APIs are the key to enabling applications to communicate, share information and work together. However, securing APIs and providing the best experiences to users, continue to challenge ISVs and software developers. Ryan Breen, Director of API Management at Cimpress, says in 2020, progress will be made toward new tools that can facilitate API authentication, authorization and security. Breen says to watch for these two advancements:
Prediction: SaaS solutions will provide authorization and API delivery options for businesses that want to bring microservices APIs directly to their customers.
Breen says, “It’s no surprise that Amazon, which builds each component of AWS as a microservice directly addressable by customers, is the closest solution I’ve found. You can write custom authorizers that take in OAuth bearer tokens and convert these into access decisions based on IAM policies. This is really slick stuff, but it does require a lot of configuration and customization on the part of the AWS customers.”
“I think the market need is great enough that someday we’ll see a standards-based, resource-aware API authentication and authorization product from Amazon delivered as a first-class, named product, not an orchestration tucked away in a tutorial,” he says.
Prediction: Browser vendors will start adding mechanisms to secure localStorage.
Breen says it’s recommended, instead, to use HTTP cookies to convey this authentication information as 20 years of incremental security enhancements from the browser community have gradually buttressed cookies from cross-site scripting and cross-site request forgery attacks.”
“For all these reasons, I believe that in 2020 — or, at least, the 2020s — browser vendors will begin rolling out mitigations to help secure localStorage, adding in the moral equivalent of all the mechanisms cookies have been gifted over the last 20 years,” Breen says. “Cookies started out with many of the same security vulnerability localStorage originally had, and only through bolt-ons like the Secure, HttpOnly, and SameSite flags have they acquired all the properties that make them a better choice than localStorage for JWTs. There’s no reason, other than time and energy, why localStorage couldn’t be similarly secured by adding new mechanisms to declare which scripts should be allowed to read and write which values in the store.”