For those of you who are just beginning to familiarize yourselves with our services, the SkyBiometry APIs are basically software interfaces based on broadly accepted industry standards which we as a cloud service provider make available to users for the purpose of integrating facial recognition and facial detection technologies in any web or mobile development project. Our decision to provide a cloud API based biometrics as a service, is intended to make the most common biometrics functions and processes easier to integrate and less compute resource intensive easier for developers to adopt for their consumer or enterprise projects.
Being aware of the primary concerns our users have when adopting cloud technologies, we understand very well that delivering biometrics via a cloud API creates concerns regarding risks related to confidentiality, integrity, availability and accountability of the service provider. Now, even though the security of the API is the sole responsibility of the provider, i.e. us in this case, we figured it might be useful to share or approach to analyzing the security of our cloud API yourself.
Some of the major areas, a user looking to integrate any API including ours, should watch out for before making the commitment are:
- Authentication & authorization – you need to start by asking these following questions: Does the API offer management of two-factor authentication attributes? Does the API offer encryption management of the usernames and passwords?
- Message protection – In order to make sure that the messages exchanged between you application and the cloud API are safe, consider whether the API addresses key concerns like message structure, integrity validation, communication encryption and encoding etc.
- Transport security – any API that interacts with or transmits sensitive data, needs to be protected withing a secure channel like SSL/TLS. This being the case though, you need to make sure that any limitations or prerequisites related to configuration issues with various platforms, end-to-end protection and certificate authorities are appropriate for you client or end users.
- Code and development practices – as an API that passes JSON messages and accepts input from users and applications, our service is adequately tested for all standard injection flaws and CSRF attacks, schema validation, I/O encoding, etc.
Once you have a good grasp of the key security requirements for your project and the issues that can be caused by an insecure API, you can move on to implement some security best practices. First start out by evaluation the provided documentation and check whether it includes existing application assessment results and reports that demonstrate security best practices. For custom subscription clients we would even help you determine the suitability of our API security by allowing sharing of results for penetration tests and vulnerability assessment performed against our API. Finaly, you can always rely on our security policies for the creation, dissemination, storage and disposal of API keys supported by an access and authentication mechanism that keeps your projects secure.