The Security Tools for App Development - STAnD - is a new plug-in that helps application programming interface (API) developers make their APIs secure. It does this by providing a managed security service capable of identifying potential vulnerabilities, together with a catalogue of code hardening techniques that help reduce their exploitation. While tools already exist to secure APIs, none has so far been available for ensuring their secure usage in application creation. STAnD is the outcome of EIT Digital’s new API Assistant Innovation Activity.
Companies are building more and more APIs with mobile applications as the primary use case. As the APIs define the methods of communication between various software components, they are critical to the performance, reliability and user experience of all applications. API development has correlated directly with application development. The API-powered traffic almost tripled from 2014 to 2016 and the growth has not shown any signs of slowing down (The” State of APIs 2016” report by the Apigee Corporation).
Silvio Ranise, the Innovation Activity Leader, says:
“We are in the midst of a digital revolution, where enterprises build APIs to grow their digital business. Those looking to monetise their APIs must ensure that they are easy to use, scalable, and secure. The fact that most companies make their APIs open, as to make it easy for various vendors’ applications to interact with each other, makes the issue of security even more burning. Most application developers are not API security experts, and, to make the situation even more complex, some security issues cannot be tackled at the API layer but must be taken care of in each application using the APIs."
API security is critical to gaining and maintaining users' trust for digital services. This is particularly true in digital health and finance, with the introduction of new legal provisions such as the European Union’s General Data Protection Regulation (GDPR). Given the ubiquity of API-based applications, hackers are increasingly interested in exploiting vulnerabilities derived from wrong API usage in application development.
While tools exist to secure APIs, none has so far been available for ensuring the secure, managed use of APIs in application development. The STAnD plug-in is the EIT Digital "API Assistant" Innovation Activity's response to this need. It will support the secure development of mobile applications and their security assurance as a service.
Silvio Ranise continued:
“STAnD helps API developers to mitigate threats and guarantee legal compliance of mobile applications based on their APIs. It does this by identifying potential vulnerabilities and providing a catalogue of code hardening techniques that help reduce their exploitation. In this way, it reduces financial losses due to cyber-attacks and further promotes the API economy. By stimulating interoperability and exchange of information, STAnD helps to improve privacy and compliance with legal provisions.”
Silvio Ranise believes there is a genuine market demand for STAnD as it is estimated that almost half of all application providers are burdened by maintaining more than 100 APIs, even though a similar number have been developing APIs for no more than five years – and one fifth for only two years.
STAnD looks for a commercial launch in Italy by the end of 2018, followed by Spain and Germany in 2019.
API Assistant is one of EIT Digital’s 10 Digital Infrastructure Action Line's Innovation Activities of 2018. The Digital Infrastructure Action Line focuses on enabling digital transformation by providing secure, robust, responsive, and intelligent communications and computation facilities for markets.
The leader of the API Assistant Innovation Activity is the Italian non-profit public interest research entity Fondazione Bruno Kessler (FBK), which is also responsible also for identity management within the project. The other EIT Digital partners participating are the international financial industry specialist GFT Technologies (business champion and system integrator), the Technical University of Berlin (code analysis and security analysis of API usage), and Poste Italiane (fintech business case with an app developed using the API Assistant).