CIS14: Protecting Your APIs from Threats and Hacks

Sachin Agarwal, SOA Software

Overview of common API security hacks and threats and best practices to secure your APIs against these threats such as detection and prevention of Denial of Service (DoS) attacks, malformed messages or excessive XML/JSON depth and breadth, message Encryption and rate limiting, and development and governance methodologies that need to be adopted to ensure security compliance.

Published in: Technology

Transcript

  • 1. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved. API Security: Securing Digital Channels and Mobile Apps Against Hacks. Sachin Agarwal, @sachinagarwal
  • 2. What is an API? Diagram labels: Your Application, Your API, Your Customers.
  • 3. APIs extend the reach of your business.
  • 4. Evolution of Digital Channels
  • 5. Client-Server/Web Applications: no programmatic access; security through network isolation; limited users. Access locations and the variability of operations were limited.
  • 6. Web Services: the enterprise opened slightly with Web Services/SOAP. SSL/TLS, certificate based, PKI, WS-Trust; some B2B and partner applications; complex, but quite secure and flexible.
  • 7. And then came APIs, disrupting how and where information is accessed. Mobile and social apps don't understand PKI, WS-Security, etc.; the focus is on human readability and developer adoption.
  • 8. Realizing End-to-End Security: managing the user experience; securing the app (PII, PHI); enabling easy developer access; securing the channel; securing the backend.
  • 9. Understanding the Security Landscape. API-specific security: protocol-specific threats, key management, OAuth, monitoring, licensing, security token mediation. Alongside it: Single Sign-On, MDM, ATP, firewall, VPN, etc.
  • 10. Understanding API Security
  • 11. The API Lifecycle. Diagram labels: Transform & Secure, Publish, Monetize, Dev. Adoption; API; SOAP to REST, Mobile Optimization, OAuth, Mediation, Analytics, API Documentation; Applications and Services, Apps; API Producers, API Consumers.
  • 12. API Security: 1 Authentication & Authorization; 2 App Key Validation/Licensing; 3 Message Security; 4 Threat Protection; 5 Content Filtering; 6 Rate Limiting. (Developers)
  • 13. Authentication/Authorization/SSO: control and restrict access to your APIs. Make it easy yet secure.
  • 14. Understanding OAuth: OAuth lets a person delegate constrained access from one app to another. Diagram labels: User, Resource Owner, Client App, Resource Server.
  • 15. OAuth Flow
  • 16. OAuth – you need: OAuth clients, provisioning, approval flow; OAuth server, identity integration, token validation, token issue/refresh, token mediation (SAML, LDAP, etc.); QoS, monitoring, policy management, API proxying, reporting, analytics. OAuth is hard and complicated.
  • 17. Licensing: package your APIs in different ways. Use API keys to restrict what the app can access. The licenses control: OAuth authorization scopes; document visibility; quota policies.
  • 18. Message and Parameter Security. HTTP parameter: http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey – protect API keys with HMAC (Hash-based Message Authentication Code). Message security: implement HTTPS; for XML payloads, encrypt specific parts of the message.
  • 19. Threat Protection: Denial of Service; injection attacks – detect and prevent SQL, JavaScript or XPath/XQuery injection attacks; Cross Site Scripting; network address and range blacklists/whitelists; HTTP parameter stuffing.
  • 20. Content Filtering: provide a content firewall, protecting against malicious content; validate message content including message headers, form and query parameters, XML and JSON data structures; policies for XML and JSON DoS; protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines.
  • 21. Quota Management/Rate Limiting: restrict the number of calls an app can make. Apply controls based on context, affinity, segmentation, etc.
  • 22. API Gateway. Diagram labels: Gateway; Security, Authentication, Protection, IAM Integration, Encryption; Mediation; Quality of Service, Paging/Caching, Orchestration, Scripting.
  • 23. API Resources and API University: Resource Center – http://resource.soa.com/; Webinar Recording – http://resource.soa.com/resource/webinars. Follow us on: www.facebook.com/soasoftware, www.linkedin.com/company/soasoftware, @soasoftwareinc
  • 24. Questions: @sachinagarwal
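Slide 18 recommends protecting API keys with an HMAC instead of passing `app_key=mykey` in the query string. The following Python is an added example, not code from the presentation or from SOA Software's products: the client signs the method, path, query, timestamp, nonce and body hash with the shared secret, and the gateway recomputes the MAC, compares it in constant time, bounds clock skew and rejects replayed nonces. The header names (`X-App-Id`, `X-Timestamp`, `X-Nonce`, `X-Signature`), the skew window and the credential registry are all assumptions made for the example; the app id and secret are the constructed values from the slide's URL.

```python
import hashlib
import hmac

# Constructed registry of app credentials. The gateway keeps the shared secret
# server-side; unlike ?app_key=mykey, the secret itself never travels on the wire.
APP_SECRETS = {"myid": b"mykey"}

# Signed timestamps older or newer than this window are rejected (assumed policy value).
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_request(method, path, query, timestamp, nonce, body):
    """Build the exact byte string both sides sign. Every field that must not be
    tampered with is included, so changing the path, query or body breaks the MAC."""
    body_digest = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, query, str(timestamp), nonce, body_digest]
    return "\n".join(fields).encode("utf-8")


def sign_request(app_id, secret, method, path, query, body, timestamp, nonce):
    """Client side: produce the headers that replace app_key in the query string.
    The nonce must be unique per request (e.g. secrets.token_hex(16) in practice)."""
    msg = canonical_request(method, path, query, timestamp, nonce, body)
    mac = hmac.new(secret, msg, hashlib.sha256)
    return {
        "X-App-Id": app_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": mac.hexdigest(),
    }


def verify_request(headers, method, path, query, body, now, seen_nonces):
    """Gateway side: recompute the MAC over the request as actually received and
    compare in constant time. `seen_nonces` holds nonces already accepted inside
    the skew window (a real gateway expires them after MAX_CLOCK_SKEW_SECONDS);
    a valid signature presented a second time is rejected as a replay."""
    app_id = headers.get("X-App-Id", "")
    secret = APP_SECRETS.get(app_id)
    if secret is None:
        return False, "unknown app"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return False, "stale timestamp"
    nonce = headers.get("X-Nonce", "")
    msg = canonical_request(method, path, query, timestamp, nonce, body)
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes of the MAC matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)  # recorded only after the signature checked out
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: the slide's URL path, with the key kept out of the query.
    now = 1_700_000_000
    hdrs = sign_request("myid", APP_SECRETS["myid"], "GET", "/resources/sample/foo",
                        "limit=10", b"", now, "n-0001")
    seen = set()
    print(verify_request(hdrs, "GET", "/resources/sample/foo", "limit=10", b"", now + 5, seen))
    print(verify_request(hdrs, "GET", "/resources/sample/foo", "limit=10", b"", now + 5, seen))
    print(verify_request(hdrs, "GET", "/resources/sample/bar", "limit=10", b"", now + 5, set()))
```

The query string is signed as the client sent it, so any gateway that reorders or re-encodes parameters before verification must canonicalize on both sides in the same way; otherwise legitimate requests fail the check.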
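Slide 20 lists policies for XML and JSON DoS, and slide 27's abstract names excessive JSON depth and breadth as the concrete threat. The Python below is an added example, not the presentation's or SOA Software's code: it scans the raw JSON text for nesting depth, container breadth and byte size before `json.loads()` is ever called, so a hostile body is rejected before the parser spends memory or recursion on it. The limit values and the constructed sample bodies are assumptions for the example.

```python
import json


class PayloadRejected(ValueError):
    """Raised when a request body violates the content-firewall policy."""


def check_json_limits(raw, max_depth=20, max_breadth=1000, max_bytes=1_000_000):
    """Bound depth, breadth and size of a JSON text before parsing it.
    Returns (parsed_document, stats) when the body is within policy."""
    if len(raw.encode("utf-8")) > max_bytes:
        raise PayloadRejected(f"body exceeds {max_bytes} bytes")

    deepest = 0        # deepest nesting level seen
    widest = 0         # most elements seen in any single array/object
    stack = []         # one [comma_count, has_content] entry per open container
    in_string = False  # brackets inside string literals are data, not structure
    escaped = False

    for ch in raw:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch in "]}":
            if not stack:
                raise PayloadRejected("unbalanced closing bracket")
            commas, has_content = stack.pop()
            widest = max(widest, commas + 1 if has_content else 0)
            continue
        if ch.isspace():
            continue
        if stack:
            stack[-1][1] = True  # any token inside a container counts as content
        if ch == '"':
            in_string = True
        elif ch in "[{":
            stack.append([0, False])
            deepest = max(deepest, len(stack))
            if len(stack) > max_depth:
                raise PayloadRejected(f"nesting depth exceeds {max_depth}")
        elif ch == "," and stack:
            stack[-1][0] += 1
            if stack[-1][0] + 1 > max_breadth:
                raise PayloadRejected(f"container breadth exceeds {max_breadth}")

    if in_string or stack:
        raise PayloadRejected("truncated or unbalanced JSON")

    document = json.loads(raw)  # structure is now bounded; this still validates syntax
    return document, {"max_depth": deepest, "max_breadth": widest}


def within_limits(raw, **limits):
    """Yes/no wrapper for gateway policy evaluation."""
    try:
        check_json_limits(raw, **limits)
        return True
    except PayloadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample bodies: one benign, one nested past the limit, one too wide.
    print(check_json_limits('{"user": {"id": 7, "roles": ["admin", "ops"]}}'))
    print(within_limits("[" * 25 + "]" * 25, max_depth=20))
    print(within_limits("[" + ",".join(["0"] * 1001) + "]", max_breadth=1000))
```

Brackets inside string values (including escaped quotes) are skipped by the string-state tracking, so a payload such as `{"s": "[[[["}` is correctly measured as depth 1 rather than rejected.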
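Slide 21 calls for restricting the number of calls an app can make, with controls chosen by context and segmentation, and slide 17 ties quota policies to the app's license. As an added example that is not the presentation's or SOA Software's code, the Python below keys a token bucket on the authenticated app id and picks the bucket's burst capacity and refill rate from a constructed license tier table; the per-request `cost` lets an expensive endpoint draw down the quota faster. Tier names, limits and header names are assumptions for the example.

```python
class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled continuously at
    `refill_per_second`. Time is passed in explicitly so the policy is testable."""

    def __init__(self, capacity, refill_per_second, now):
        self.capacity = float(capacity)
        self.refill_per_second = float(refill_per_second)
        self.tokens = float(capacity)
        self.updated = now

    def try_consume(self, now, cost=1.0):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_second)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


# Constructed license tiers: burst capacity and sustained calls per second.
TIER_POLICY = {
    "free": {"capacity": 10, "refill_per_second": 1.0},
    "partner": {"capacity": 100, "refill_per_second": 10.0},
}


class QuotaManager:
    """Per-app rate limiting keyed on the app id authenticated upstream, with the
    limits selected by the app's license tier (one form of segmentation)."""

    def __init__(self, app_tiers):
        self.app_tiers = dict(app_tiers)  # app_id -> tier name
        self.buckets = {}

    def check(self, app_id, now, cost=1.0):
        """Return (allowed, remaining_tokens). Apps without a license get no quota."""
        tier = self.app_tiers.get(app_id)
        if tier is None:
            return False, 0
        bucket = self.buckets.get(app_id)
        if bucket is None:
            policy = TIER_POLICY[tier]
            bucket = TokenBucket(policy["capacity"], policy["refill_per_second"], now)
            self.buckets[app_id] = bucket
        allowed = bucket.try_consume(now, cost)
        return allowed, int(bucket.tokens)


def quota_headers(allowed, remaining):
    """Headers a gateway would attach so developers can see their quota state."""
    headers = {"X-RateLimit-Remaining": str(remaining)}
    if not allowed:
        headers["Retry-After"] = "1"
    return headers


if __name__ == "__main__":
    # Constructed walk-through: a free-tier app bursts through its quota at t=0,
    # is throttled, and regains tokens as time passes.
    qm = QuotaManager({"myid": "free", "bigco": "partner"})
    for _ in range(11):
        allowed, remaining = qm.check("myid", 0.0)
        print(allowed, quota_headers(allowed, remaining))
    print(qm.check("myid", 2.0))          # two tokens refilled after 2 s
    print(qm.check("bigco", 0.0, cost=50))  # expensive call on a partner app
```

In a clustered gateway the bucket state has to live in shared storage rather than in process memory, otherwise each node enforces the full quota independently and the effective limit multiplies by the node count.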