An Insider’s View on Product Management

April 26, 2009

On OAuth vulnerability and open standards

Filed under: Product Management,Technology — Gregory @ 7:51 pm

OAuth is the protocol of choice for delegating authorization in the Open APIs world. As a user, it lets me share private resources stored on one site with another site without handing out my username and password. The protocol is supported by companies like MySpace, Google, Yahoo and Twitter on their Open APIs. Last week, a vulnerability was discovered in the OAuth protocol. The identified threat is a session fixation attack: an attacker starts the authorization flow, obtains a request token, and tricks the victim into approving that token, so that the attacker's account on the consumer site ends up linked to the victim's resources. You can find more details about the attack in Eran Hammer-Lahav's excellent post. The OAuth community reacted quickly and did a fantastic job of handling the situation. It was an impressive display of individuals, small companies and big companies working together to solve the issue. Among the heroes, Eran masterfully coordinated the community's response; Twitter agreed to shut down its OAuth service and absorb the complaints from its user base rather than raise suspicion; Google, Yahoo and others offered time and resources to help solve the problem. The story is better told in Marshall Kirkpatrick's blog.
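To make the session fixation concrete, here is an added example (not code from the original post, from Twitter, or from any OAuth library) that models the three-legged OAuth 1.0 dance with plain Python dictionaries: no HTTP, no request signing. The provider name, consumer key, user names and the `require_verifier` switch are all assumptions made for illustration. With `require_verifier=False` the toy behaves like the original OAuth 1.0 flow and the attacker's consumer session ends up holding an access token for the victim; with `require_verifier=True` it models the `oauth_verifier` that the revised specification later added, a fresh secret that only reaches the consumer through the approving user's own browser, and the attacker's exchange is refused.

```python
import secrets


class Provider:
    """Toy OAuth 1.0-style service provider (constructed for this example).
    require_verifier=False models the original flow; True models the
    oauth_verifier added by the revised specification."""

    def __init__(self, require_verifier):
        self.require_verifier = require_verifier
        self.request_tokens = {}   # request token -> {"consumer", "user", "verifier"}
        self.access_tokens = {}    # access token -> resource owner it grants access to

    def request_token(self, consumer_key):
        # Step 1: the consumer asks for a temporary (request) token.
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "user": None, "verifier": None}
        return token

    def authorize(self, token, user):
        # Step 2: the resource owner approves the request token in their browser.
        # The provider then redirects that same browser to the consumer's callback,
        # carrying the verifier (if any) along with it.
        rec = self.request_tokens[token]
        rec["user"] = user
        if self.require_verifier:
            rec["verifier"] = secrets.token_hex(8)
        return rec["verifier"]

    def access_token(self, consumer_key, token, verifier=None):
        # Step 3: the consumer exchanges the approved request token for an access token.
        rec = self.request_tokens.get(token)
        if rec is None or rec["consumer"] != consumer_key or rec["user"] is None:
            raise PermissionError("request token unknown or not yet authorized")
        if self.require_verifier and (
            verifier is None or not secrets.compare_digest(verifier, rec["verifier"])
        ):
            raise PermissionError("missing or wrong oauth_verifier")
        del self.request_tokens[token]          # request tokens are single-use
        access = secrets.token_hex(8)
        self.access_tokens[access] = rec["user"]
        return access


class Consumer:
    """Toy consumer web app; each browser session is a dict with a logged-in account."""

    def __init__(self, key, provider):
        self.key = key
        self.provider = provider

    def start(self, session):
        # Obtain a request token, remember it in this session and build the
        # authorize URL the browser would be redirected to (hypothetical host).
        token = self.provider.request_token(self.key)
        session["request_token"] = token
        return f"https://provider.example/authorize?oauth_token={token}"

    def callback(self, session, token, verifier=None):
        # The browser comes back after approval. The consumer finishes the exchange
        # and links the access token to whoever is logged in to *this* session.
        if session.get("request_token") != token:
            raise PermissionError("callback token does not match this session")
        access = self.provider.access_token(self.key, token, verifier)
        session["access_token"] = access
        return self.provider.access_tokens[access]


def run_attack(require_verifier):
    """Session fixation: Mallory starts the dance in her own consumer session,
    gets Alice to approve Mallory's request token, then completes the callback
    herself. Returns the resource owner Mallory's session gets linked to, or
    None if the provider refused the exchange."""
    provider = Provider(require_verifier)
    consumer = Consumer("photo-printer", provider)
    mallory_session = {"account": "mallory"}
    url = consumer.start(mallory_session)
    token = url.split("oauth_token=")[1]
    # Mallory does not follow the URL; she sends it to Alice, who approves it.
    # Any oauth_verifier goes to Alice's browser, so Mallory never sees it.
    provider.authorize(token, user="alice")
    try:
        return consumer.callback(mallory_session, token, verifier=None)
    except PermissionError:
        return None


def run_honest_flow(require_verifier):
    """The same three steps with a single browser throughout."""
    provider = Provider(require_verifier)
    consumer = Consumer("photo-printer", provider)
    session = {"account": "alice"}
    url = consumer.start(session)
    token = url.split("oauth_token=")[1]
    verifier = provider.authorize(token, user="alice")
    return consumer.callback(session, token, verifier)


if __name__ == "__main__":
    print("original flow, attacker linked to:", run_attack(require_verifier=False))  # alice
    print("with verifier, attacker linked to:", run_attack(require_verifier=True))   # None
```

The design point is that the approval step must bind something to the browser that actually clicked "allow", not just to the request token the attacker already knows. The revised specification also moved `oauth_callback` from the authorize URL into the request-token request, so an attacker can no longer redirect the approval to a destination of his choosing; that part is not modelled here.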

On the other hand, the incident also showcased the difficulty of managing serious incidents for open standards. When the vulnerability was first identified and acknowledged, there were no procedures in place to alert the community and manage the issue. OAuth's website contains a list of companies that have implemented the protocol, but this list is incomplete and does not contain contact information. Consequently, the initial alert sent by email missed numerous companies: some were not listed, and for others the contact information was incorrect. Similarly, there were no designated leaders to drive the community response. Fortunately Eran stepped up to the task and others followed suit.

A related issue for open standards is the lack of enterprise vendor support. Traditional software vendors (Microsoft, IBM, Oracle and the like) do not offer commercial implementations of OAuth and do not contribute to the specification. An enterprise software architect who wants to add OAuth support does not have many options and often ends up reusing the open source libraries developed by the community, even if his team lacks the security knowledge and training to use those libraries properly. As a result there are almost as many slightly different implementations of the protocol as there are OAuth-powered services, and every divergence is a place where a signing, token handling or callback validation mistake can creep in. This raises valid security concerns. By contrast, an enterprise willing to support other trust protocols such as SAML and WS-Trust can rely on structured standards organizations and a variety of vendors. In case of an incident, the enterprise can also be assured that processes are in place to cope with the situation and that communication channels are properly defined.

In conclusion, thanks to the dedication of the OAuth community, last week's incident ended up as a great and inspiring story. However, the episode also exposed some of the weaknesses and relative immaturity of open standards. OAuth clearly suffers from a lack of processes for responding to urgent situations, as well as a lack of support from recognized software vendors. Those vendors are essential to bring legitimacy to standard protocols and to define proper governance processes in case of incidents. Until governance and maturity issues are addressed, OAuth will struggle to prosper and be adopted beyond the Web 2.0 crowd, and enterprises should be careful before jumping on the bandwagon too quickly.


April 11, 2009

Open API

Filed under: Business Strategy — Gregory @ 11:35 pm

Open APIs, or Web APIs, are playing an increasing role in companies' web strategies. In the past, Web APIs were often decried as developers' eccentricities with no business merit. However, the success of companies like Amazon, eBay, Salesforce and Twitter has changed the general attitude and brought a lot more interest to the subject. Let's take a look at some of the most remarkable successes. Last year, Amazon announced that its API traffic had surpassed its website traffic, and the trend is accelerating:

  • Twitter is believed to get 10 times more requests through its APIs than through its website.
  • Salesforce, arguably the most successful SaaS company, probably has more than 40% of its traffic going through APIs and is aggressively promoting the AppExchange platform to attract even more developers.
  • Google, riding on the popularity of its Maps API, keeps adding new services to its already impressive list and seems determined to become the single biggest service provider.

Others are following suit and trying to catch up with the phenomenon. We can include in the race companies like Microsoft, with its mashup editor, or the New York Times, which is offering through an API every article the paper has written since 1981.

It's becoming undeniable that the API wave promises to reshape the internet landscape through the multiplication of mashups, widgets and other third-party applications. Indeed, APIs promote participation and collaboration by end users and transform the web from a static place into a dynamic environment. But behind the hype of these well-documented success stories, should every company adopt an API strategy? That's what we will explore in another post.

Blog at WordPress.com.