Enterprise Security APIs

Slide 1: Enterprise Security APIs
DEVELOPMENT IN SUPPORT OF APPLICATION SECURITY

Slide 2: Enterprise Security APIs
We can further improve application security by developing reusable software that provides security-centric functionality, makes it easier to develop secure software, or both.

Slide 3: Vulnerability Management Lifecycle
Prevent, Detect, Remediate
• Prevent: best practices and testing
• Detect: discover, assess and rank
• Remediate: catalog, prioritize and fix

Slide 4: Application Security
• Prevent: policy enforcement and training
• Detect: monitor, scan and review
• Remediate: management and resourcing

Slide 5: Development happens
…AND SECURITY TOO

Slide 6: Authentication API
• Loosen coupling to the system
• Enforce policy
• More control and granularity
• Standardize across applications
• Consistent user experience

Slide 7: Cryptography API
• Ensure that best practices are followed
• Standardize key management
• Stop storing secrets in configuration

Slide 8: CSRF Encrypted Token
• Detect and remediate as a separate concern
• Use the Cryptography API
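As an added example (not from the slides), the pattern of slides 7 and 8 in code: a CSRF token module that handles only the CSRF concern (binding a token to the session and a deadline) and delegates every cryptographic operation to a small Cryptography API facade. The facade's backend is a stdlib-only encrypt-then-MAC stand-in so the example runs offline; a production facade would wrap a vetted AEAD such as AES-GCM and fetch the master key from a key store rather than configuration. The class names CryptoAPI and CsrfTokens are assumptions.

```python
import hashlib, hmac, json, os, struct, time
from typing import Optional

class CryptoAPI:
    """Facade the application talks to; callers never see keys or primitives.
    Backend: stdlib-only encrypt-then-MAC stand-in (HMAC-SHA256 keystream + tag);
    a production facade would wrap a vetted AEAD (e.g. AES-GCM) instead."""
    def __init__(self, master_key: bytes):
        # Derive distinct confidentiality and integrity keys from one master key.
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = [hmac.new(self._enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((length + 31) // 32)]
        return b"".join(blocks)[:length]

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)  # fresh per token, so equal payloads never repeat
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, token: bytes) -> Optional[bytes]:
        if len(token) < 48:  # 16-byte nonce + 32-byte tag at minimum
            return None
        nonce, ct, tag = token[:16], token[16:-32], token[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # tampered, truncated, or sealed under another key
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

class CsrfTokens:
    """CSRF as a separate concern: bind a token to the session and a deadline."""
    def __init__(self, crypto: CryptoAPI, ttl_seconds: int = 3600):
        self._crypto, self._ttl = crypto, ttl_seconds

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        claims = json.dumps({"sid": session_id, "exp": now + self._ttl})
        return self._crypto.seal(claims.encode()).hex()

    def verify(self, token_hex: str, session_id: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        try:
            plain = self._crypto.open(bytes.fromhex(token_hex))
        except ValueError:  # not hex at all
            return False
        if plain is None:
            return False
        claims = json.loads(plain)
        same_session = hmac.compare_digest(claims["sid"].encode(), session_id.encode())
        return same_session and claims["exp"] > now
```

Because the CSRF module only depends on seal() and open(), the backend can be swapped for a real AEAD without touching any application code, which is the remediation-as-API point of slide 9.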
Slide 9: API backed Application Security
• Prevent: security built in by experts
• Detect: purpose-built monitoring
• Remediate: the fix is the API

Slide 10: Creating an API
…THAT DEVELOPERS WANT TO USE (THAT’S THE HARD PART)

Slide 11: Getting started
• Derive from existing use cases
• Get input from the application developers
• Start with simple but extensible (SOLID)
• Beware of anti-patterns: abstraction inversion, bullet-point engineering

Slide 12: Maintenance
• Refactor for extensibility
• Use Semantic Versioning
• Support the developers who use it
• Help developers proactively
• Implement fixes and extensions quickly
• Triage issues quickly

Slide 13: Other concerns
• Use a façade to abstract third-party components
• Simplify and constrain
• Use open source
• Modularity is key, so choose and integrate carefully
• Use OpenID Connect or SAML at the boundaries

Slide 14: What’s important
• Ease of use: developers have to want to use it, so make the developer’s life easier
• Modularity and portability
• Low barrier to integration

Slide 15: Remember to…
• Create APIs to address application security concerns
• Make them easy for developers to use
• Make them easy to integrate

Slide 16: Thanks!
Adam Migus: www.migusgroup.com/adam
Email: adam@migusgroup.com
Twitter: @amigus
Links:
http://en.wikipedia.org/wiki/Solid_(object-oriented_design)
http://semver.org/
http://openid.net/connect/