Is Open Source a requirement for a Security API?


In a recent developer roundtable held by XQ on August 17, 2021, our Head of Corporate Development, Kelby Price, and Zero-Trust expert Junaid Islam spoke with a group of senior developers about their views on open versus closed source as part of their security APIs.

Question: Do you consider open source something that is required when you're looking at different security APIs to integrate into your different applications? 

The following is an excerpt of the conversation focusing on the need for open source as part of a security API: 

Kelby (11:56):

I would open it out to the floor. From the developers who have joined us today. Do you consider open source something that is required when you're looking at different security APIs to integrate into your different applications? I'll ask Ben first.

Ben Hoffman (12:15):

Yeah. So, I mean, I like to be able to, at least in theory, audit security related code, and that's why I like open source code. Now, in practice I don't really read through it very much. I just trust that the people who are providing it do audit it. The phrase, given enough eyeballs, all bugs become shallow, is, I think, vital, especially on something security related.

Kelby (12:42):

That's really good feedback. Ben, before I go to the next person, do you have any other resources that you currently look at as a trusted advisor in terms of deciding what APIs you do use, and where you go to research those?

Ben Hoffman (13:00):

Yeah. I mean, to be honest our product doesn't have a ton of APIs and external API calls in it right now. We're still working on the core of the product. So, when it comes time to start building more integrations with other systems, I guess the way that I would approach it is, you look at the biggest providers out there and you just have to assume that they have enough money to throw at security.

Kelby (13:27):

Well, thank you so much, Ben. I'll just ask a few more people, and then we'll go on to the next question. 

Matthew (13:59):

Bit on the side. Yeah. I'm in a similar boat with Ben, where we don't leverage a ton of external APIs. Definitely open source is a factor in the decision, but it's usually something that we're able to take and propose to our security team, and have them validate whether or not it's going to be healthy and appropriate for us to use.

Kelby (14:27):

Well, thank you. Is there a reason why you guys aren't using external? Is it because you're focusing on the core product right now? Or are you against using external APIs?

Matthew (14:38):

Yeah. We're just focusing on core essentially, and plan to integrate API stuff down the road. But until we get our core offering more rounded out, we don't have the opportunity to use much of the fancier things that we'd like to.

Kelby (14:52):

Valuable. Matt, do you have any websites or platforms or educational sources that you use when you're looking for new APIs?

Matthew (15:06):

Nah. I just like to read the actual API documentation myself, that's usually where I start. And then, no, it's always nice to see if there's a solid community built up. So, you could see if there's a log or any other kinds of frequently asked questions that you might be able to short circuit some of the earlier questions you might have while assessing the API. Sorry for the screaming cat in the background.

Kelby (15:33):

Oh, no. My dog is here too. He is always whining. Thank you so much Matt.

Matthew (15:37):

Welcome.

Kelby (15:39):

One more person before I pass it back to Junaid. Karain, I'm wondering your perspective from an open source perspective first, is that an important factor to you when you're making a decision about using an API, and specifically in security?

Karain (15:58):

Yep. Definitely it's an important factor, because if I talk about myself, I can probably correlate with what [inaudible 00:16:06] said. I'm not a co-developer to be honest, but I know how the things work at the backend and how the things should work. I am currently mostly working on microservices, and it's very important for microservices to have an API so that different components of microservices can talk to each other. And when it comes to API selection, it depends. And because I have a huge team and it's not just one person's responsibility to look for the API securities, and which APIs to use, which APIs not to use.

Karain (16:37):

We work as a team, and there are different guys within a team who provide their input, and then probably with the client and with the stakeholders, and with the C level ex... Not with the C level executives, but probably the higher management. We sit together and then we discuss the ways of having better APIs. But personally, if I talk about myself, I've used one of the websites, which is called Technology Advice, where probably you can get some APIs, good APIs, and what are the important factors, how the security concerns would get improved and all that. So, this is what I say is.

Kelby (17:27):

Well, I really appreciate that. That's really good. I actually haven't heard of that website, so shortly after this meeting I'll definitely be checking that one out. I'll pass it back to [inaudible 00:17:38] now, to further discuss everything that we've been talking about today. And Junaid, I'm going to put you on the spot now, since you've been putting everyone else on the spot. Would you be able to describe to everyone on the call, the importance of Zero Trust and why... And Junaid has been... He was involved in the original Zero Trust that came to market many years ago, and his focus was really moving away from focusing on securing the network to the data. Junaid, I'd love you to describe to everyone on the call today, why you think that that is so important, and how using it from an API perspective, allows companies to integrate security a lot easier?

Junaid (18:22):

Well, from my perspective it's pretty simple. We wouldn't be having this call, or be talking about Zero Trust. If the existing security solutions are working, and they're not at a massive scale, every few weeks we have a massive ransomware attack, of which credential theft is this oldest security hack, but still lethal. We have all kinds of security vulnerabilities in our power grid, in our infrastructure. So, the question is, what's wrong here? And here's my perspective. You have the software developer ecosystem, which is a trillion dollar ecosystem, it's gigantic. It's the biggest technology ecosystem on the planet. Literally trillions of millions of developers creating everything. And living off of that software developer ecosystem are industries that support it, like the server industry, the cloud compute industry, the mobile phone manufacturing industry, and the security industry. What's happening is people are writing their code, finishing their product, and then they hand it over to somebody.



For more information on Zero-Trust Data protection: Click here. 

For developers, access our developer portal on our website: Click here. 

XQ’s API Platform: Click here 

To speak with a representative for more information from XQ or want to set up a meeting, contact us at: 

Support@xqmsg.com  
