PayPal Introduces Easy Way to Secure Apps and APIs
FREMONT, CA: PayPal has updated its developer portal with a self-service credential provisioning feature to increase the security of developers' apps.
In the API environment, credentials that are pushed to a public hub can be exposed in various ways and, if not adequately protected, misused by other users. Developers therefore need to change the client-secrets used by their applications on a regular basis.
PayPal simplifies the credential rotation process with a self-service feature on the developer portal, giving developers greater flexibility to rotate credentials on their own schedule.
The new feature authenticates applications using a client-secret pair, similar to a username-password combination. Developers can generate new client-secret pairs whenever required and can disable or delete existing pairs as necessary.
Previously, developers could not generate new credentials for their apps in a self-serve manner: each app had a single client-secret pair which, once created, could not be changed. To rotate credentials in production apps, developers are now provided with two client-secret slots, each either enabled or disabled, so that a new client-secret can be added to an application and tested before the old one is disabled.
Self-serve credential management (SSCM) enables developers and API providers to manage credentials efficiently and raise application security. Because credentials can be exposed in a public hub in various ways, keys left unprotected may be misused by other users connected to that hub. SSCM secures API credentials by allowing their access to be blocked immediately in case of compromise or other security concerns.
Best practices for client-secret rotation include: rotating client-secrets when credential custodians change; deleting the disabled client-secret pair only after validating the application with the new client-secret; and disabling a client-secret immediately when a compromise is suspected, bearing in mind that the application will stop working until it is integrated with a new client-secret in "Enabled" status.
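The two-slot rotation flow and the best practices above are easy to get wrong in an integration (deleting the old secret before the new one is validated, or authenticating against a disabled slot). The following is an added illustration, not PayPal's code or API: a small model of an application with at most two client-secret slots, a token-endpoint check that only accepts enabled secrets, a zero-downtime rotate() procedure that validates the new secret before disabling and deleting the old one, and an immediate-revocation path for a suspected compromise. All class and function names (App, ClientSecret, rotate, revoke_on_compromise) are hypothetical.

```python
# Added illustration (not PayPal's code or API): a minimal model of the
# two-slot client-secret rotation described above. Names are hypothetical.
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ClientSecret:
    secret_id: str
    value: str
    enabled: bool = True


class App:
    """An application with a client ID and at most two client-secret slots."""

    MAX_SLOTS = 2

    def __init__(self, client_id: str) -> None:
        self.client_id = client_id
        self._slots: dict[str, ClientSecret] = {}
        self._counter = 0

    def add_secret(self) -> ClientSecret:
        """Generate a new secret in Enabled state; fails if both slots are used."""
        if len(self._slots) >= self.MAX_SLOTS:
            raise RuntimeError("both slots in use; delete a disabled secret first")
        self._counter += 1
        cs = ClientSecret(f"secret-{self._counter}", secrets.token_urlsafe(32))
        self._slots[cs.secret_id] = cs
        return cs

    def disable(self, secret_id: str) -> None:
        self._slots[secret_id].enabled = False

    def enable(self, secret_id: str) -> None:
        self._slots[secret_id].enabled = True

    def delete(self, secret_id: str) -> None:
        """Only a disabled secret may be deleted, so a live secret is never dropped by mistake."""
        if self._slots[secret_id].enabled:
            raise RuntimeError("disable the secret before deleting it")
        del self._slots[secret_id]

    def secret_ids(self) -> list[str]:
        return sorted(self._slots)

    def authenticate(self, client_id: str, secret_value: str) -> bool:
        """Token-endpoint check: the client ID must match and the presented
        secret must equal an *enabled* slot (constant-time comparison)."""
        if client_id != self.client_id:
            return False
        return any(
            cs.enabled and hmac.compare_digest(cs.value, secret_value)
            for cs in self._slots.values()
        )


def rotate(app: App, old_id: str, integrate) -> ClientSecret:
    """Zero-downtime rotation: add a new secret, let the caller deploy and
    validate it via integrate(new_value), then disable and delete the old one.
    If validation fails, the new secret is removed and the old one stays live."""
    new = app.add_secret()
    if not integrate(new.value):
        app.disable(new.secret_id)
        app.delete(new.secret_id)
        raise RuntimeError("new secret failed validation; old secret still enabled")
    app.disable(old_id)
    app.delete(old_id)
    return new


def revoke_on_compromise(app: App, secret_id: str) -> None:
    """Immediate containment: the app stops authenticating with this secret
    until it is re-integrated with a new, enabled one."""
    app.disable(secret_id)


if __name__ == "__main__":
    app = App("client-123")
    first = app.add_secret()
    new = rotate(app, first.secret_id, lambda v: app.authenticate("client-123", v))
    print("old secret accepted:", app.authenticate("client-123", first.value))
    print("new secret accepted:", app.authenticate("client-123", new.value))
    revoke_on_compromise(app, new.secret_id)
    print("after revocation:", app.authenticate("client-123", new.value))
```

The integrate callback stands in for whatever deploys the new secret to the running application and confirms it can obtain a token; rotate() only retires the old secret once that check passes, which is the ordering the best practices above call for.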
"Regularly updating the client-secret associated with your applications is a security best practice," said Gagan Maheshwari, Developer Platform Architect, PayPal. "We recommend that developers utilize the self-service client-secret rotation feature on the developer portal on a regular schedule for maximum application security."