Security for PHP pages using the Marketo SOAP API

Anonymous

I'm very interested in setting up custom PHP interfaces for people within my company to interact with Marketo data.

However, I'm not sure how to do this in a secure manner. The examples I've seen (and tried) involve hard-coding our SOAP user ID and SOAP encryption key in the PHP code.

I consulted our resident security expert and he said he'd be OK with this if (1) the PHP pages were within our firewall and (2) the connection to Marketo was host-bound, so that only calls from within our network would return a result.

I performed a test and was able to query data from Marketo's API from outside our network... not sure if that's something that can be changed, though I'll explore that with Marketo support.

What have other people done to address this? We could really use some custom PHP interfaces, but I can't implement them without more confidence that they won't cause a breach of customer data.

Thanks!

Mark
Anonymous

Re: Security for PHP pages using the Marketo SOAP API

Hi Mark,

The Marketo SOAP API does accept connections from elsewhere, but because the PHP is server side and kept within your company I'm not sure what the concern is. That said, what you could do is create an internal PHP interface with some IP whitelisting or other security controls which your other systems could call instead of the SOAP API.
Anonymous

Re: Security for PHP pages using the Marketo SOAP API

Hi Erik,

We disagree about the risk posed by including carte blanche usernames and passwords in PHP pages (even internal ones). As I have to satisfy security audits at my company, let's assume that this is not permitted.

We do agree about IP whitelisting to prevent the PHP interface itself from being used to pull data. That's basic protection and a prudent approach whenever customer data is involved.

I'm hoping that it will turn out that Marketo has something to offer me here -- perhaps it's a user-by-user preference whether the Marketo SOAP API can be bound only to respond to certain IP addresses (in conjunction with the login credentials).

Or maybe there are some other creative ideas out there? I hope so... I really want to be permitted to use the API in this way.

Thanks!

Mark
Anonymous

Re: Security for PHP pages using the Marketo SOAP API

Would it work to create a single PHP endpoint (with the username in it) and then call that with a level of indirection that did the IP filtering?

You're still calling with PHP, but you only have one set of the username/password floating around and could better secure it.
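The two replies above both point at the same design: one internal gateway page that holds the Marketo SOAP credential, filters callers by IP, and exposes only the operations the internal tools need. The sketch below is an added example written for this page, not code from the thread or from Marketo. It assumes the credentials are supplied as environment variables (MKTO_SOAP_USER_ID, MKTO_SOAP_ENCRYPTION_KEY, MKTO_SOAP_WSDL), that the web server populates $_SERVER['REMOTE_ADDR'] from the TCP connection, and that the allow-listed subnet and operation names are illustrative. The signing step follows Marketo's published SOAP sample (HMAC-SHA1 over timestamp + user ID, keyed with the encryption key); the network call itself is left out so the file can be read and exercised without access to Marketo.

```php
<?php
// Added example for this thread (not Marketo's or the poster's code): an
// internal gateway page that keeps the Marketo SOAP credential out of the
// PHP source and only answers allow-listed internal callers.
declare(strict_types=1);

// 1. Credentials come from the environment (or a file outside the web root),
//    never from a literal in a page that may be copied, committed or served.
function loadMarketoCredentials(): array {
    $userId = getenv('MKTO_SOAP_USER_ID');     // assumed env var name
    $key    = getenv('MKTO_SOAP_ENCRYPTION_KEY'); // assumed env var name
    if ($userId === false || $key === false || $userId === '' || $key === '') {
        throw new RuntimeException('Marketo SOAP credentials are not configured');
    }
    return ['userId' => $userId, 'key' => $key];
}

// 2. IP allow-listing on the gateway itself. Match on REMOTE_ADDR, which the
//    web server sets from the TCP peer; X-Forwarded-For is caller-supplied and
//    only trustworthy when a proxy you control overwrites it.
function ipInCidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;                  // plain host entry
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $subLong = ip2long($subnet);
    if ($ipLong === false || $subLong === false) {
        return false;                          // not a valid IPv4 address
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subLong & $mask);
}

function callerAllowed(string $remoteAddr, array $allowList): bool {
    foreach ($allowList as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// 3. Marketo's SOAP AuthenticationHeader, per Marketo's published sample:
//    requestSignature = HMAC-SHA1(requestTimestamp . mktowsUserId, encryptionKey).
function marketoAuthHeader(string $userId, string $encryptionKey, ?string $timestamp = null): array {
    $timestamp = $timestamp ?? date('c');      // ISO 8601 with offset
    $signature = hash_hmac('sha1', $timestamp . $userId, $encryptionKey);
    return [
        'mktowsUserId'     => $userId,
        'requestSignature' => $signature,
        'requestTimestamp' => $timestamp,
    ];
}

// 4. Expose a fixed menu of operations rather than a raw SOAP relay, so the
//    gateway's credential cannot be used for anything the tools do not need.
//    Operation names are illustrative.
const ALLOWED_OPERATIONS = ['getLead', 'getMultipleLeads'];

function handleRequest(array $server, array $query, array $allowList): array {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!callerAllowed($remote, $allowList)) {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    $op = $query['op'] ?? '';
    if (!in_array($op, ALLOWED_OPERATIONS, true)) {
        return ['status' => 400, 'body' => 'unsupported operation'];
    }
    $creds  = loadMarketoCredentials();
    $header = marketoAuthHeader($creds['userId'], $creds['key']);
    // Real call (omitted so this runs offline): new SoapClient(getenv('MKTO_SOAP_WSDL'))
    // with $header wrapped in a SoapHeader named AuthenticationHeader, then $client->$op(...).
    return ['status' => 200, 'body' => ['op' => $op, 'signedAs' => $header['mktowsUserId']]];
}

// Usage when served by the web server; the allow-list is a constructed example
// of the internal tools subnet plus localhost.
if (PHP_SAPI !== 'cli') {
    $result = handleRequest($_SERVER, $_GET, ['10.20.0.0/16', '127.0.0.1']);
    http_response_code($result['status']);
    header('Content-Type: application/json');
    echo json_encode($result['body']);
}
```

The allow-list is only as good as the address it is compared against: if the gateway sits behind a load balancer, the balancer's own address will be REMOTE_ADDR for every caller, and the check must instead be done at the balancer or on a header the balancer is configured to overwrite. Keeping the operation list explicit also makes an audit question easy to answer: the credential can pull leads, and nothing else.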