Saturday 2 June 2012

Big Security challenges with creating APIs for US Gov agencies

So Barack Obama Directs All Federal Agencies to Have an API 

Here is the White House memo (pdf) which mandates the implementation of "Digital Government: Building a 21st Century Platform to Better Serve the American People" (pdf).

The good news is that at least security and privacy seem to be taken into account (with their own chapter and focus).

I haven't read the document in full, but after a skim it looks like there is more focus on the non-secure-application-development 'security side' of these APIs.

And this could be an issue, since creating APIs is usually done by exposing internal systems or WebServices, which will now need a much higher level of security than before (when they were connected to a much less hostile environment).
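To make the point above concrete, here is an added illustration (not code from the post or from any government system) of what "exposing an internal WebService" changes. The first handler stands for a service that lived on a trusted network and took the caller's identity from a request header; the second is the same endpoint hardened for untrusted callers with a signed, expiring bearer token, a request rate limit and strict input validation. The request shape, the token format, `DEMO_SECRET` and the handler names are all assumptions made for this example.

```python
import hashlib
import hmac
import re
import time
from collections import defaultdict, deque

# Constructed demo secret; a real deployment would load it from a secret store.
DEMO_SECRET = b"constructed-demo-secret"


def internal_handler(request):
    """Handler as it might have looked on a trusted internal network:
    the caller's identity is read straight from a header, because every
    caller was assumed to be a trusted internal system. Anyone who can
    reach the endpoint can claim any identity."""
    user = request["headers"].get("X-User-Id", "anonymous")
    record_id = request["params"].get("id", "")
    return {"status": 200, "body": f"record {record_id} for {user}"}


def make_token(secret, user, expires_at):
    """Mint a demo bearer token of the form user:expiry:HMAC-SHA256(user:expiry)."""
    msg = f"{user}:{expires_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user}:{expires_at}:{sig}"


class PublicHandler:
    """The same endpoint hardened for exposure to an untrusted network."""

    def __init__(self, secret, rate_limit=5, window_seconds=60):
        self.secret = secret
        self.rate_limit = rate_limit
        self.window = window_seconds
        self._calls = defaultdict(deque)  # user -> timestamps of recent calls

    def _verify_token(self, token, now):
        """Return the user named in a valid, unexpired token, else None."""
        parts = token.split(":")
        if len(parts) != 3:
            return None
        user, expires_at, sig = parts
        if not expires_at.isdigit() or int(expires_at) < now:
            return None
        msg = f"{user}:{expires_at}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison so signature checking does not leak timing.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        return user

    def _within_rate_limit(self, user, now):
        """Sliding-window limit: at most rate_limit calls per window per user."""
        calls = self._calls[user]
        while calls and calls[0] <= now - self.window:
            calls.popleft()
        if len(calls) >= self.rate_limit:
            return False
        calls.append(now)
        return True

    def handle(self, request, now=None):
        now = int(time.time()) if now is None else now
        auth = request["headers"].get("Authorization", "")
        if not auth.startswith("Bearer "):
            return {"status": 401, "body": "missing bearer token"}
        user = self._verify_token(auth[len("Bearer "):], now)
        if user is None:
            return {"status": 401, "body": "invalid or expired token"}
        if not self._within_rate_limit(user, now):
            return {"status": 429, "body": "rate limit exceeded"}
        # Validate the parameter against an allow-list pattern before any use.
        record_id = request["params"].get("id", "")
        if not re.fullmatch(r"[0-9]{1,10}", record_id):
            return {"status": 400, "body": "id must be 1-10 digits"}
        return {"status": 200, "body": f"record {record_id} for {user}"}
```

The ordering inside `handle` is deliberate: authentication first, then rate limiting keyed on the verified identity, then input validation, so that unauthenticated traffic never reaches the parsing or data layer and one caller cannot exhaust the service for others.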

I also like the use/focus on Privacy, since that will be a good way to drive coding and application changes.

This is a great opportunity for the OWASP community to be involved, since there are going to be a lot of API developers out there who could do with some help.