API Security and Management Best Practices

A look at the high-level considerations for controlling, metering and monitoring APIs from test through to production.

Notes
  • Everyone here needs to choose. Ignore the middle ground. Are you fearful, or are you confident?
  • Token protection, SSL, etc.
  • The new enterprise web is about integration

    1. API Security and Management Best Practices. K. Scott Morrison, CTO & Chief Architect, Feb 26, 2012
    2. Researchers have discovered that the national divorce rate has been falling since 2006…
    3. 2007: 3.6 divorces per 1000 people. 2008: 3.5 divorces per 1000 people. 2009: 3.4 divorces per 1000 people. So, does this mean people are getting better at relationships? Source: Slate http://slate.me/wGf9et
    4. No.
    5. It’s because of the recession.
    6. APIs are like a relationship
    7. They require very high maintenance.
    8. This talk is about how to have a successful API relationship.
    9. Piece of Advice #1
    10. Best Practice #1: It takes two to tango.
    11. The Web wasn’t a relationship
    12. Successful relationships are built on trust and equality
    13. Equal, but different
    14. BP #2: Understand and respect the cultural differences.
    15. Client / Server
    16. Inside / Outside
    17. Us / Them
    18. Contractor / Regular
    19. Partner, Contractor / Regular
    20. Partner, No Affiliation / Regular
    21. The New Identity Management: API Users, API Developers; External, Internal
    22. APIs change the composition of internal teams: Product Manager, API Developer, CFO, Business Manager, Security Officer
    23. BP #3: Memorize this simple equation.
    24. API Development != Web Development
    25. Beware of habits
    26. BP #4: Take security away from developers.
    27. Separation of Concerns: API Server (API Expert); API Proxy (Security Expert)
    28. BP #5: Trust, but verify.
    29. SQL Injection (courtesy XKCD): Exploits of a Mom. Source: https://xkcd.com/327/
    30. BP #6: SSL everywhere.
    31. It’s Cheap
    32. BP #7: It’s still all about access control.
    33. But think hard about tokens
    34. BP #8: Don’t roll your own.
    35. Security is hard to get right
    36. BP #9: Manage misconfiguration risk with appliances.
    37. Protect the Servers: API Client → Firewall → API Proxy (DMZ) → API Server (Secure Zone), within the Enterprise Network
    38. BP #10: Engage the developers.
    39. The New Governance (Old → New): Documentation: WSDL → Wiki/Blog; Discovery: Reg/Rep → Search; Approval: G10 Platform → Email; Enforcement: Gateway → Gateway; User Provisioning: IAM → Portal; Community: What’s that? → Forum
    40. The Layer 7 API Developer Portal: API Client (iPhone) → Firewall → API Proxy → API Server (Enterprise Network); API Developer → API Portal
    41. To Summarize: The game has changed (clients need attention). The security problems are the same (but the names have changed). Don’t just build APIs; build secure and managed APIs.
    42. Don’t Miss @RSA Conference 2012: ASEC-402: Hacking’s Gilded Age: How APIs Will Increase IT Risk, K. Scott Morrison, Friday, March 02, 10:10 a.m., Room 302. STAR-402: Enterprise Access Control Patterns for REST and Web API, Francois Lascelles, Friday, March 02, 10:10 a.m., Room 304. Yes, they are at the same time. You must choose…
    43. Picture Credits: Antelope Canyon 4 by klsmith – stock.exchg; Band silhouettes by mr_basmt – stock.exchg
    44. For further information: K. Scott Morrison, Chief Technology Officer & Chief Architect, Layer 7 Technologies, 1100 Melville St, Suite 405, Vancouver, B.C. V6E 4A6, Canada, (800) 681-9377, smorrison@layer7tech.com, http://www.layer7tech.com, February 2012
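The "separation of concerns" (slide 27), "trust, but verify" (slide 29) and "protect the servers" (slide 37) ideas in working form, as an added example that is not part of the deck or of any Layer 7 product: a DMZ-side proxy policy that checks transport, verifies the caller's token and whitelists every parameter before anything is forwarded to the API server in the secure zone. The HMAC token format, the secret, the header names and the parameter schema are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed demo secret; in practice it lives in the proxy, never in app code.
PROXY_SECRET = b"constructed-demo-secret"

# BP #5, "trust but verify": every parameter the API server accepts is
# whitelisted by shape here, so the API developer never sees raw input.
PARAM_SCHEMA = {
    "id": re.compile(r"\d{1,10}"),
    "q": re.compile(r"[\w ]{1,64}"),
}


def issue_token(client_id: str) -> str:
    """Constructed token format: '<client_id>.<hex HMAC-SHA256 over client_id>'."""
    mac = hmac.new(PROXY_SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}.{mac}"


def verify_token(token: str) -> Optional[str]:
    """Return the client id if the MAC checks out, else None (constant-time compare)."""
    client_id, _, mac = token.partition(".")
    expected = hmac.new(PROXY_SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    if client_id and hmac.compare_digest(mac, expected):
        return client_id
    return None


def proxy_decision(headers: Dict[str, str], params: Dict[str, str]) -> Dict[str, str]:
    """Policy the security expert owns at the proxy; the API server only sees forwarded requests."""
    # BP #6, "SSL everywhere": the front firewall/load balancer is assumed to stamp the scheme.
    if headers.get("X-Forwarded-Proto") != "https":
        return {"status": 403, "reason": "tls required"}
    # BP #7, access control: a bearer token the proxy itself can verify.
    auth = headers.get("Authorization", "")
    client = verify_token(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if client is None:
        return {"status": 401, "reason": "invalid token"}
    # Whitelist validation: unknown names and malformed values are rejected, not sanitised.
    for name, value in params.items():
        pattern = PARAM_SCHEMA.get(name)
        if pattern is None or not pattern.fullmatch(value):
            return {"status": 400, "reason": f"bad parameter {name}"}
    # Only now does the request cross from the DMZ into the secure zone.
    return {"status": 200, "forward_to": "api-server.secure-zone", "client": client}
```

The XKCD "Exploits of a Mom" string from slide 29 never reaches the server because it fails the whitelist, independent of how the server builds its SQL.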
