API Security and Management Best Practices
 

A look at the high-level considerations for controlling, metering and monitoring APIs from test through to production.

  • Everyone here needs to choose. Ignore the middle ground. Are you fearful, or are you confident?
  • Token protection, SSL, etc.
  • The new enterprise web is about integration

API Security and Management Best Practices: Presentation Transcript

  • API Security and Management Best Practices. K. Scott Morrison, CTO & Chief Architect. Feb 26, 2012
  • Researchers have discovered that the national divorce rate has been falling since 2006…
  • 2007: 3.6 divorces per 1000 people; 2008: 3.5 divorces per 1000 people; 2009: 3.4 divorces per 1000 people. So, does this mean people are getting better at relationships? Source: Slate http://slate.me/wGf9et
  • No.
  • It’s because of the recession.
  • APIs are like a relationship
  • They require very high maintenance.
  • This talk is about how to have a successful API relationship.
  • Piece of Advice #1
  • Best Practice #1 It takes two to tango.
  • The Web wasn’t a relationship
  • Successful relationships are built on trust and equality
  • Equal, but different
  • BP #2 Understand and respect the cultural differences.
  • Client / Server
  • Inside / Outside
  • Us / Them
  • Contractor / Regular
  • Partner / Contractor / Regular
  • Partner / No Affiliation / Regular
  • The New Identity Management: API Users and API Developers, External and Internal
  • APIs change the composition of internal teams: Product Manager, API Developer, CFO, Business Manager, Security Officer
  • BP #3 Memorize this simple equation.
  • API Development != Web Development
  • Beware of habits
  • BP #4 Take security away from developers.
  • Separation of Concerns: the API Server belongs to the API expert; the API Proxy belongs to the security expert
  • BP #5 Trust, but verify.
  • SQL Injection: “Exploits of a Mom” (courtesy XKCD). Source: https://xkcd.com/327/
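Added example, not part of the original deck: what “trust, but verify” means at the code level, using the XKCD name. The vulnerable insert splices the caller’s input into SQL text, so the injected DROP runs; the safe insert binds the same input as a parameter and the table survives; and is_plausible_name is the kind of allow-list check an API proxy can apply before forwarding, as defence in depth rather than as the fix. The students table, the in-memory sqlite3 database, the allow-list pattern and every function name here are constructed for illustration.

```python
import re
import sqlite3

# Constructed input for the example: the XKCD "Bobby Tables" name.
BOBBY_TABLES = "Robert'); DROP TABLE students;--"


def setup_db():
    """Fresh in-memory database with a students table and two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO students (name) VALUES (?)", [("Alice",), ("Bob",)])
    conn.commit()
    return conn


def insert_student_vulnerable(conn, name):
    """Trusts the caller: splices the name straight into the SQL text.

    executescript() runs every statement in the string, which is what a
    driver that permits stacked queries does, so the injected DROP executes.
    """
    conn.executescript(f"INSERT INTO students (name) VALUES ('{name}');")


def insert_student_safe(conn, name):
    """Verifies by construction: the name travels as a bound parameter, never as SQL."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def is_plausible_name(value):
    """Allow-list check a proxy can apply before the request reaches the server.

    Defence in depth only: it rejects the obvious attack characters, but
    parameterised queries remain the actual fix. The pattern is an assumption.
    """
    return re.fullmatch(r"[A-Za-z][A-Za-z .'-]{0,63}", value) is not None


def table_exists(conn, table):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY name")]


if __name__ == "__main__":
    db = setup_db()
    insert_student_vulnerable(db, BOBBY_TABLES)
    print("vulnerable path, table survives:", table_exists(db, "students"))  # False

    db = setup_db()
    insert_student_safe(db, BOBBY_TABLES)
    print("safe path, table survives:", table_exists(db, "students"))  # True
    print("rows:", student_names(db))
    print("proxy allow-list accepts Bobby:", is_plausible_name(BOBBY_TABLES))  # False
```

Note that the safe path stores the hostile string as an ordinary name; that is the point. The server-side parameter binding is what makes the input harmless, and the proxy’s allow-list only narrows what the server ever sees.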
  • BP #6 SSL everywhere.
  • It’s Cheap
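Added example, not part of the original presentation: “SSL everywhere” only buys something if the client actually authenticates the server. Below, a hardened client context sits beside the common lax one (verification switched off to silence a certificate error), and audit_context reports what the lax one gives away. The Python ssl module and the function names are my choices for illustration; the deck does not name a stack.

```python
import ssl


def hardened_client_context():
    """What "SSL everywhere" has to mean on the client side of an API call."""
    # create_default_context() loads the system CA bundle, requires a peer
    # certificate (CERT_REQUIRED) and checks the hostname against it.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_client_context():
    """The usual "make the certificate error go away" change, kept here only to be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate: a man-in-the-middle now looks like the API
    return ctx


def audit_context(ctx):
    """Return the reasons a client context does not actually authenticate the server.

    An empty list means the context verifies the peer certificate, checks the
    hostname, and refuses protocol versions below TLS 1.2.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate not matched to the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows protocols older than TLS 1.2")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("lax:", audit_context(lax_client_context()))
```

Run the audit against whatever context your API client library builds; a context that passes is the one to hand to wrap_socket() or to the HTTP client. Encrypting the wire with a context that fails the first two checks gives confidentiality against a passive observer only, not against an active one.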
  • BP #7 It’s still all about access control.
  • But think hard about tokens
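Added example, not from the deck or from Layer 7’s gateway: the checks an API proxy should run on a bearer token before forwarding the request: signature first, compared in constant time and before any claim is parsed; then expiry; then scope. Changing the claims while keeping the old signature is caught. The token format, the constructed SIGNING_KEY and the function names are assumptions for illustration. Consistent with BP #8, a production gateway should use a vetted token library (for example a maintained JWT or OAuth 2.0 implementation) rather than this hand-rolled format; the code spells the checks out so that what such a library must do is visible.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example; a real gateway pulls this from its key store
# and rotates it. Never ship a hard-coded key.
SIGNING_KEY = b"example-gateway-signing-key-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl_seconds, now=None, key=SIGNING_KEY):
    """Mint a token of the form <base64url claims>.<base64url HMAC-SHA256>."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scope": sorted(scopes), "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token, required_scopes, now=None, key=SIGNING_KEY):
    """Proxy-side check. Returns (ok, reason, claims); claims is None unless ok."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Authenticate before parsing: never interpret claims you have not verified.
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return False, "bad signature", None
        claims = json.loads(_unb64url(body))
        exp = int(claims["exp"])
        granted = set(claims["scope"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed token", None
    if now >= exp:
        return False, "expired", None
    if not set(required_scopes) <= granted:
        return False, "insufficient scope", None
    return True, "ok", claims


def authorize_request(headers, required_scopes, now=None):
    """What the API proxy does to an inbound request before forwarding it."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return False, "no bearer token", None
    return verify_token(token, required_scopes, now=now)


def tamper(token, **changes):
    """Rewrite claims but keep the old signature, to show the proxy rejects it."""
    body, sig = token.split(".")
    claims = json.loads(_unb64url(body))
    claims.update(changes)
    new_body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{new_body}.{sig}"


if __name__ == "__main__":
    tok = issue_token("alice", ["orders:read"], ttl_seconds=300, now=1000)
    print(verify_token(tok, ["orders:read"], now=1100))            # ok
    print(verify_token(tok, ["orders:read"], now=1400))            # expired
    print(verify_token(tok, ["orders:write"], now=1100))           # insufficient scope
    print(verify_token(tamper(tok, exp=10**9), ["orders:read"], now=5000))  # bad signature
```

Two design points a practitioner should notice: the signature is checked before the JSON is decoded, so a malformed or hostile payload is never parsed under the proxy’s authority, and the comparison uses hmac.compare_digest so the check does not leak how many bytes matched.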
  • BP #8 Don’t roll your own.
  • Security is hard to get right
  • BP #9 Manage misconfiguration risk with appliances.
  • Protect the Servers: API Client → Firewall → API Proxy (in the DMZ) → API Server (in the Secure Zone of the Enterprise Network)
  • BP #10 Engage the developers.
  • The New Governance (Old → New):
    Documentation: WSDL → Wiki/Blog
    Discovery: Reg/Rep → Search
    Approval: G10 Platform → Email
    Enforcement: Gateway → Gateway
    User Provisioning: IAM → Portal
    Community: What’s that? → Forum
  • The Layer 7 API Developer Portal: API Client (iPhone) → Firewall → API Proxy → API Server (Enterprise Network); API Developer → API Portal
  • To Summarize:
    The game has changed: clients need attention.
    The security problems are the same, but the names have changed.
    Don’t just build APIs; build secure and managed APIs.
  • Don’t Miss @RSA Conference 2012:
    ASEC-402: Hacking’s Gilded Age: How APIs Will Increase IT Risk. K. Scott Morrison. Friday, March 02, 10:10 a.m., Room 302
    STAR-402: Enterprise Access Control Patterns for REST and Web API. Francois Lascelles. Friday, March 02, 10:10 a.m., Room 304
    Yes, they are at the same time. You must choose…
  • Picture Credits: Antelope Canyon 4 by klsmith (stock.exchg); Band silhouettes by mr_basmt (stock.exchg)
  • For further information: K. Scott Morrison, Chief Technology Officer & Chief Architect, Layer 7 Technologies, 1100 Melville St, Suite 405, Vancouver, B.C. V6E 4A6, Canada. (800) 681-9377, smorrison@layer7tech.com, http://www.layer7tech.com. February 2012