Francois Lascelles



Latest Blogs from Francois Lascelles
I just found out we had record attendance for Wednesday’s API Tech Talk. Clearly, there’s an appetite for the topic of OAuth risk mitigation. With our digital lives scattered across so many services, there is great value in technology that lets us control how these service providers in...
The adoption of cloud by organizations looking for more efficient ways to deploy their own IT assets or as a means to offset the burden of data management drives the need for identity federation in the enterprise. Compounding this is the mobile effect from which there is no turning bac...
So Twitter’s OAuth keys have leaked. What does that mean? Don’t panic. The consequences of a client application’s key being compromised are as serious as user credentials being compromised. The risk associated with this breach is that a malicious application tricking you in participatin...
Are you a token distributor? If you provide an API, you probably are. One thing I like about tokens is that when they are compromised, your credentials are unaffected. Unfortunately, it doesn’t work so well the other way around. When your password is compromised, you should assume the ...
One of the common misconceptions about OAuth is that it provides identity federation by itself. Although supporting OAuth with federated identities is a valid pattern and is essential to many API providers, it does require the combination of OAuth with an additional federated authentic...
API Management Platforms come in different shapes and sizes: cloud based infrastructure, on-premise infrastructure, multi-tenant SaaS, single provider portals, API ecosystems, etc. In this 3rd part on API management deployment models, let’s look at some of the considerations in choosing...
Despite how simple it is to support, compressing API traffic is an often-overlooked optimization. In situations where an API returns verbose resources, compressing the payload is a great way to reduce latencies. JSON and XML are highly compressible formats for example. APIs targeting m...
Cloud Identity Summit was definitely worth the trip. The talks were great, the audience was great, and the venue was outstanding. Sign me up for next year in Napa. It’s beautiful and quiet at Vail Cascade this morning. As I stepped outside, I’m pretty sure I saw SAML scurrying away in ...
The idea of delegating the authentication of a user to a 3rd party is ancient. At some point however, a clever (or maybe lazy) developer thought to leverage an OAuth handshake to achieve this. In the first part of this blog post, I pointed out winning patterns associated with the popul...
If I were to measure the success of a federated identity system, I would consider the following factors: End user experience (UX); How easy it is for a relying party to participate (frictionless); How well it meets security requirements. I get easily frustrated when subjected to bad ...
When talking about API management, the first thing that comes to mind is a public API, one that is open for anybody to consume, provided a certain level of registration. Obviously, the most famous APIs are the public ones, potentially known to anybody. However, such APIs only represent...
OAuth 2.0 seems to be on everybody’s mind these days. I can’t remember an emerging standard picking up interest so fast. The Layer 7 OAuth toolkit evolved through three stages over the last couple years and I’m proud to say that I was involved right from the beginning. It was first dev...
The CEO of competitor API Management provider Mashery recently mentioned a post I wrote discussing tradeoffs of infrastructure vs service based solutions when it comes to API management. Unintentionally, my original post has apparently hit a nerve. Oren suggests that a “true” clo...
Last week, I had the pleasure of discussing REST access control patterns with Enterprise Architects and partnering technology folks. I also had the opportunity to present on this topic and one of the questions that came up afterwards was from a security architect who was unsure whether...
Tokens are at the center of API access control in the Enterprise. Token management, the process through which the lifecycle of these tokens is governed, emerges as an important aspect of Enterprise API Management. While some of this information is created during OAuth handshakes, some ...
The Enterprise is buzzing with API initiatives these days. APIs not only serve mobile applications, they are increasingly redefining how the enterprise does B2B and integration in general. API management as a category follows different models. On one hand, certain technology vendors of...
A lot has changed about the state of OAuth since I last presented at RSA Conference. Last year, the enterprise was screaming for standardized mechanics to provide access control to their APIs. Back then, OAuth was merely on the Enterprise Architect’s radar. It’s now safe to say that OA...
In terms of OAuth enterprise tooling, a lot of focus is given to OAuth-enabling APIs exposed by the enterprise itself. Naturally, the demand for this reflects today’s reality where the enterprise is increasingly playing the role of an API provider. However, many enterprise integration ...
The Cisco Ace XML Gateway (AXG) product is quickly nearing its end of life. Last year, Layer 7’s field team completed a number of successful AXG replacement projects and the rate of such projects has since picked up considerably. Layer 7 is now releasing the Cisco ACE XML Gateway Migra...
The Payment Card Industry Data Security Standard (PCI-DSS) requires increased controls of cardholder information to minimize credit card fraud. Although PCI-DSS compliance is specific to the payment industry, the principles of securing user or subscriber information from leaks or cybe...
A common use of API keys for authentication of web API consumption is to ask the requester to just include the key directly in the URI parameters of the web API call as illustrated below: http://apis.acme.com/resources/blah/foo?app_id=myid&app_key=mykey The term ‘key’ in this case...
Are you still considering rolling out a major Enterprise Service Bus (ESB) stack — you know, the kind that involves a massive initial investment and takes 8+ months to deploy? This wasteful approach was a major factor in doomed corporate SOA initiatives that were common between 2003 an...
The most important token format that you need to support for your web APIs and RESTful web services these days is: anything. So many platforms define their own authentication/authorization mechanism with what seems to be little concern for standardized formats: API keys here, HMAC sign...
Two weeks ago, I posted about SOA Gateway trends that have been emerging lately. If you are interested in this topic or if you are in the process of setting up an SOA infrastructure, you will not want to miss tomorrow’s (Jan 27, 2011) webinar: “How to Choose a SOA Gateway:...
We’ve been getting a number of field requests lately for handling case insensitive URLs. That is, resolving something like http://foo/blah the same way as http://foo/Blah and any other case mutation. Of course, URLs are meant to be case sensitive by definition (not the scheme and host ...
It has been fascinating to witness how the use for SOA gateways evolved over time. In 2010, we saw an explosion of market demand for our gateway appliance product. Here are my thoughts for what I expect to see this year and beyond. Recent use cases for these types of devices largely fo...
A common question relating to REST security is whether or not one can achieve message level integrity in the context of a RESTful web service exchange. Security at the message level (as opposed to transport level security such as HTTPS) presents a number of advantages and is essential ...
The current trend of moving enterprise applications to SaaS-style public cloud solutions is raising a number of concerns regarding security and governance. What about integration though? In the now legacy enterprise, various applications are deployed within the same trusted network und...
Today, I found out that some of our field engineers have started getting use cases from enterprise users where OAuth is used for handling authorization to their resources. Although OAuth is an increasingly common way of authorizing access to resources hosted by an external service prov...
Service orientation is about agility. Without a resulting agility, there is no point in doing SOA. Unfortunately, enterprise SOA infrastructure initiatives sometimes fail in part because their security mechanisms and processes demolish any agility that was built into the SOA itself. This...
I often get asked about ‘REST to SOAP’ transformation use cases these days. Using an SOA gateway like SecureSpan to perform this type of transformation at runtime is trivial to set up. With SecureSpan in front of any existing web service (in the DMZ for example), you can virtualize a RE...
With Google launching its new cloud-based enterprise apps marketplace these days, many people are paying closer attention to a maturing overall cloud offering. One of its components which caught my attention today is ironically something that you are meant to install enterprise-side: t...
Existing brokered authentication standards such as SAML Web Browser SSO or OpenID accommodate RESTful web services for browser driven use cases. However, what about RESTful service composition patterns where identities need to be propagated across nested service invocations, or any RES...
Although certain RESTful web services are of a ‘public’ nature and do not have specific security requirements such as authentication and authorization, any service that has an entry point from an untrusted network is subject to attack and proper threat protection measures are always an...
As the enterprise is increasingly taking notice of WOA (Web Oriented Architecture) these days, the need for security guidelines and standards for RESTful Web services is becoming more pressing. Sure, RESTful Web services are meant to borrow existing security mechanisms from the web and...