Open APIs - Risks and Rewards (Øredev 2013)

Introducing Open APIs, the security risks involved and the great rewards that can be reaped: the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack, and how Twitter's API has been used to analyse Twitter use in Sweden.

Lightning talk from Øredev, 7 November 2013, in Malmö, Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.

Published in: Technology

  1. Andreas Krohn, Hampus Brynolf, Travis Spencer: Open APIs, Risks & Rewards
  2. Open APIs, Risks & Rewards. Andreas Krohn, dopter
  3. API: Application Programming Interface
  4. API: ‣ HTTP Request ‣ Machine readable response ‣ JSON ‣ XML
  5. API: ‣ HTTP Methods ‣ GET, POST etc ‣ HTTP Headers ‣ URI ‣ Query Parameters ‣ Body
  6. Open API: ‣ “Not closed” ‣ Anyone can use it ‣ Free or paid
  7.–11. https://api.stackexchange.com/2.1/questions?order=desc&sort=activity&tagged=api&site=stackoverflow (the same request URL is shown on each of these five slides)
  12. Open APIs, Risks & Rewards. Hampus Brynolf, intellecta
  13. TWITTER IN SWEDEN
  14. Method (flowchart): 1. Get from queue → 2. Check language → 3. Save → 4. Add friends and followers; the language check branches on “Finnish?” / “Not Finnish?” → Block
  15. Language analysis • N-gram-based text-categorization – Searches for three letter combinations in words – Considered stable – Worse result with few tweets – http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.53.9367
  16. Some data… • 6,171,929 accounts analyzed • < 100 tweets per account analyzed • 15,410,436 Swedish tweets identified and downloaded
  17. 600 000
  18. 46% active
  19. 17% very active
  20. Registrations per month
  21. Words in description
  22. Force atlas graph
  23. Finland Sweden Danmark
  24. sport, teens, celebs, IT/tech, media & politics, education
  25. IT/business/media, manga/anime, librarians, churches, sports, media & politics, entertainment
  26. IT/tech, media & politics, entertainment, nationalist, celebs, Gamers, sport, regional clusters, Hiphop
  27. Thanks @dreadnallen // Christofer Laurin
  28. Open APIs, 10,000+ available: ‣ Google ‣ Salesforce ‣ Paypal ‣ Amazon ‣ ProgrammableWeb
  29. Open APIs, why? ‣ External Innovation ‣ Enable Partnerships ‣ Make Money ‣ Save Money ‣ Marketing
  30. Open APIs: ‣ More common than Internal APIs ‣ System Architecture ‣ Partnerships ‣ Speed to Market ‣ Mobile Applications
  31. Package an API, more than just http: ‣ Security concerns ‣ Statistics ‣ Developer Portal ‣ Documentation ‣ Community ‣ Pricing & Legal
  32. API Management, all but the data: ‣ Security ‣ Developer Portal ‣ Monetization ‣ Statistics ‣ Layer 7, 3scale, Apigee, Mashery...
  33. Open APIs, Risks & Rewards. Travis Spencer, twobo technologies
  34. Agenda • Problem: the risks & security challenges • Solution: the “Neo-security Stack” • Result: a secure platform for data access. Copyright © 2013 Twobo Technologies AB. All rights reserved
  35. Threats, Dangers & Challenges
  36. Identity is Central to a Solution: Venn diagram of Mobile Security, Enterprise Security and API Security with Identity at the centre (Venn diagram by Gunnar Peterson)
  37. The Neo-security Stack: Federation – SAML / OpenID Connect; Provisioning – SCIM; Identity – JSON Identity Suite; Delegated Access – OAuth; Authorization – XACML
  38. The Neo-security Stack: SAML / OpenID Connect, SCIM, JSON Identity Suite, OAuth, XACML
  39. SAML • SAML: proven technology for identity federation and Web SSO • Profiles, bindings, protocols, assertions & metadata • V. 2.1 in the works (diagram: Identity Provider (IdP) and Service Provider (SP))
  40. OpenID Connect • New federation protocol that builds on OAuth 2 • Adds identity inputs/outputs to OAuth messages • Related to prior OpenID versions in name only • Compact messages for mobile scenarios • RP / client can determine info about end user • Tokens are JWTs • UserInfo endpoint to get user data (image caption: Grandpa SAML & junior)
  41. SCIM • Defines RESTful API to manage users & groups • Specifies core user & group schemas • Supports bulk updates for ingest • Binding for SAML and eventually OpenID Connect
  42. OAuth • OAuth 2 is the new protocol of protocols • Composed in useful ways • Addresses old requirements and solves new ones: delegated access, no password sharing, revocation of access
  43. JSON Identity Protocol Suite • Suite of JSON-based identity protocols: Tokens (JWT), Keys (JWK), Algorithms (JWA), Encryption (JWE), Signatures (JWS) • Lightweight tokens passed in HTTP headers & query strings • Akin to SAML tokens
  44. The Neo-security Platform: Identity Management System, API Management System and Entitlement Management System, built on SAML / OpenID Connect, SCIM, JSON Identity Suite, OAuth and XACML
  45. Building on the Platform: Identity Management System, API Management System, Entitlement Management System
  46. Solutions must be “baked”
  47. Solutions must be “baked”: Web SSO, Account Management & Provisioning, API Security, Authorization, Social Media Aggregation
  48. Get Started using open APIs: ‣ Use API without authentication ‣ Nobel Prize API ‣ Make request ‣ Parse response
  49. Get Started using open APIs: ‣ cURL ‣ Postman ‣ Unirest ‣ Java, .NET, Python...
  50. Get Started publishing open APIs: ‣ Identify source ‣ Design based on external reqs. ‣ Do NOT mimic internal structures ‣ Mashape ‣ Use your own API!
  51. Get Started publishing open APIs (Pro): ‣ Business case, marketing plan etc ‣ Analyze requirements ‣ What to build & what to buy ‣ Build a community!
  52. Thank you nordicapis.com/oredev2013
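The language check from slides 14–16 (N-gram text categorization in the style of the cited Cavnar & Trenkle paper: three-letter combinations in words, pooled over up to 100 tweets per account) worked through as an added Python example; it is not the talk's own code, the three mini-corpora are constructed stand-ins for real training text, and the function names are my own.

```python
"""Trigram language identification after Cavnar & Trenkle (N-gram-based text categorization)."""
from collections import Counter

# Constructed mini-corpora standing in for real training text (not the talk's data).
CORPORA = {
    "sv": "det är en fin dag idag och vi ska gå ut och se vad som händer i stockholm och göteborg "
          "jag tycker att det här är jättebra men inte alla håller med för många vill stanna hemma",
    "fi": "tänään on hieno päivä ja menemme ulos katsomaan mitä helsingissä ja tampereella tapahtuu "
          "minusta tämä on todella hyvä mutta kaikki eivät ole samaa mieltä sillä monet haluavat jäädä kotiin",
    "en": "it is a nice day today and we are going out to see what is happening in london and manchester "
          "i think this is really good but not everyone agrees because many people want to stay at home",
}
PROFILE_SIZE = 300  # how many top-ranked trigrams a profile keeps

def trigrams(text):
    """Yield every three-letter combination of every word, padded with spaces."""
    for word in text.lower().split():
        padded = f" {word} "
        for i in range(len(padded) - 2):
            yield padded[i:i + 3]

def profile(text, size=PROFILE_SIZE):
    """Map trigram -> rank, most frequent first; ties broken alphabetically so ranks are stable."""
    counts = Counter(trigrams(text))
    ranked = sorted(counts, key=lambda g: (-counts[g], g))[:size]
    return {g: rank for rank, g in enumerate(ranked)}

LANGUAGE_PROFILES = {lang: profile(text) for lang, text in CORPORA.items()}

def out_of_place(doc_profile, lang_profile, penalty=PROFILE_SIZE):
    """Sum of rank displacements; a trigram absent from the language profile costs the maximum."""
    return sum(abs(rank - lang_profile[g]) if g in lang_profile else penalty
               for g, rank in doc_profile.items())

def detect_language(text):
    """Return (language, distance) of the closest profile, or None if there is nothing to classify."""
    doc = profile(text)
    if not doc:
        return None
    scores = {lang: out_of_place(doc, lp) for lang, lp in LANGUAGE_PROFILES.items()}
    return min(scores.items(), key=lambda item: item[1])

def classify_account(tweets, limit=100):
    """Pool up to `limit` tweets before classifying: one short tweet gives the profile little
    evidence (the slides note worse results with few tweets), pooled text gives it more."""
    result = detect_language(" ".join(tweets[:limit]))
    return result[0] if result else None
```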

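Slide 43's JSON Identity Suite in practice, as an added Python example that is not from the talk: a JWT signed as a JWS with the HS256 JWA algorithm, passed in an HTTP Authorization header and verified by the API before any claim in it is trusted. The key and claims are constructed and the function names are my own.

```python
"""JWT carried as a JWS (HS256) bearer token: issue it, then verify it at the API."""
import base64, hashlib, hmac, json, time

def b64url(raw):
    """base64url without padding, as the JOSE specs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims, key):
    """Compact JWS serialization: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        b64url(json.dumps(header, separators=(",", ":")).encode()),
        b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)

def verify_token(token, key, now=None):
    """Return the claims only if the token parses, carries the algorithm we expect,
    has a valid HMAC under `key` and has not expired; otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token's own header choose how it is checked.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, "{}.{}".format(h, p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or ("exp" in claims and now >= claims["exp"]):
        return None
    return claims

def bearer_claims(authorization_header, key, now=None):
    """Extract the token from 'Authorization: Bearer <jwt>' and verify it."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_token(token, key, now)
```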