Rethinking Application Programming Interface (API) Security


Over the last couple of decades, business models have changed enormously due, at least in part, to digital transformation and the astronomical demand for and supply of new applications and services. To keep up with increasing pressure from businesses, newly envisioned services must be realized in very little time. The Application Programming Interface (API) is a mechanism that has enabled the rapid development and availability of services, scalability, and the sharing of services and value among different stakeholders. In other words, APIs are the new business trend among enterprises. APIs provide direct access to the business logic of applications and to data, which is of paramount importance for enterprises to deliver their services without delay and share data with partners. However, despite the exciting features of APIs and their undisputedly important role in enterprises, APIs lure cyber attackers and suffer from a number of attacks. This makes them a double-edged sword: on one hand, APIs help scale the business of an enterprise, but on the other hand, they introduce new attack vectors and new points of vulnerability. Recent research has shown that cyber attackers are targeting APIs to attack enterprises because APIs are (possibly) easy targets. Furthermore, the availability of computation and communication resources renders other intelligent techniques (such as Artificial Intelligence) feasible for security in the cyber domain. The rationale for using Artificial Intelligence (AI)-based techniques and different breeds of AI in security is their applicability and effectiveness in detecting and mitigating cyber-attacks. In the same spirit, AI, Machine Learning (ML), and Deep Learning (DL) have been used to protect APIs against misuse and different kinds of attacks. In this talk, the security requirements and the current state of API security will be discussed.
From the security solutions standpoint, this talk will reflect on the current solutions for API security and their shortcomings, which will lead us to discuss the role of AI, ML, and DL in API security. Furthermore, this talk will also touch upon the General Data Protection Regulation (GDPR) compliance of API security. Towards the end of the talk, we will identify some of the current trends and pressing issues in API security that need immediate attention with respect to ML and DL.


Rasheed Hussain received his B.S. Engineering degree in Computer Software Engineering from University of Engineering and Technology, Peshawar, Pakistan in 2007, and his MS and PhD degrees in Computer Science and Engineering from Hanyang University, South Korea in 2010 and 2015, respectively. He worked as a Postdoctoral Fellow at Hanyang University, South Korea from March 2015 to August 2015. He also worked as a guest researcher and consultant at University of Amsterdam (UvA), The Netherlands from September 2015 till May 2016 and as Assistant Professor at Innopolis University, Innopolis, Russia from June 2016 till December 2018. Currently he is an Associate Professor and the Director of the Institute of Information Security and Cyber-Physical Systems at Innopolis University, Innopolis, Russia. He is also the head of the Networks and Blockchain Lab at Innopolis University and serves as an ACM Distinguished Speaker. He is a senior member of IEEE, a member of ACM, and serves as an editorial board member for various journals and as symposium chair for the IEEE ICC 2021 CISS symposium. He is a certified Trainer for Instructional Skills Workshop (ISW), Canada, and a recipient of the Netherlands' University Teaching Qualification (Basis Kwalificatie Onderwijs, BKO). His research interests include information, network, and cyber security, applied cryptography, security and privacy in Vehicular Ad Hoc NETworks (VANETs), vehicular clouds, and vehicular social networking, Internet of Things (IoT), Content-Centric Networking (CCN), API security, and blockchain for constrained environments. He is currently focusing on Digital Twins (DTs) security, Unmanned Aerial Vehicles (UAVs) and Autonomous Vehicles (AVs) security, the role of Artificial Intelligence (AI) in IoT, and eXplainable AI (XAI).