Can Bluemix help API Harmony be a trusted source?

The emphasis here is on trusted. The lack of a proven security assessment of APIs raises a lot of concern over how to trust them. With API Harmony suggesting solutions to IBM Bluemix users, the question is what IBM is going to do to assure customers. For example, if IBM is going to suggest APIs to customers, it is likely that those APIs will be seen as ‘IBM approved’.

To earn that trust, IBM needs to show that it is examining and checking every API to be sure that it is secure. After the rash of open source APIs that have been shown to be insecure lately, this is a serious issue. We asked IBM a number of questions about what it was planning to do:

  • How is IBM doing security validation on the APIs? For example, is it doing a full security scan on the APIs before they are added to Bluemix?
  • Is there a set of requirements for third-party API vendors to meet before submitting an API?
  • At what point will you require security scans to reassure potential users of the APIs that they are safe to use?
  • Will you be adding an “approved by IBM” tag to the APIs to prove that they are secure?
Arjun Natarajan, Distinguished Engineer; API Economy and Solution Ecosystem, IBM

We emailed these questions over to IBM and got the following response from Arjun Natarajan, Distinguished Engineer; API Economy and Solution Ecosystem:

“API Harmony is a cognitive API advisor that makes API recommendations to help application developers easily find and use “compatible” APIs best suited for their application. A smart, contextual search for APIs.

 “API Harmony is available as a Bluemix service and is built around an API data set and a cognitive engine. Note that the APIs in API Harmony themselves are not added to Bluemix, though of course, Bluemix services with APIs will probably be available in API Harmony (e.g., Watson offerings).

 “API Harmony analytics and recommendations will continue to become increasingly sophisticated as new data points are ingested and analyzed – new data on APIs, usage, etc.

 “The vision is to build a robust set of public APIs through open and community driven efforts like the Open API initiative that we’re also announcing. In addition we expect to harvest APIs from public sources and allow self-registration.

 “Registering an API requires a minimum amount of information like API name, URL to API, description, endpoints, data formats, security protocols. Providing additional information like cost, SLAs, etc. allows users of API Harmony to make more informed choices.

 “Again, API Harmony represents APIs from multiple service providers and we use meta information about the APIs to navigate them and make recommendations. An app developer would need to work out consumption terms with the API provider.”

Sadly, Natarajan chose not to answer our questions on security. This is disappointing, as the questions were clear and easy to answer. Before customers start to rely on API Harmony, IBM needs to make sure that it deals with the issue of API security in order to reassure customers.

Conclusion

The announcement of API Harmony and its ability to find APIs to speed up development is a great idea by IBM. The fact that it can be carried out under the IBM API Management tools means that customers should be able to limit the risk from the APIs that are suggested.

For customers using Bluemix Local this will be good news, as they can develop and even socialise their own APIs for internal use. They could also make those APIs available to line-of-business customers who want to integrate their applications with those used by the enterprise.

The fact that IBM are a founding member of Swagger is exciting although it will be interesting to see just how quickly it exposes APIs to all of its applications. This will be a key proof point for IBM’s commitment to the API Economy.

Before any of this can happen, however, IBM needs to answer the questions over security of APIs that we asked it and prove that API Harmony will not expose the enterprise to security risks.
