1. API Security Maturity Model
Concepts
Introducing The API Security Maturity Model
by Kristopher Sandoval
Originally Published Here
are, whether to trust you, and whether you can do what you claim to do? That's the idea behind the API Security Maturity Model. Today, we're going to dive into this model and look at the fundamental approach to security that it offers.
ciency. The API Security Maturity Model, like the Richardson Model, moves from the lowest maturity level to the highest and can be considered akin to a playbook for how to progress into a secure platform deployment.
With this in mind, let's take a look at the specific levels of the API Security Maturity Model, starting with the lowest maturity level and moving towards the highest.
Level 0 is really just the starting point for most security, and as a result, predictably, it's quite basic in nature – everything in the rest of this model quite literally builds on top of the basic authentication systems and the API keys that interact with them here. Authentication at this level is based upon the notion that whoever has the key must have it because it's their key, and thus, their activity is valid. This "authentication" is then carried
While this might seem like a perfect fix for our security concerns in previous levels, there are a few significant reasons that this is still not enough. First and foremost, we must ask ourselves one question – who do we trust? These systems are designed to be authoritative, and as such, the token systems that come from them must be impervious and trustworthy in order for us to consider their tokens as evidentiary.
Additionally, we must ask ourselves about how data gets handled in transit. These tokens get passed forward, and as they do, they collect more and more data. Accordingly, we must ask what data is being added, and by whom. If we can't know for sure that the data we're handling is, in fact, the same as when it was issued, we lose a significant amount of trust in the data as a core value.
Attribute:
  publisher: Nordic_APIs_Author1
  publish_Date: 12/1/2019

Claim:
  Nordic APIs say:
    The publisher is Nordic_APIs_Author1.
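The two passages above make one point between them: a bare attribute is just data that anyone can present, while a claim is an issuer's assertion about that data, and a downstream service can only trust a claim if it can check that nothing was changed after issuance. The following Python example is added here to show that difference concretely; it is not code from the article or from Nordic APIs. It uses a symmetric HMAC over a JSON payload purely to keep the example dependency-free (a real deployment would use signed JWTs or similar with asymmetric keys); the issuer name, the key value, the token format and the forward_with_extra_data helper that simulates a hop appending data are all constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed issuer key for the demo only; a real issuer would keep this in a KMS
# or, better, sign with a private key so verifiers never hold a signing secret.
ISSUER_KEY = b"nordic-apis-demo-issuer-key"

# The bare attributes from the article's example: nothing here says who vouches for them.
ATTRIBUTES = {"publisher": "Nordic_APIs_Author1", "publish_Date": "12/1/2019"}


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used in JWT-style tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore padding and decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(payload: dict) -> bytes:
    """Deterministic JSON so issuer and verifier MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_claim(issuer: str, attributes: dict, key: bytes) -> str:
    """Turn attributes into a claim: '<issuer> says: <attributes>', bound by a MAC.

    The MAC is what lets a later hop tell that the data is the same as when issued.
    """
    body = _canonical({"iss": issuer, "attributes": attributes})
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_claim(token: str, key: bytes) -> Optional[dict]:
    """Return the claim payload if the MAC matches, else None.

    None covers every failure mode a verifier cares about: malformed token,
    wrong issuer key, or payload modified in transit.
    """
    try:
        body_b64, tag_b64 = token.split(".")
        body = _unb64(body_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def forward_with_extra_data(token: str, extra: dict) -> str:
    """Simulate a downstream hop that 'collects more data' by editing the payload
    without the issuer re-signing it (constructed for the demo)."""
    body_b64, tag_b64 = token.split(".")
    payload = json.loads(_unb64(body_b64))
    payload["attributes"].update(extra)
    return _b64(_canonical(payload)) + "." + tag_b64


# A claim as the article describes it: "Nordic APIs say: the publisher is Nordic_APIs_Author1."
EXAMPLE_TOKEN = issue_claim("Nordic APIs", ATTRIBUTES, ISSUER_KEY)


if __name__ == "__main__":
    print("bare attributes (no issuer, nothing to verify):", ATTRIBUTES)
    print("verified claim:", verify_claim(EXAMPLE_TOKEN, ISSUER_KEY))
    altered = forward_with_extra_data(EXAMPLE_TOKEN, {"reviewed_by": "Some_Service"})
    print("claim after a hop appended data:", verify_claim(altered, ISSUER_KEY))
    print("claim checked with the wrong key:", verify_claim(EXAMPLE_TOKEN, b"other-key"))
```

Run as a script, the verified claim prints with its "iss" field, while the altered token and the wrong-key check both come back as None: the verifier can answer the article's question ("is this the same data as when it was issued, and who says so?") only for the claim, never for the bare attributes.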
Conclusion
Security is not a "one size fits all" equation, but the fundamental requirements of the system are nonetheless quite universal. The need to prove that people are who they say they are, and the need to control access, are fundamental concerns for the modern web and the systems that drive it. Accordingly, choosing the correct approach for your given security flow is paramount to successful communication.