening up data and using open application development interfaces could help the development of secure environments by opening up the field so that more eyes can discover errors, anticipating them or resolving them in time. Among them is Kin Lane, one of the most important evangelists on the planet of the use of open APIs. His time sleeping in airports during his trips from one city to another are behind him. He is now supported by companies such as 3scale, Restlet and WS02, three players in the world of APIs, the Internet of Things and development.
He has always established a parallelism between the SDK (software development kits) for hardware and APIs, such as those for the Internet of Things market. After all, application development interfaces are like special SDKs. The problem is that if there is a security or operations fault in an SDK, its effect on an application is resolved with an update and a download, which could cost 2 or 3 euros or be completely free. In a connected object, an error in an API could bring disaster to a much more expensive investment. The room for maneuver is far from being the same.
Spaces for open APIs
The alliance between Lane and 3scale is leading major progress in boosting open APIs. Lane not only gives talks on his evangelizing mission, he also heads up interesting projects within the open API ecosystem, which in many cases improve the security of the final projects. One example is API Commons, a platform on which any developer can put his API under a Creative Commons License (CC BY-SA o CC0) so that other professionals can use it freely and improve it if they wish to.
The other two most important projects are:
– APIs.json: a format for documenting APIs (licenses, prices, policies and technical and business specifications). It is a simple way of facilitating the initial work for developers who aim to use an API to develop an application or to connect objects within the IoT. There is an obvious parallelism between APIs.json and the sitemap.xml of a website. Lane and 3scale have their own generator of API.json formats for APIs.
– APIs.io: a great search engine for APIs on the web. There is now a repository with a volume of 1,029 APIs. Of course, each of these APIs is described through an API.json format.
Security protocols: OAuth2
OAuth2 is a framework for creating protocols, rather than a protocol in itself. Companies such as Google, Facebook, Microsoft and Twitter area already using OAuth2 as an authorization and security system for third-party use of their APIs. The normal protocols when a company develops an API are an API key or typical credentials such as username and password. These types of resources have some security problems, for example, in single page applications (SPA) based on the server side. In these cases, any developer can access the credentials from the browser: it’s a gateway.
OAuth2 allows third parties to connect to an app’s data without the need to have user credentials and a password. Of course, this full or partial access to data may be revoked at any time because access privileges, like user roles, can be modified. The OAuth2 security system is based on what is known as an access token and allows interaction with own systems without having to make these credentials available.
Is OAuth2 a system without security risks? Obviously not. In fact, the level of security offered by OAuth was the cause of a dispute with Eran Hammer, one of the creators of the specification. Hammer claimed at the time that OAuth2 was “more complex and incomplete” and “less secure, interoperable and useful” than OAuth1, above all in native mobile applications, and that is the reason for his break with the IETF group, which is basically responsible for the OAuth2 project. The starting point with this protocol is limited, and if a team of developers wants to use it to provide access to its API, ideally they should have a security expert available.
Advantages of OAuth2
A system using credentials has some problems compared with OAuth2:
– A project based on user credentials and a password needs servers to support password identification. In the case of OAuth, the server using authentication by an access token may be different from the server that stores the protected resources for their use.
– With this security system, the access of third-party applications to resources is too wide-ranging, which greatly weakens the protection and security position of the owner of the API and the data. Unfortunately, it is not possible to limit access either in terms of duration or volume.
– If you want to revoke access to a third party, you must restrict it to all third-party applications that work with the API because it is only possible to restrict access with a change of password. In the case of OAuth, each user has an access token that may be revoked or restricted individually, without this affecting the rest.
The cash flow and payment management departments must consider the way in which payments to suppliers are made, because each type of payment has its own advantages or is better suited to the company’s strategy, the relationship with the supplier, or the respective needs of both. Far from being a trivial matter, choosing the payment […]
Businesses, from self-employed to SMEs and large companies, need financing solutions that suit their needs. Leasing is a method that can optimize the use of resources and which combines business liquidity (or lack of) with the use of assets. What is leasing and how does it work? Leasing is a financing method by which a […]
An API is a very useful mechanism that connects two pieces of software equipment to exchange messages or data in a standard format such as XML or JSON. Thus, it becomes an instrument that can be used to search for revenue, open the doors to talent or innovate and automate processes.
Please, if you can't find it, check your spam folder
×
The email message with your ebook is on the way
We have sent you two messages. One with the requested ebook and one to confirm your email address and start receiving the newsletter and/or other commercial communications from BBVA API_Market
×
PROCESSING OF PERSONAL DATA
Who is the Data Controller of your personal data?
Banco Bilbao Vizcaya Argentaria, S.A. (“BBVA“) with registered address at Plaza de San Nicolás 4, 48005, Bilbao, España and Tax ID number A-48265169 . Email address: contact.bbvaapimarket@bbva.com
What for and why does BBVA use your personal data for?
For those activities among the following for which you give your consent by checking the corresponding box:
to receive newsletter from BBVA API_Market through electronic means;
to send you commercial communications, events and surveys relating to BBVA API_Market to the e-mail address you have provided.
For how long we will keep your data?
We will keep your data until you unsubscribe from receiving our newsletter or, if applicable, the commercial communications, events and surveys to which you have subscribed. Whether you unsubscribe or whether BBVA decides to end the service, your details will be deleted.
How can I unsubscribe to stop receiving newsletters and/or communications from BBVA API_Market?
You can unsubscribe at any time and without need to indicate any justification, by sending an email to the following address: contact.bbvaapimarket@bbva.com
To whom will we communicate your data?
We will not transfer your personal data to third parties, unless it is mandatory by a law or if you have previously agreed to do so.
What are your rights when you provide us with your information?
You will be able to consult your personal data included in BBVA files (access right)
You can modify your personal data when they are inaccurate (correction right)
You may request that your personal data not be processed (opposition right)
You may request your personal data be deleted (suppression right)
You can request a limitation on the processing of your data in the allowed cases (right of limitation of processing)
You will be able to receive, in electronic format, the personal data you have provided to us, as well as to transmit them to another entity (portability right)
You are responsible for the accuracy of the personal data you provide to BBVA and to keep them duly updated. If you believe that we have not processed your personal data in accordance with regulations, you can contact the Data Protection Officer of BBVA at the following address dpogrupobbva@bbva.com.
You can find more information in the “Personal Data Protection Policy” document on this website.
×
PROCESSING OF PERSONAL DATA
Who is the Data Controller of your personal data? Banco Bilbao Vizcaya Argentaria, S.A (“BBVA“), with registered address at Plaza de San Nicolás 4, 48005, Bilbao, España, and Tax ID No. A-48265169. Email address:contact.bbvaapimarket@bbva.com
What for and why does BBVA use your personal data for?
For the execution and management of your request, specifically, download the requested e-book/s.
BBVA informs you that, unless you indicate your opposition by sending an email to the following address: contact.bbvaapimarket@bbva.com, BBVA may send you commercial communications, surveys and events related to products and/or services of BBVA API Market through electronic means.
For how long we will keep your data?
We will keep your data as long as necessary for the management of your request, and to receive commercial communications, events and surveys. BBVA will keep your data until you unsubscribe to stop receiving our newsletters or, where appropriate, until the end of the service. Afterwards, we will destroy your data.
How can I unsubscribe to stop receiving newsletters and/or communications from BBVA API Market?
You can unsubscribe at any time and without need to indicate any justification, by sending an email to the following address: contact.bbvaapimarket@bbva.com
To whom will we communicate your data?
We will not transfer your personal data to third parties, unless it is mandatory by a law or if you have previously agreed to do so.
What are your rights when you provide us with your information?
You will be able to consult your personal data included in BBVA files (access right)
You can modify your personal data when they are inaccurate (correction right)
You may request that your personal data not be processed (opposition right)
You may request your personal data be deleted (suppression right)
You can request a limitation on the processing of your data in the allowed cases (right of limitation of processing)
You will be able to receive, in electronic format, the personal data you have provided to us, as well as to transmit them to another entity (portability right)
You can exercise before BBVA the aforementioned rights through the following address: contact.bbvaapimarket@bbva.com
You are responsible for the accuracy of the personal data you provide to BBVA and to keep them duly updated.
If you believe that we have not processed your personal data in accordance with the regulations, you can contact the Data Protection Officer at the following address: dpogrupobbva@bbva.com
You can find more information in the “Personal Data Protection Policy” document on this website.
Banco Bilbao Vizcaya Argentaria, S.A. owner of this portal uses cookies and/or similar technologies of its own and third parties for the purposes of personalization, analytics, behavioral advertising or advertising related to your preferences based on a profile prepared from your browsing habits (e.g. pages visited). If you wish to obtain more detailed information, consult our Cookies Policy.
Cookie settings panel
These are the advanced settings for first-party and third-party cookies. Here you can change the parameters that will affect your browsing experience on this website.
Technical Cookies (required)
These cookies are used to give you secure access to areas with personal information and to identify you when you log in.
Name
Owner
Duration
Description
gobp.lang
BBVA
1 month
Language preference
aceptarCookies
BBVA
1 year
Configuration Accepted Cookies
_abck
BBVA
1 year
Helps protect against malicious website attacks
bm_sz
BBVA
4 hours
Helps protect against malicious website attacks
ADRUM_BTs
Salesforce Marketing Cloud
Session
Required for monitoring of the service, inherent to SFMC
ADRUM_BT1
Salesforce Marketing Cloud
Session
Required for monitoring of the service, inherent to SFMC
ADRUM_BTa
Salesforce Marketing Cloud
Session
Required for monitoring of the service, inherent to SFMC
ADRUM_BT
Salesforce Marketing Cloud
Session
Required for monitoring of the service, inherent to SFMC
xt_0d95e
Salesforce Marketing Cloud
Session
Remember user preferences (if any)
__s9744cdb192d044faa1bf201d29fafd1e
Salesforce Marketing Cloud
Session
Remember user preferences (if any)
wpml_browser_redirect_test
WPML
Session
Text translation in the portal
wp-wpml_current_language
WPML
24 hours
Text translation in the portal
They are used to track the activity or number of visits anonymously. Thanks to them we can constantly improve your browsing experience
Your browsing experience is constantly improving.
With your selection, we cannot offer you a continuously improved browsing experience.
Name
Owner
Duration
Description
AMCV_***
Adobe Analytics
Session
Unique Visitor IDs used in Cloud Marketing solutions
AMCVS_***
Adobe Analytics
2 years
Unique Visitor IDs used in Cloud Marketing solutions
demdex (safari)
Adobe Analytics
180 days
Create and store unique and persistent identifiers
sessionID
Adobe Analytics
Session
Launch's internal cookie used to identify the user
gpv_URL
Adobe Analytics
Session
Adobe Analytics plugin: getPreviousValue Capture the value of a certain variable in the following page view, in this case the prop1
gpv_level1
Adobe Analytics
Session
Cookie used to store the DataLayer levl1 of the previous page.
gpv_pageIntent
Adobe Analytics
Session
Cookie used to store the pageIntent of the previous page.
gpv_pageName
Adobe Analytics
Session
Cookie used to store the pagename of the previous page.
aocs
Adobe Analytics
Session
Cookie that stores the first values collected at the beginning of a process.
TTC
Adobe Analytics
Session
Cookie used to store the time between the App Page Visit event and the App Completed event.
TTCL
Adobe Analytics
Session
Cookie used to store the time between the LogIn event and App Completed.
s_cc
Adobe Analytics
Session
Determine if cookies are active
s_hc
Adobe Analytics
Session
Cookie used by Adobe for analytical purposes
s_ht
Adobe Analytics
Session
Cookie used by Adobe for analytical purposes
s_nr
Adobe Analytics
2 years
Determine the number of user visits
s_ppv
Adobe Analytics
Permanent
Adobe Analytics plugin: getPercentPageViewed Determine what percentage of the page a user views
s_sq
Adobe Analytics
Session
ClickMap/ActivityMap features
s_tp
Adobe Analytics
Session
Cookie used by Adobe for analytical purposes
s_visit
Adobe Analytics
2 years
Cookie used by Adobe to know when a session has been started.
They allow the advertising shown to you to be customized and relevant to you. Thanks to these cookies, you will not see ads that you are not interested in.
The advertising is customized to you and your preferences.
Your choice means you will not see customized ads, only generic ones.
Name
Owner
Duration
Description
OT2
VersaTag
90 days
VersaTag Cookie used to store a user id and the number of user visits.
u2
VersaTag
90 days
VersaTag Cookie where the user ID is stored
TargetingInfo 2
MediaMind
1 year
Cookie that serves to assign a unique random number that generates MediaMind.
These cookies are related to general features such as the browser you use.
Your experience and content have been customized.
With your selection, we cannot offer you a continuously improved browsing experience.
Name
Owner
Duration
Description
mbox
Adobe Target
9 days
Cookie used by Adobe Target to test user experience customization.
×
Looks like you’re browsing from Mexico, so let’s show you the custom content for your
location. Change
Looks like you’re browsing from Spain, so let’s show you the custom content for your
location. Change
Select a country
In order to access the private area and corresponding sandbox, select the country of the APIs you want to use.