LinkedIn's API Well-Played on Security

LinkedIn's new API is a big deal. Why? Because the security considerations around the API look a lot more like enterprise API concerns than most.

LinkedIn's new API is a big deal. Why? Because LinkedIn's members are established professionals, and many of them pay for their membership. Privacy and control over their personal information and image is important to their professional well-being. Therefore, the security considerations around the API look a lot more like enterprise API concerns than most.


In that light, I took a closer look at LinkedIn's API. It's apparent that the company took significant steps to provide basic API security. Here are some of those steps:

* Authentication: When you apply for a key, LinkedIn issues both an API key and a secret. (At first sight both look long enough to resist brute-force guessing, though I didn't attempt to verify this.) Compared to the common practice of the day, which is to issue an API key only, it's significant that LinkedIn provides a key and secret pair: the key identifies the application, while the secret lets it prove possession of the credential rather than merely name itself. Good thing, since the API is writable!

* Authorization: LinkedIn has implemented OAuth, which lets sites implement delegated authorization securely. OAuth is complicated, but basically it allows a third-party site (where an app built against the LinkedIn API lives) to act on behalf of a registered LinkedIn member without the third-party site ever seeing the member's LinkedIn password: the member grants access on LinkedIn itself, and the app receives a token scoped to that member instead.

* Privacy: LinkedIn has built a significant "anti-harvesting" feature into its API: it only lets you fetch profile information for members directly connected to you (first-degree connections). This means you can't use the API to crawl networks of second- or third-degree contacts in order to build your own repository of LinkedIn member data. LinkedIn is also not exposing members' email addresses via the API.
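The key/secret pair from the Authentication bullet and the delegated authorization from the OAuth bullet meet in OAuth request signing, assuming (as the 2009 launch implies) OAuth 1.0a with the HMAC-SHA1 method of RFC 5849. What follows is an added example written for this article, not LinkedIn's code or a client library: the app side signs a status-update write with its consumer secret and the member's token secret, and the API side recomputes and checks that signature. The consumer key, secrets, token and the api.example.com status URL are constructed placeholders, not real LinkedIn values.

```python
"""OAuth 1.0a HMAC-SHA1 request signing (RFC 5849), both sides of the exchange.

Added example, not LinkedIn's code. The API key/secret pair is modelled as the
OAuth consumer key/secret; the member's grant as the access token/token secret.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(s):
    # RFC 3986 percent-encoding as OAuth requires: only A-Z a-z 0-9 - . _ ~ unescaped.
    return quote(s, safe="-._~")


def _base_url(url):
    # scheme://host[:port]/path, lowercase scheme and host, default port dropped,
    # query string excluded (RFC 5849 section 3.4.1.2).
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port and not ((scheme == "http" and p.port == 80) or (scheme == "https" and p.port == 443)):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path}"


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized params).

    params holds decoded (key, value) pairs from the form body plus the oauth_*
    parameters (oauth_signature excluded); query-string pairs are merged in here.
    """
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((_enc(k), _enc(v)) for k, v in list(query) + list(params))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(_base_url(url)), _enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # The secrets are used only as the HMAC key; they are never put on the wire.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Client (third-party app) side: build the oauth_* parameters for one request."""
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", timestamp or str(int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
    ]
    base = signature_base_string(method, url, list(body_params) + oauth)
    return oauth + [("oauth_signature", hmac_sha1_signature(base, consumer_secret, token_secret))]


def verify_request(method, url, body_params, oauth_params, consumer_secrets, token_secrets):
    """Server (API provider) side: recompute the signature from what was received and
    the secrets on file for the presented key and token; reject any mismatch."""
    received = dict(oauth_params)
    presented = received.pop("oauth_signature", "")
    if received.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    consumer_secret = consumer_secrets.get(received.get("oauth_consumer_key"))
    token_secret = token_secrets.get(received.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False  # unknown app or revoked/unknown member grant
    base = signature_base_string(method, url, list(body_params) + list(received.items()))
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)  # constant-time comparison


# Constructed credentials and an illustrative URL (not real LinkedIn values).
CONSUMER_KEY, CONSUMER_SECRET = "app-key-7f3a", "app-secret-c9d1e2"
TOKEN, TOKEN_SECRET = "member-token-5b2c", "member-token-secret-0a4f"
STATUS_URL = "https://api.example.com/v1/people/~/current-status"


def demo():
    """Sign a status-update write, verify it, then show a tampered copy being refused."""
    body = [("status", "Reviewing the new API")]
    oauth = sign_request("PUT", STATUS_URL, body, CONSUMER_KEY, CONSUMER_SECRET,
                         TOKEN, TOKEN_SECRET, nonce="7d8f3e4a", timestamp="1258000000")
    consumers, tokens = {CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET}
    accepted = verify_request("PUT", STATUS_URL, body, oauth, consumers, tokens)
    tampered = verify_request("PUT", STATUS_URL, [("status", "Something else")], oauth, consumers, tokens)
    return accepted, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two things the example makes concrete: the member's password is absent from the whole exchange (the app only ever holds a token), and because the body is covered by the signature, a status update altered in transit fails verification. A production verifier would additionally record each nonce and timestamp it accepts so a captured signed request cannot simply be replayed.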

It's very important for LinkedIn to take the security of its API seriously given the amount of private information it has collected from millions of members. Furthermore, the LinkedIn API allows writes back to its platform, notably status updates, through which third-party developers can update or delete data on the core platform.

LinkedIn has obviously given security a lot of thought, both from an API policy perspective and in the implementation of actual security controls. But security isn't easy, especially when a business wants to make an API open *and* still keep it reasonably secure. The two years that elapsed between the announcement of the LinkedIn API and its actual launch yesterday suggest that securing APIs isn't as easy as falling off a log.

It takes a lot of time and familiarity with best practices of application security to get it right.

Pete Soderling is CEO at API management company Stratus Security Technologies.

This story, "LinkedIn's API Well-Played on Security" was originally published by CSO.

Copyright © 2009 IDG Communications, Inc.
