The social network's new API shows uncommon attention to security basics, says Pete Soderling of Stratus Security Technologies

By Pete Soderling

LinkedIn's new API is a big deal. Why? Because LinkedIn's members are established professionals, and many of them pay for their membership. Privacy and control over their personal information and image are important to their professional well-being. Therefore, the security considerations around the API look a lot more like enterprise API concerns than most.

In that light, I took a closer look at LinkedIn's API. It's apparent that the company took significant steps to provide for basic API security. Here are some of those steps:

Authentication: Upon applying for a key, LinkedIn spits back out both an API key and a secret. (At first sight, both look to be of sufficient length to be cryptographically secure, although we didn't attempt to prove this.) Compared to the common practice of the day, which is to issue an API key only, it's significant that LinkedIn is providing a key/secret pair for additional security. Good thing — since their API is writable!

Authorization: LinkedIn has implemented OAuth, which allows sites to securely implement delegated authorization. OAuth is complicated, but basically it allows a third-party site — where an app built against the LinkedIn API will live — to make requests on behalf of a registered LinkedIn user without the third-party site itself being able to "see" the user's credentials.

Privacy: LinkedIn has a significant "anti-harvesting" feature built into its API: it only allows you to get profile information for friends that are directly connected to you. This means that you can't use the API to crawl networks of second- or third-level contacts in order to build your own repository of LinkedIn user data. LinkedIn is also not providing users' emails via the API.

It's very important for LinkedIn to take the security of its API seriously, given the amount of private information it has collected from millions of users. Furthermore, the LinkedIn API allows 'writes' back to its platform — notably in the case of status updates, in which third-party developers can update or delete data on the core platform.

LinkedIn has obviously given security issues a lot of thought, from both an API policy perspective and the implementation of actual security controls. But security isn't easy, especially when a business wants to make an API open *and* still keep it reasonably secure. The two years that transpired between the announcement of the LinkedIn API and its actual launch yesterday are proof that securing APIs isn't as easy as falling off a log. It takes a lot of time and familiarity with application security best practices to get it right.

Pete Soderling is CEO at API management company Stratus Security Technologies.
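The Authentication and Authorization points above come down to one mechanism: a secret that the client uses to sign each request but never transmits, which the server can check because it holds its own copy. The example below, written for this article and not LinkedIn's own code or API, implements the HMAC-SHA1 signature method of OAuth 1.0 (RFC 5849, section 3.4) on both sides and shows what the server rejects: a request whose parameters were altered after signing, an exact replay, and a request with a stale timestamp. The endpoint URL, the consumer key and secret, the in-memory credential registry and the 300-second clock window are constructed assumptions, not values from LinkedIn's documentation.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (RFC 5849, section 3.4).
The secret is an input to the HMAC only; it never appears in the request.

Added example for this article; not LinkedIn's code or API. The consumer key,
secret, URL, nonces and timestamps below are constructed sample values.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def percent_encode(value: str) -> str:
    # RFC 3986 encoding as OAuth requires: only A-Z a-z 0-9 - . _ ~ stay literal.
    return quote(value, safe="")


def base_string_uri(url: str) -> str:
    # scheme://host[:port]/path, lower-cased, default port dropped, no query/fragment.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    # method & enc(uri) & enc(sorted "k=v" pairs); oauth_signature itself is excluded.
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_string_uri(url)),
                     percent_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, nonce, timestamp,
                 token=None, token_secret=""):
    # Client side: add the oauth_* protocol parameters, then sign the whole request.
    signed = dict(params, oauth_consumer_key=consumer_key, oauth_nonce=nonce,
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(timestamp),
                  oauth_version="1.0")
    if token:
        signed["oauth_token"] = token
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed,
                                                    consumer_secret, token_secret)
    return signed


class SignatureVerifier:
    """Server side: look up the secrets for the presented key (and token, if any),
    check the timestamp window, recompute the signature, then record
    (key, nonce, timestamp) so an identical request cannot be replayed."""

    def __init__(self, consumer_secrets, token_secrets=None, window_seconds=300):
        self.consumer_secrets = consumer_secrets      # constructed in-memory registry
        self.token_secrets = token_secrets or {}
        self.window = window_seconds
        self.seen = set()

    def verify(self, method, url, params, now):
        key = params.get("oauth_consumer_key")
        consumer_secret = self.consumer_secrets.get(key)
        if consumer_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unknown key or unsupported method"
        token = params.get("oauth_token")
        token_secret = self.token_secrets.get(token, "") if token else ""
        if token and not token_secret:
            return False, "unknown token"
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return False, "signature mismatch"     # checked before the nonce is recorded
        nonce_id = (key, params.get("oauth_nonce"), ts)
        if nonce_id in self.seen:
            return False, "replayed nonce"
        self.seen.add(nonce_id)
        return True, "ok"


def demo():
    # Constructed sample credentials and a hypothetical endpoint.
    consumer_key, consumer_secret = "sample-consumer-key", "sample-secret-never-sent"
    url = "https://api.example.com/v1/people/~"
    now = 1_700_000_000
    verifier = SignatureVerifier({consumer_key: consumer_secret})
    genuine = sign_request("GET", url, {"format": "json"}, consumer_key, consumer_secret,
                           nonce="nonce-1", timestamp=now)
    tampered = dict(genuine, format="xml")         # parameter altered, old signature kept
    stale = sign_request("GET", url, {"format": "json"}, consumer_key, consumer_secret,
                         nonce="nonce-2", timestamp=now - 3600)
    return {
        "secret_in_request": consumer_secret in repr(genuine),
        "genuine": verifier.verify("GET", url, genuine, now)[1],
        "tampered": verifier.verify("GET", url, tampered, now)[1],
        "replay": verifier.verify("GET", url, genuine, now)[1],
        "stale": verifier.verify("GET", url, stale, now)[1],
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:18} {outcome}")
```

Two design points matter for a verifier like this. The signature is checked before the nonce is stored, so an unauthenticated sender cannot fill the seen-nonce set with values a legitimate client might later use; and the timestamp window bounds how long that set has to be retained. With a bare API key, none of this is possible: the key itself would travel in every request, and anyone who observed it could reuse it.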