API Security: Securing Digital Channels and Mobile Apps Against Hacks
More and more enterprises today do business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also enlarges the attack surface available to attackers. To benefit from APIs while staying secure, enterprises and security architects need a deep understanding of API security and of how it differs from traditional web application security and mobile application security.


Transcript

  • 1. API Security: Securing Digital Channels and Mobile Apps Against Hacks. Sachin Agarwal, VP, Product Marketing. Copyright © 2001-2013 SOA Software, Inc. All Rights Reserved.
  • 2. API and SOA Resources
    • Resource Center: http://resource.soa.com/
    • Webinar Recording: http://resource.soa.com/resource/webinars
    • Follow us on: www.facebook.com/soasoftware, www.linkedin.com/company/soasoftware, @soasoftwareinc
  • 3. What is an API? (diagram: Your Customers → Your API → Your Application)
  • 4. APIs – Extend the Reach of your Business
  • 5. EVOLUTION OF DIGITAL CHANNELS
  • 6. Client-Server/Web Applications. Access locations and variability of operations were limited:
    • No programmatic access
    • Security through network isolation
    • Limited users
  • 7. Web Services. The enterprise opened slightly with Web Services/SOAP:
    • SSL/TLS, certificate based, PKI, WS-Trust
    • Some B2B and partner applications
    • Complex, but quite secure and flexible
  • 8. And then came APIs, disrupting how and where information is accessed:
    • Mobile and social apps don't understand PKI, WS-Security, etc.
    • Focus on human readability and developer adoption
  • 9. Realizing End-to-End Security (diagram): Securing the Backend; Managing the User Experience; Securing the Channel; Securing the App (PII, PHI); Enabling Easy Developer Access
  • 10. Understanding the Security Landscape
    • Single Sign On
    • API Specific Security: MDM; ATP, firewall, VPN etc.; protocol specific threats; key management; OAuth; monitoring; licensing; security token mediation
  • 11. UNDERSTANDING API SECURITY
  • 12. The API Lifecycle (diagram)
    • API Producers: Applications and Services → SOAP to REST, Mobile Optimization, Transform & Secure → Publish
    • API Consumers: OAuth Mediation, API Analytics, Dev. Adoption, Monetize, API Documentation, Apps
  • 13. API Security (diagram of six numbered controls, each covered on the following slides): Authentication & Authorization; App Key Validation/Licensing; Message Security; Threat Protection; Content Filtering; Rate Limiting; Developers
  • 14. Authentication/Authorization/SSO: control and restrict access to your APIs; make it easy yet secure.
  • 15. Understanding OAuth. OAuth lets a person (the resource owner) delegate constrained access to their data from one app to another without handing that app their password. Roles in the diagram: Client App, Resource Server, Resource Owner (User); the OAuth server that issues and validates the tokens appears on slide 17.
  • 16. OAuth Flow (diagram)
  • 17. OAuth – You need. OAuth is hard and complicated:
    • OAuth Clients: provisioning, approval flow
    • OAuth Server: identity integration, token validation, token issue/refresh, token mediation (SAML, LDAP etc.)
    • QoS, monitoring, policy management, API proxying, reporting, analytics
  • 18. Licensing. Package your APIs in different ways; use API keys to restrict what the app can access. The licenses control:
    – OAuth authorization scopes
    – Document visibility
    – Quota policies
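Slides 15 to 18 describe delegated, scoped access and licenses that cap the OAuth scopes an app may hold. The following Python is an added illustration written for this page, not code from the deck or from SOA Software's product: an in-memory token issuer and a resource server that model the three constraints a gateway enforces (the license caps what an app may ever request, the user's approval caps what a grant gets, and a refresh can never widen scopes), plus the token validation a resource server performs. It is not an implementation of the OAuth 2.0 wire protocol; the app ids, scope names, license table and timestamps are constructed sample data.

```python
import secrets
import time

# Constructed sample data: the scopes each registered app's license permits
# it to request. In a deployment this comes from the API management layer.
LICENSES = {
    "mobile-app": {"profile:read", "orders:read"},
    "partner-app": {"profile:read", "orders:read", "orders:write"},
}


class AuthorizationServer:
    """Minimal in-memory issuer of scoped bearer tokens (illustrative model, not RFC 6749)."""

    def __init__(self, licenses, access_ttl=3600, refresh_ttl=86400):
        self.licenses = licenses
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self._access = {}   # access token -> grant record
        self._refresh = {}  # refresh token -> the same grant record

    def issue(self, app_id, user, approved_scopes, now=None):
        """Issue a token pair for the scopes the resource owner approved for this app.

        Two caps apply: the license bounds what the app may ever hold, and the
        user's approval bounds what this particular grant receives."""
        now = time.time() if now is None else now
        licensed = self.licenses.get(app_id)
        if licensed is None:
            raise PermissionError("unknown client app")
        approved = set(approved_scopes)
        if not approved <= licensed:
            raise PermissionError("scopes not covered by license: %s" % sorted(approved - licensed))
        return self._mint(app_id, user, approved, now)

    def _mint(self, app_id, user, scopes, now):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        grant = {"app_id": app_id, "user": user, "scopes": frozenset(scopes),
                 "expires_at": now + self.access_ttl,
                 "refresh_expires_at": now + self.refresh_ttl}
        self._access[access] = grant
        self._refresh[refresh] = grant
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": self.access_ttl, "scope": " ".join(sorted(scopes))}

    def validate(self, access_token, now=None):
        """Return the grant behind a live access token, or None if unknown or expired."""
        now = time.time() if now is None else now
        grant = self._access.get(access_token)
        if grant is None or now >= grant["expires_at"]:
            return None
        return grant

    def refresh(self, refresh_token, now=None):
        """Rotate the token pair. The new grant carries exactly the old scopes."""
        now = time.time() if now is None else now
        grant = self._refresh.pop(refresh_token, None)
        if grant is None or now >= grant["refresh_expires_at"]:
            raise PermissionError("invalid or expired refresh token")
        # Revoke the old access token so only the rotated pair stays usable.
        for tok, g in list(self._access.items()):
            if g is grant:
                del self._access[tok]
        return self._mint(grant["app_id"], grant["user"], grant["scopes"], now)


class ResourceServer:
    """Validates the bearer token and the required scope before serving a resource."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def handle(self, access_token, required_scope, now=None):
        grant = self.auth.validate(access_token, now)
        if grant is None:
            return 401, "invalid_token"
        if required_scope not in grant["scopes"]:
            return 403, "insufficient_scope"
        return 200, "ok for %s on behalf of %s" % (grant["app_id"], grant["user"])
```

The two failure codes mirror what a real resource server returns: an unknown or expired token is 401, a live token without the needed scope is 403. Validation here is a dictionary lookup; with a separate gateway it would be a token introspection call or a signed-token check, but the scope decision is the same.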
  • 19. Message and Parameter Security
    • HTTP Parameter: http://apis.foo.com/resources/sample/foo?app_id=myid&app_key=mykey
      – A key passed like this is a bearer secret in the URL: it lands in browser history, proxy and server access logs and Referer headers, and whoever captures it can replay it.
    • Protect API keys with HMAC (Hash-based Message Authentication Code): the client keeps the key and sends a signature computed over the request instead, so the secret never travels on the wire and a captured request cannot be altered or, with a timestamp and nonce, replayed.
    Message Security
    • Implement HTTPS
    • For XML payloads, encrypt specific parts of the message
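To make the HMAC point concrete, the following Python is an added example, not code from the deck or from SOA Software: a client signs the request with the app key and the gateway recomputes the signature, checks the timestamp window and rejects reused nonces, so the URL on slide 19 can drop its app_key parameter. The header names, the canonical string layout, the 300-second clock-skew window, the app registry and the sample secret are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample registry: app_id -> shared secret. The secret itself is
# never sent; only a signature derived from it travels with the request.
APP_SECRETS = {"myid": "4f8c0c2a9d1e4b7f8a3c6e5d2b1a0f9e"}

MAX_SKEW_SECONDS = 300  # assumed tolerance for clock drift between client and gateway


def canonical_string(method, url, body, app_id, timestamp, nonce):
    """Deterministic bytes both sides sign: method, path, sorted query string,
    app id, timestamp, nonce and a SHA-256 of the body. Sorting the query
    means parameter order cannot change the signature."""
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), parts.path, query, app_id,
                      str(timestamp), nonce, body_hash]).encode()


def sign_request(method, url, body, app_id, secret, timestamp=None, nonce=None):
    """Client side: produce the headers that replace ?app_key=... in the URL."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret.encode(),
                   canonical_string(method, url, body, app_id, timestamp, nonce),
                   hashlib.sha256)
    return {"X-App-Id": app_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class SignatureVerifier:
    """Gateway side: recompute the HMAC, reject stale timestamps and replayed nonces."""

    def __init__(self, secrets_by_app, max_skew=MAX_SKEW_SECONDS):
        self.secrets_by_app = secrets_by_app
        self.max_skew = max_skew
        self._seen = {}  # (app_id, nonce) -> time after which it can be forgotten

    def verify(self, method, url, body, headers, now=None):
        """Return (accepted, reason). Only accepted requests record their nonce."""
        now = int(time.time()) if now is None else now
        app_id = headers.get("X-App-Id", "")
        secret = self.secrets_by_app.get(app_id)
        if secret is None:
            return False, "unknown app_id"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        nonce = headers.get("X-Nonce", "")
        # Forget nonces whose timestamp can no longer pass the window check.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        if (app_id, nonce) in self._seen:
            return False, "replayed nonce"
        expected = hmac.new(secret.encode(),
                            canonical_string(method, url, body, app_id, ts, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the signature byte by byte.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "signature mismatch"
        # Keep the nonce until every replay carrying this timestamp would be stale anyway.
        self._seen[(app_id, nonce)] = ts + self.max_skew + 1
        return True, "ok"
```

The signature is checked last so that an attacker cannot fill the nonce cache with unsigned junk, and the nonce lifetime is tied to the timestamp window, which is what makes the two checks together prevent replay rather than merely delay it.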
  • 20. Threat Protection
    • Denial of Service
    • Injection attacks: detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
    • Cross Site Scripting
    • Network address and range blacklists/whitelists
    • HTTP Parameter Stuffing
  • 21. Content Filtering. Provide a content firewall, protecting against malicious content:
    • Validate message content including message headers, form and query parameters, XML and JSON data structures
    • Policies for XML and JSON DoS
    • Protection against viruses in attachments and other binary content via ICAP integration with leading anti-virus engines
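Slides 20 and 21 list what a gateway's threat-protection and content-filtering layer inspects. The following Python is an added example written for this page, not code from the deck or from SOA Software's gateway: a request inspector that applies a client-network denylist, rejects duplicate and unexpected query parameters (the parameter-stuffing case), bounds JSON size, nesting depth, key count and string length, with the depth check done on the raw text before the parser is allowed to recurse, and refuses XML that carries DOCTYPE or ENTITY declarations, which is where entity-expansion payloads live. The policy limits, the denied network and the sample requests are constructed for the example.

```python
import ipaddress
import json
from urllib.parse import parse_qsl

# Assumed policy values for this example; tune per API.
MAX_BODY_BYTES = 64 * 1024
MAX_JSON_DEPTH = 8
MAX_JSON_KEYS = 200
MAX_STRING_LEN = 2048

# Constructed denylist of client networks (TEST-NET-3 documentation range).
DENIED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def json_nesting_depth(raw, limit):
    """Count bracket depth in the raw text, skipping brackets inside strings, so a
    deeply nested payload is refused before json.loads recurses into it.
    Returns the maximum depth, or None once the limit is exceeded."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in raw:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                return None
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def walk(value, violations, key_count):
    """Post-parse structural limits: total object keys and string lengths."""
    if isinstance(value, dict):
        key_count[0] += len(value)
        if key_count[0] > MAX_JSON_KEYS:
            violations.append("too many object keys")
            return
        for item in value.values():
            walk(item, violations, key_count)
    elif isinstance(value, list):
        for item in value:
            walk(item, violations, key_count)
    elif isinstance(value, str) and len(value) > MAX_STRING_LEN:
        violations.append("string value too long")


def inspect_request(client_ip, query, content_type, body, allowed_params):
    """Return the list of policy violations; an empty list means the request may pass."""
    violations = []
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return ["unparseable client address"]
    if any(ip in net for net in DENIED_NETWORKS):
        violations.append("client address denied")
    params = parse_qsl(query, keep_blank_values=True)
    names = [k for k, _ in params]
    if len(names) != len(set(names)):
        violations.append("duplicate query parameter")
    unexpected = sorted(set(names) - set(allowed_params))
    if unexpected:
        violations.append("unexpected parameters: %s" % ",".join(unexpected))
    if len(body) > MAX_BODY_BYTES:
        violations.append("body too large")
        return violations  # do not even look inside an oversized body
    if content_type.startswith("application/json"):
        text = body.decode("utf-8", errors="replace")
        if json_nesting_depth(text, MAX_JSON_DEPTH) is None:
            violations.append("json nesting too deep")
        else:
            try:
                walk(json.loads(text), violations, [0])
            except ValueError:
                violations.append("malformed json")
    elif content_type.startswith(("application/xml", "text/xml")):
        # Internal entity definitions (billion laughs, XXE) require a DOCTYPE;
        # an API payload has no legitimate need for one.
        if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
            violations.append("xml doctype/entity declarations not allowed")
    return violations
```

The order matters: size first, then the linear depth scan, then parsing, so each stage only runs on input the cheaper stage has already bounded. The injection and XSS items on slide 20 are pattern matching over the same parameters and body at this layer; that is a useful first filter, but the backend still needs parameterised queries and output encoding, because no gateway pattern list is complete.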
  • 22. Quota Management/Rate Limiting: restrict the number of calls an app can make; apply controls based on context, affinity, segmentation etc.
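For the rate-limiting slide, the following Python is an added example, not code from the deck or from SOA Software's product: a token-bucket limiter keyed by app and by a caller-supplied context (for example an endpoint or a client segment), combined with a fixed daily quota taken from the app's license tier, which is one way the licensing on slide 18 and the quota policy here fit together. The tier numbers, the app-to-tier mapping and the timestamps are constructed sample data.

```python
import time

# Constructed license tiers: sustained rate in requests/second, burst size,
# and a daily quota. A real deployment reads these from the app's license.
TIERS = {
    "free":    {"rate": 1.0,  "burst": 5,   "daily_quota": 1000},
    "partner": {"rate": 50.0, "burst": 200, "daily_quota": 1_000_000},
}


class RateLimiter:
    """Token bucket per (app, context) plus a per-app daily quota."""

    def __init__(self, tiers, app_tiers):
        self.tiers = tiers
        self.app_tiers = app_tiers  # app_id -> tier name
        self._buckets = {}          # (app_id, context) -> (tokens, last_refill_time)
        self._daily = {}            # (app_id, day_number) -> calls made

    def check(self, app_id, context="default", now=None):
        """Decide one call. Returns (allowed, reason, retry_after_seconds)."""
        now = time.time() if now is None else now
        tier = self.tiers.get(self.app_tiers.get(app_id))
        if tier is None:
            return False, "unlicensed app", None
        # Daily quota is a hard ceiling across every context of the app.
        day = int(now // 86400)
        used = self._daily.get((app_id, day), 0)
        if used >= tier["daily_quota"]:
            return False, "daily quota exhausted", (day + 1) * 86400 - now
        # Token bucket: refill proportionally to elapsed time, capped at burst.
        key = (app_id, context)
        tokens, last = self._buckets.get(key, (tier["burst"], now))
        tokens = min(tier["burst"], tokens + (now - last) * tier["rate"])
        if tokens < 1:
            # Bucket left untouched on denial, so refill still counts from 'last'.
            return False, "rate limit exceeded", (1 - tokens) / tier["rate"]
        self._buckets[key] = (tokens - 1, now)
        self._daily[(app_id, day)] = used + 1
        return True, "ok", None
```

The retry-after value is what a gateway would put in a Retry-After header on the 429 response. Keying the bucket on a context string is the hook for the "context, affinity, segmentation" controls on the slide: the same app can be given separate budgets per endpoint, per end user or per source network simply by choosing the key.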
  • 23. SOA Software API Gateway. Gateway capabilities: Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
  • 24. The SOA Software API Platform: Analytics, Developer Engagement, Gateway Services, Service Integration, Lifecycle Management
  • 25. Flexible Deployment Model (diagram)
  • 26. SOA Software API Platform Capabilities (matrix across Platform, Lifecycle, Gateway and API Portal)
    • Gateway: Security, Authentication, Protection, IAM Integration, Encryption, Mediation, Quality of Service, Paging/Caching, Orchestration, Scripting
    • Platform, Lifecycle and API Portal: Licensing, API/Services, Search, Quota Mgmt., Application, Documentation, Partner Mgmt., User, Groups, PCI Compliance, Compliance, Social, Provisioning, Integrations, Policy Mgmt., Monitoring, OAuth, Federation, Analytics
  • 27. Questions