
Furthering my series on “IoT Device Security Considerations and Security Layers”, next in the stack is the Device/Application APIs.

APIs (Application Programming Interfaces) provide a way to interact with a system easily. For example, an IoT Sensor could expose an API that a server application uses to retrieve information from it through a set of common libraries and functions.


APIs often come in the form of a library that includes specifications for routines, data structures, object classes, and variables. In other cases, notably SOAP and REST services, an API is simply a specification of remote calls exposed to the API consumers.

There are a number of steps you can take to secure your APIs:


Follow any standards, and in particular security standards, available for the systems you are working with. As discussed in previous blog posts, standards for the IoT are one area that is still being defined.


Install only the APIs/libraries you need for your application, IoT Device or IoT Sensor (and uninstall any unused APIs/libraries).

Secure Messaging

Where feasible, use Secure Messaging with a level of authentication so that the API is communicating and operating with the right system. This ensures that the IoT Device/Sensor can only interface with the correct system and does not accept any rogue requests.

Error Handling

An API should know what to do when it detects an error condition, and what to do when it cannot handle one. This is important so that false instructions or data cannot be sent to the API to make it fail and leave it open to attack.
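The two points above, peer authentication on Secure Messaging and strict Error Handling, combined in one request handler. This is an added example, not code from the original post: the device id, shared key, command set and sensor reading are all constructed, and the HMAC-over-timestamp scheme is one assumed way to authenticate a message, not a standard the post names.

```python
import hashlib
import hmac
import json
import time

# Constructed per-device shared secret (in practice provisioned per device, never hard-coded).
DEVICE_KEYS = {"sensor-42": b"constructed-demo-key-not-for-production"}
MAX_SKEW = 300  # seconds; a stale timestamp limits replay of a captured message
ALLOWED_COMMANDS = {"read", "set_interval"}  # assumed command set for the demo sensor


def sign(device_id, body, ts):
    """Tag a message with the device's key so the receiver can verify the sender."""
    msg = f"{device_id}|{ts}|{body}".encode()
    return hmac.new(DEVICE_KEYS[device_id], msg, hashlib.sha256).hexdigest()


def handle_request(device_id, ts, body, tag, now=None):
    """Return (status, payload). Every bad input maps to an error response, never an exception."""
    now = time.time() if now is None else now
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return 401, {"error": "unknown device"}
    if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW:
        return 401, {"error": "stale or invalid timestamp"}
    expected = hmac.new(key, f"{device_id}|{ts}|{body}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a type check first so a non-string tag cannot raise.
    if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
        return 401, {"error": "bad signature"}
    # Only after the sender is authenticated do we parse the body, and parsing is guarded.
    try:
        cmd = json.loads(body)
    except (ValueError, TypeError):
        return 400, {"error": "malformed body"}
    if not isinstance(cmd, dict) or cmd.get("command") not in ALLOWED_COMMANDS:
        return 400, {"error": "unsupported command"}
    if cmd["command"] == "set_interval":
        seconds = cmd.get("seconds")
        if not isinstance(seconds, int) or not 1 <= seconds <= 3600:
            return 400, {"error": "interval out of range"}
        return 200, {"ok": True, "interval": seconds}
    return 200, {"ok": True, "reading": 21.5}  # constructed sensor value
```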


Using the most up-to-date versions of the APIs/libraries ensures that known bugs and issues have been fixed, reducing exposure to attacks that target known issues. Employing a regular patching capability where possible maintains a level of security. It may not be possible to update IoT Devices/Sensors that are embedded; however, any server-side APIs/libraries should be kept up to date. This will, however, increase the compatibility testing needed with the IoT Devices/Sensors to ensure the interfaces still work.

Further Reading

OWASP REST Security Cheat Sheet